Just last week, the Federal Energy Regulatory Commission or “FERC” moved closer to regulating the supply chain management practices for energy companies that own and operate the physical assets that comprise the nation’s power grid. Specifically, on July 21, FERC directed the North American Electric Reliability Corporation or “NERC” to issue a new supply chain management standard that addresses risks to information systems and related bulk electric system assets.
By way of background, the Energy Policy Act of 2005 required FERC to select an electric reliability organization or “ERO” to develop and enforce cybersecurity reliability standards for the grid. In July 2006, FERC certified NERC as the nation’s ERO and in January 2008, FERC approved NERC’s first version of the cyber regulations known as the Critical Infrastructure Protection or “CIP” standards. Since that time, the NERC CIP standards have been consistently revised and in January of this year, FERC in Order No. 822 approved the sixth version of the standards. That FERC order also directed NERC to study a supply chain management standard and, in doing so, recognized that the hardware, software, and other products provided by an energy company’s third party vendors must be secure:
“The supply chain enables opportunities for adversaries to directly or indirectly affect the management or operations of companies that may results in risks to the end user. Supply chain risks may include the insertion of counterfeits, unauthorized production, tampering, theft, or insertion of malicious software, as well as poor manufacturing and development processes.”
FERC’s action last week builds on those efforts from earlier this year. Now, FERC has directed NERC to build into NERC CIP a “forward-looking, objective-based” standard that requires covered entities to develop their own supply chain management plans for industrial control system hardware, software, and services associated with bulk electric system operations.
FERC’s decision was made in a 3-1 vote, with Commissioner Cheryl LaFleur dissenting. In a lengthy statement, Commissioner LaFleur explained that the supply chain standard should have been included in a notice of proposed rulemaking rather than a final rule, which would have allowed for greater stakeholder involvement:
“I worry that the limited process that preceded the Final Rule and the expedited timetable will make it extremely difficult for NERC to file a standard that [FERC] can cleanly approve. Had [FERC] committed itself to conducting adequate outreach, I believe we could have mitigated the likelihood of that outcome, and more effectively and promptly addressed the supply chain threat in the long term.”
FERC’s final rule will become effective 60 days after publication in the Federal Register. Then, NERC will have one year to submit to FERC the supply chain management standard to be incorporated into NERC CIP.