After identifying supply chain risks to the electric utility industry (including the insertion of counterfeits, unauthorized production, tampering, theft, or insertion of malicious software, as well as poor manufacturing and development practices) on July 21 the Federal Energy Regulatory Commission (FERC) directed the North American Electric Reliability Corporation (NERC) to develop a new or modified Reliability Standard that addresses risks to industrial control systems associated with bulk electric system operations.
The plan required by the new or modified Reliability Standard developed by NERC should address four specific security objectives in the context of addressing supply chain management risks:
- Software integrity and authenticity
- Vendor remote access
- Information system planning
- Vendor risk management and procurement controls
The agency pointed to changes in the bulk electric system cyber threat landscape, evidenced by recent malware campaigns targeting supply chain vendors, which highlighted a gap in the protections under the current reliability standards. Examples cited by regulators include unauthorized code found in Juniper firewalls in 2015, as well as two events targeting electric utility vendors.
The new rule is effective 60 days after publication in the Federal Register and NERC is to submit the new standard within one year.
A copy of the FERC order is available here.