At today’s open meeting, the Federal Energy Regulatory Commission (FERC) proposed to approve new Critical Infrastructure Protection (CIP) Reliability Standards developed by the North American Electric Reliability Corporation (NERC) to protect the cybersecurity of the supply chains for critical utility systems. While recognizing the benefits of using a global supply chain to produce the assets used to operate the bulk electric system, FERC staff’s accompanying presentation recognized that relying on a global supply chain “also enables opportunities for adversaries to directly or indirectly affect the management or operations of generation and transmission companies in a manner that may result in risks to end users, such as through the insertion of counterfeits, unauthorized production, tampering, theft, or insertion of malicious software.”

NERC’s proposed standards were developed in response to a commission directive and would require registered entities to develop a plan to mitigate supply chain cybersecurity risks posed by vendor products and services, particularly during the vendor procurement process. Morgan Lewis’s overview of the new standards is available here. If ultimately adopted by FERC, these standards could significantly alter the procurement process for utilities purchasing new assets and services for their critical IT infrastructure. Although the new standards do not require a specific outcome in those procurement processes, utilities will need to demonstrate that their purchasing activities did address each of the minimum cybersecurity criteria outlined in the new standards. As a result, those companies providing goods and services to electric utilities will also need to adapt to the new requirements in order to demonstrate that they can assist electric utilities in meeting these compliance obligations, even though only utilities themselves would be subject to the standards and could be fined for noncompliance.

FERC is also proposing to direct NERC to modify the proposed standards to cover Electronic Access Control and Monitoring Systems for medium- and high-impact BES Cyber Systems. FERC also expressed concern that the proposed standards do not cover Physical Access Controls and Protected Cyber Assets, but it is not proposing to order NERC to cover those systems in a revised standard. Instead, FERC is proposing to direct NERC to analyze the risk posed by those systems so that the commission can further consider whether they also need supply chain protections.

Comments on the FERC Notice of Proposed Rulemaking will be due 60 days after publication in the Federal Register.