At its October monthly meeting, the Federal Energy Regulatory Commission (the “Commission”) adopted new reliability standards addressing cybersecurity risks associated with the global supply chain for Bulk Electric System (“BES”) Cyber Systems. The new standards expand the scope of the mandatory and enforceable cybersecurity standards applicable to the electric utility sector. They will require electric utilities and transmission grid operators to develop and implement plans that include security controls for supply chain management for industrial control systems, hardware, software and services.
These standards have been in development for some time. The North American Electric Reliability Corporation (“NERC”) proposed them in September 2017 in response to an earlier Commission directive which identified potential supply chain threats to the utility sector. The reliability standards focus on the following four security objectives: (1) software integrity and authenticity; (2) vendor remote access protections; (3) information system planning and (4) vendor risk management and procurement controls. The new standards will become effective on the first day of the first calendar quarter that is 18 months following the effective date of Order No. 850 (which will be 60 days after its publication in the Federal Register).
In addition to adopting NERC’s proposed standards, the Commission also directed NERC to expand them to include Electronic Access Control and Monitoring Systems (“EACMS”) associated with “medium” and “high” impact BES Cyber Systems within the scope of the supply chain risk management standards. NERC and others had opposed this expansion but were overruled by the Commission. NERC has 24 months to develop and file EACMS rules. By contrast, FERC decided not to require NERC to develop additional rules that would apply to Physical Access Control Systems (“PACS”) or Protected Cyber Assets (“PCAs”) at this time. Instead, NERC must study the cybersecurity supply chain risks presented by PACS and PCAs and report back to the Commission as part of a broader supply chain risk study.