After a proceeding of more than two years to identify and study supply chain risks to the electric utility industry (including the insertion of counterfeits, unauthorized production, tampering, theft, or insertion of malicious software, as well as poor manufacturing and development practices), on October 18, 2018, the Federal Energy Regulatory Commission (FERC) approved a North American Electric Reliability Corporation (NERC) proposal for a new Reliability Standard that addresses risks to industrial control systems associated with bulk electric system operations.
The supply chain risk management plan required by the new NERC-developed Standard addresses four specific security objectives that FERC identified when it opened its proceeding in 2016:
- Software integrity and authenticity
- Vendor remote access
- Information system planning
- Vendor risk management and procurement controls
The Commission said the global supply chain affords significant benefits to customers, including low cost, interoperability, rapid innovation, and a variety of product features and choices. However, the global supply chain also creates opportunities for adversaries to directly or indirectly affect the management or operations of companies, with potential risks to end users. While FERC has no authority over manufacturers, it expects the utilities it does regulate to insist on features, such as robust firewalls, that will protect the bulk electric system.
While this FERC proceeding exists against the backdrop of widely reported hacking attempts against U.S. utility systems—including by Russia—the 60-page order does not mention any adversaries by name.
The agency pointed to increases in the bulk electric system cyber threat landscape, including malware campaigns targeting supply chain vendors, which highlighted a gap in the protections under the current reliability standards. Examples cited by regulators in 2016 had included unauthorized code found in Juniper firewalls in 2015, as well as two events targeting electric utility vendors.
The new rule takes effect 60 days after publication in the Federal Register. NERC must implement the security standard within 18 months. Certain modifications ordered by FERC are required within two years.
FERC’s order is available here.