On October 18, the Federal Energy Regulatory Commission (FERC or Commission) issued Order No. 850, adopting a suite of reliability standards proposed by the North American Electric Reliability Corporation (NERC) to address the cybersecurity risks posed by supply chains for industrial control system assets and services in critical electric utility environments. The final rule largely adopts the proposals from the Commission’s Notice of Proposed Rulemaking (NOPR). But the Commission also directs NERC to expand the scope of the new requirements to include Electronic Access or Control Monitoring Systems (EACMS) and to evaluate the need to further expand the scope of the requirements to include Physical Access Control Systems (PACS) and Protected Cyber Assets (PCAs).

Despite fears that the Commission would shorten the implementation period for the new requirements, the Commission adopted the 18-month implementation period that was originally proposed by NERC.

Background

Once effective, the new standards will require electric utilities to develop a plan to mitigate supply chain cybersecurity risks posed by vendor products and services, particularly during the vendor procurement process. As a result, those companies providing goods and services to electric utilities will also need to adapt to the new requirements in order to demonstrate that they can assist electric utilities in meeting these compliance obligations, even though only utilities themselves would be subject to the standards and could be fined for noncompliance.

The final rule approved new reliability standard CIP-013-1, addressing supply chain risk management, and revisions to two existing reliability standards in proposed CIP-005-6 and CIP-010-3. The standards address cybersecurity risks in the supply chains for high and medium impact BES Cyber Systems by ensuring that entities (1) establish and implement organizationally defined processes that integrate a cybersecurity risk management framework (proposed CIP-013-1); (2) implement methods to identify active vendor remote access sessions and to disable active vendor remote access (proposed modification to CIP-005-5); and (3) verify the identity of software publishers and the integrity of all software and patches intended for use on BES Cyber Systems (proposed modification to CIP-010-2).

Read a more comprehensive overview of the new standards.

Changes in the Final Rule

Inclusion of EACMS

In spite of disagreements from many commenters, the Commission adopted its NOPR to include EACMS—cyber assets used to control access to and monitor BES Cyber Systems—within the scope of the standards. In the NOPR, the Commission expressed concerns over the exclusion of EACMS from the proposed standards, pointing to the critical security functions performed by those assets, such as controlling interactive remote access into Electronic Security Perimeters (ESPs) and guarding industrial control systems. In the final rule, the Commission reiterated its belief that EACMS are high-value targets for malicious actors and represent the most likely route an attacker would take to access a BES Cyber System or PCA within an ESP. To further support its decision to direct the inclusion of EACMS within the scope of the new and modified standards, the Commission also pointed to various commenters’ conclusions that the misoperation or unavailability of EACMS would have severe, negative impacts on reliability.

The Commission further disagreed that existing standards address the specific supply chain risks that formed the basis of NERC’s original proposal. As an example, the Commission explained that while the currently effective CIP-005-5 provides electronic access protection for an ESP through controls applied to an electronic access point associated with an EACMS, those controls only apply after an asset is procured and deployed on an entity’s system. Thus, the EACMS at issue could already contain built-in vulnerabilities making it susceptible to compromise or, in the worst-case scenario, could have been compromised before its acquisition. In directing further modifications to the standards to incorporate EACMS, the Commission rejected calls to delay its decision until the publication of a report commissioned by the NERC board of trustees that will address supply chain risks. Instead, the Commission expects that the report will assist the standard drafting team in developing modifications that target only those EACMS whose compromise by way of the cybersecurity supply chain can affect the reliable operation of BES Cyber Systems.

NERC will be required to submit the directed modifications to incorporate EACMS within the scope of the new standards within 24 months of the effective date of the final rule.

Further Study on PACS and PCAs

In the NOPR, the Commission proposed to direct NERC to further evaluate the supply chain risks posed by PACS and PCAs, instead of proposing to include those types of assets within the scope of the standards, as the Commission opted to do with EACMS. The Commission did not deviate from that proposal, and will evaluate the final report directed by the NERC board of trustees to determine whether PACS and PCAs should be included in the supply chain risk management standards through future modifications.

Implementation Plan

The Commission adopted NERC’s original proposal for the standards to take effect 18 months after the effective date of the final rule, which will be 60 days after the final rule’s publication in the Federal Register. In the NOPR, the Commission had called into question NERC’s justification for the 18-month implementation period, and suggested reducing the implementation period to 12 months instead. However, the Commission found persuasive comments opposing the shortened implementation period on the basis that technical upgrades are likely necessary to meet the security objectives of the supply chain risk management reliability standards, which could involve longer time-horizon capital budgets and planning cycles.

Under the approved implementation plan, the new supply chain cybersecurity requirements will become effective on July 1, 2020. Given the significant number of vendors with which electric utilities have relationships and the lengthy procurement processes needed to acquire necessary goods and services for BES Cyber Systems, implementation of the new requirements will require extensive coordination among legal, procurement, cyber, and IT personnel.