FERC, in a Sept. 17 notice of inquiry, said that it seeks comments on the potential risks to the bulk electric system posed by the use of equipment and services produced or provided by certain entities identified as risks to national security.
FERC said that it also seeks comments on strategies to mitigate any potential risks posed by certain telecommunications equipment and services, including potential modifications to the Critical Infrastructure Protection (CIP) Reliability Standards.
As noted in the filing, FERC in October 2018 approved the first set of supply chain risk management Reliability Standards in Order No. 850, describing those standards as “forward-looking and objective-based and require each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations.”
FERC said that since the issuance of Order No. 850, there have been significant developments in the form of executive orders, legislation, and federal agency actions that raise concerns over the potential risks posed by the use of equipment and services provided by certain entities identified as risks to national security.
Among other things, FERC noted that Congress has recently addressed the risks posed by the procurement of equipment and services from entities identified as risks to national security in the annual National Defense Authorization Acts. For instance, the National Defense Authorization Act (NDAA) for Fiscal Year 2019 prohibits the Secretary of Defense from procuring or obtaining, or extending or renewing a contract to procure or obtain, equipment, systems, or services that use “covered telecommunications equipment or services” as a substantial or essential component of any system, or as critical technology as part of any system.
The commission said that it seeks comments on:
- The extent of the use of equipment and services provided by certain entities identified as risks to national security related to bulk electric system operations
- The risks to bulk electric system reliability and security posed by the use of equipment and services provided by certain entities
- Whether the CIP Reliability Standards adequately mitigate the identified risks
- What mandatory actions FERC could consider taking to mitigate the risk of equipment and services provided by certain entities related to bulk electric system operations
- Strategies that entities have implemented or plan to implement — in addition to compliance with the mandatory CIP Reliability Standards — to mitigate the risks associated with use of equipment and services provided by certain entities
- Other methods FERC may employ to address the matter, including working collaboratively with industry to raise awareness about the identified risks and assisting with mitigating actions, such as facilitating information sharing
FERC said that comments must refer to Docket No. RM20-19-000, and that initial comments are due 60 days after the date of publication in the Federal Register.