Monday, February 18, 2019

FERC Backs NERC Supply Chain Standards

By Michael Brooks

WASHINGTON — FERC on Thursday proposed to adopt several reliability standards intended to mitigate cybersecurity risks posed by the global supply chain of grid operation tools.

Multiple entities around the world may participate in the development of software or technology used by utilities to manage their reliability duties, exposing them to potential corruption.


In a Notice of Proposed Rulemaking (RM17-13), FERC indicated its intention to approve a NERC critical infrastructure protection standard (CIP-013-1) that would require utilities to consider several cybersecurity issues when procuring these products for their medium- and high-impact systems. These issues include:

  • disclosure of known vulnerabilities in the products;
  • security event notifications;
  • coordination of vendor remote access;
  • notification when vendor employee remote or onsite access is terminated;
  • coordinated response to vendor-related cybersecurity incidents; and
  • verification of integrity and authenticity of all software and patches.

NERC noted that the standard does not “require that every contract with a vendor include provisions for each of the listed items.” Rather, utilities would need to “ensure that these security items are an integrated part of procurement activities, such as a request for proposal or in the contract negotiation process.”

The actual terms and conditions of utilities’ contracts with vendors are outside the scope of the standard, as are the activities of the vendors themselves. “A responsible entity should not be held responsible under the proposed reliability standard for actions (or inactions) of the vendor,” NERC said.

Reliability officials would evaluate and reapprove utilities’ procurement processes every 15 months under the standard.

FERC also proposed to adopt two additions to existing NERC standards, both to support the requirements in CIP-013-1. One (CIP-005-6) would require utilities to develop a method for identifying active remote access sessions by vendors. The other (CIP-010-3) would require utilities to verify the source of all software and patches before installing them.

Broader Scope, Tighter Deadline

NERC developed the standards in response to a FERC directive in July 2016, marking only the third time the commission has taken such initiative. (See FERC Orders NERC to Develop ‘Flexible’ Supply Chain Standard.) The organization submitted the proposed standards last September.

FERC found that NERC had generally satisfied the four objectives it had laid out in its order: software integrity and authenticity; vendor remote access; information system planning; and vendor risk management and procurement controls. The commission had also directed that the standard be flexible, leaving it to utilities to determine the best way to comply.

However, the commission directed NERC to include Electronic Access Control and Monitoring Systems (EACMS) — firewalls, authentication servers, security event monitoring systems and intrusion detection systems, for example — as part of the scope of the standard.

It also instructed NERC to evaluate the risks posed by Physical Access Control Systems (PACS) — such as motion sensors, badge readers and electronic locks — and Protected Cyber Assets (PCAs) — networked printers, file transfer servers and local area network switches — as part of a supply chain cybersecurity study the organization’s Board of Trustees ordered last August.

FERC also proposed to tighten the implementation deadline for the standards, shortening NERC’s proposed 18 months after commission approval to 12.

Commissioners: Good First Step

Commissioner Cheryl LaFleur, who had dissented from FERC’s earlier order, issued a lengthy concurrence to explain her vote. She had called the July 2016 directive too broad and lacking in guidance. She had also said the timeline for developing the standards was too short given the lack of stakeholder input.

At the commission’s open meeting Thursday, LaFleur said she still had some of those concerns, calling the standards “quite general.” But, she said, “I agree that they are an improvement over the status quo.

“I do not believe that remanding these standards or the larger supply chain issue to the NERC standards process would be a prudent step at this point,” she said. “Rather, I believe the better course of action at this time is to move forward with these standards and … improve them over time as needed.”

Her colleagues had similar sentiments.

“While the standard is not a panacea, it is an important step forward to tackle a tough problem,” Commissioner Neil Chatterjee said. “It will be particularly important to revisit the standard after several years of experience to see what is working and what aspects could be improved. But again, today’s order is a good step in the right direction.”

Commissioner Richard Glick also called the standards “an important first step,” but added, “I think more needs to be done.”

Comments on the proposal to adopt the standards are due 60 days after its publication in the Federal Register.

EOP Reliability Standards

FERC on Thursday also approved several updates to emergency preparedness and operations reliability standards proposed by NERC last March (RM17-12).

The revisions streamline existing standards and remove redundant language. The commission said they will ensure accurate reporting of events to NERC’s event analysis group; delineate the roles and responsibilities of entities involved in system restoration processes; and identify the elements required in plans for continuing operations when primary control functionality is lost.

FERC did not make any changes to the EOP standards since it proposed to adopt them last September, nor did stakeholders propose any. (See FERC OKs Rules on Balancing, Interconnection, Remedial Actions.) They will go into effect 60 days after their publication in the Federal Register.