FERC on Oct. 18 said that it has approved new mandatory reliability standards to bolster supply chain risk management protections for the country’s bulk electric system.
The new standards will augment current Critical Infrastructure Protection standards to mitigate cybersecurity risks associated with the supply chain for grid-related cyber systems, FERC said, adding that the Oct. 18 final rule closely follows what it outlined in the Notice of Proposed Rulemaking issued in January.
NERC, in a separate Oct. 18 statement, said that the new supply chain risk management standards require each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations.
FERC noted in its statement that NERC proposed the standards in response to FERC Order No. 829, which directed it to develop standards to address supply chain risk management for industrial control system hardware, software, and computing and networking services.
FERC noted that while the global supply chain provides opportunity for significant benefits to customers, it also presents opportunities to affect management or operations of generation or transmission companies that may result in risks to end-users.
FERC said that the Oct. 18 final rule takes effect 60 days after publication in the Federal Register.
FERC’s final rule
As noted in the final rule, section 215 of the Federal Power Act (FPA) requires a commission-certified electric reliability organization (ERO) to develop mandatory and enforceable Reliability Standards, subject to commission review and approval.
In Order No. 829, the commission directed NERC to develop a new or modified Reliability Standard that addresses supply chain risk management for industrial control system hardware, software, as well as computing and networking services associated with bulk electric system operations. The final rule added that NERC in September 2017 submitted for commission approval proposed Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3, as well as their associated violation risk factors and violation severity levels, implementation plan, and effective date.
Proposed Reliability Standard CIP-013-1, for instance, does not require any specific controls or mandate “one-size-fits-all” requirements due to the differences in needs and characteristics of responsible entities, as well as the diversity of bulk electric system environments, technologies, and risks. The final rule added that with regard to assessing compliance with Reliability Standard CIP-013-1, NERC stated that it and regional entities would focus on whether responsible entities, for instance, developed processes reasonably designed to identify and assess risks associated with vendor products and services.
Proposed Reliability Standard CIP-005-6 includes two new parts, Parts 2.4 and 2.5, to address vendor remote access, which is the second objective discussed in Order No. 829. The final rule added that NERC explained that the new parts work in tandem with Reliability Standard CIP-013-1, Requirement R1.2.6, which requires responsible entities to address Interactive Remote Access and system-to-system remote access when procuring industrial control system hardware, software, as well as computing and networking services associated with bulk electric system operations.
Proposed Reliability Standard CIP-010-3 includes a new part, Part 1.6, to address software integrity and authenticity, the first objective addressed in Order No. 829, by requiring that the publisher is identified and the integrity of all software and patches is confirmed, the final rule said. NERC stated that proposed Reliability Standard CIP-010-3, Requirement R1.6 requires that responsible entities verify the identity of the software source and the integrity of the software obtained from that source prior to installing software that changes established baseline configurations, when methods are available to do so.
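One way the CIP-010-3 R1.6 check can be implemented in practice, as an added illustration that is not part of the rule, the article, or any NERC or vendor code: the vendor publishes a signed manifest carrying the patch's SHA-256 digest, and the responsible entity verifies the signature against a pinned vendor public key (source identity) and the digest against the downloaded file (integrity) before the patch is allowed to alter the baseline. The manifest format, the ed25519 release key, and the function names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Manifest is a constructed, hypothetical vendor-published record shipped with a patch.
type Manifest struct {
	Product   string
	SHA256Hex string
	Signature []byte // ed25519 signature over Product + "\n" + SHA256Hex
}

func manifestMessage(m Manifest) []byte { return []byte(m.Product + "\n" + m.SHA256Hex) }

// NewVendorKey stands in for the vendor's release key pair (hypothetical).
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // entropy failure: nothing sensible to do but stop
	}
	return pub, priv
}

// SignManifest is the vendor-side step, included only so the example runs offline.
func SignManifest(priv ed25519.PrivateKey, product string, artifact []byte) Manifest {
	sum := sha256.Sum256(artifact)
	m := Manifest{Product: product, SHA256Hex: hex.EncodeToString(sum[:])}
	m.Signature = ed25519.Sign(priv, manifestMessage(m))
	return m
}

// VerifyBeforeInstall is the pre-install gate: source identity (manifest signed by the
// pinned vendor key) and integrity (artifact digest matches the signed manifest).
func VerifyBeforeInstall(pinnedVendorKey ed25519.PublicKey, m Manifest, artifact []byte) error {
	if !ed25519.Verify(pinnedVendorKey, manifestMessage(m), m.Signature) {
		return errors.New("source identity check failed: manifest not signed by pinned vendor key")
	}
	want, err := hex.DecodeString(m.SHA256Hex)
	sum := sha256.Sum256(artifact)
	if err != nil || !bytes.Equal(sum[:], want) {
		return errors.New("integrity check failed: artifact digest does not match signed manifest")
	}
	return nil // safe to proceed with the baseline change
}
```

A non-nil error from VerifyBeforeInstall is the signal to block the change and record the failed check, which is the evidence an auditor would expect under R1.6.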
As noted in the final rule, NERC stated that the purpose of the Reliability Standards is to enhance the cybersecurity posture of the electric industry by requiring responsible entities to take additional actions to address cybersecurity risks associated with the supply chain for bulk electric system (BES) cyber systems. NERC stated that the supply chain risk management reliability standards apply only to medium and high impact BES cyber systems, and explained that the goal of the CIP reliability standards is to “focus industry resources on protecting those BES cyber systems with heightened risks to the [bulk electric system] … [and] that the requirements applicable to low impact BES cyber systems, given their lower risk profile, should not be overly burdensome to divert resources from the protection of medium and high impact BES cyber systems.”
The final rule also said that NERC stated that the standard drafting team excludes, for instance, electronic access control and monitoring systems (EACMS), physical access control systems (PACS), and protected cyber assets (PCAs) from the scope of the supply chain risk management reliability standards, with the exception of the modifications in Reliability Standard CIP-005-6, which apply to PCAs. EACMS are defined in the NERC Glossary as “cyber assets that perform electronic access control or electronic access monitoring of the electronic security perimeter(s) or BES cyber systems. This includes intermediate systems.”
The final rule also said that NERC explained that while certain requirements in the existing CIP reliability standards apply to EACMS, PACS, and PCAs due to their association with BES cyber systems – either by function or location – the standard drafting team determined that the supply chain risk management reliability standards should focus on high and medium impact BES cyber systems only.
The final rule added that NERC asserted that with respect to low impact BES cyber systems and EACMS, PACS, and PCAs, while not mandatory, NERC expects that those assets will likely be subject to responsible entity supply chain risk management plans required by Reliability Standard CIP-013-1. Specifically, the final rule said, NERC explained that “[r]esponsible [e]ntities may implement a single process for procuring products and services associated with their operational environments.” NERC contended that “by requiring that entities implement supply chain cybersecurity risk management plans for high and medium impact BES cyber systems, those plans would likely also cover their low impact BES cyber systems,” the final rule noted.
FERC in its final rule said that it “approves supply chain risk management Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 as just, reasonable, not unduly discriminatory or preferential, and in the public interest. We determine that the supply chain risk management reliability standards will enhance existing protections for bulk electric system reliability by addressing the four objectives identified in Order No. 829: (1) software integrity and authenticity; (2) vendor remote access; (3) information system planning; and (4) vendor risk management and procurement controls.”
FERC said that it finds that the exclusion of EACMS from the scope of the reliability standards presents risks to the cybersecurity of the bulk electric system. Noting that the record indicates that the vulnerabilities associated with EACMS – which include firewalls – are well understood and appropriate for mitigation, the final rule said that FERC directs NERC to develop modifications to the CIP reliability standards to include EACMS within the scope of the supply chain risk management reliability standards. NERC is to submit the directed modifications within 24 months of the effective date of the final rule.
The final rule also said that while PACS and PCAs present concerns, the commission agrees with NERC and others that further study is warranted with regard to the impacts and benefits of directing that the ERO address the risks associated with PACS and PCAs in the supply chain risk management reliability standards. Accordingly, the commission accepts NERC’s commitment to evaluate the cybersecurity supply chain risks presented by PACS and PCAs in the cybersecurity supply chain risks study directed by the NERC Board of Trustees, the final rule said.