BLOG POST

Power & Pipes

FERC, CFTC, and State Energy Law Developments

FERC approved revisions to three Critical Infrastructure Protection (CIP) North American Electric Reliability Corporation (NERC) Reliability Standards to expand the scope of the assets subject to supply chain cybersecurity requirements and related obligations. Supply chain cybersecurity continues to be a focus of NERC, energy industry stakeholders, and government regulatory and securities agencies.

The revisions affect CIP-013-2, Cyber Security – Supply Chain Risk Management; CIP-005-7, Cyber Security – Electronic Security Perimeter(s); and CIP-010-4, Cyber Security – Configuration Change Management and Vulnerability Assessments which were modified to address bulk electric system (BES) security and address concerns identified by FERC when the prior iteration of each Reliability Standard was approved.

In Order No. 850 (October 2018), the prior versions of each standard, which are currently in effect, were approved by FERC. While FERC found that the Reliability Standards were “forward-looking” and “objective-based,” as per FERC’s directive to NERC in Order No. 829 to develop CIP supply chain cybersecurity requirements, FERC determined that a significant cybersecurity risk associated with the supply chain for BES Cyber Systems remained because the Reliability Standards did not address Electronic Access Control or Monitoring Systems (EACMS) which are the assets that authenticate, restrict, and monitor access to CIP-protected systems. Order No. 850 also determined that the Reliability Standards largely did not address Physical Access Control Systems (PACS) (which control physical access to protected systems) and Protected Cyber Assets (PCAs) (non-critical assets within protected systems), and noted that the exclusion of these components could leave a gap in the supply chain risk management Reliability Standards. Therefore, FERC directed NERC to revise the Reliability Standards to address EACMS, PACS, and PCAs.

In compliance with the directive from Order No. 850, NERC revised CIP-013 to require responsible entities to consider and address cybersecurity risks from vendor products or services during planning for the procurement of BES Cyber Systems as well as EACMS and PACS. Under Requirement 1 of the CIP-013-2, responsible entities must add EACMS and PACS associated with medium and high impact BES Cyber Systems to their documented supply chain cybersecurity risk management plans.

NERC also revised CIP-005 to address remote access controls for EACMS and PACS associated with high impact BES Cyber Systems and medium impact BES Cyber Systems with external routable connectivity. The addition of new Parts 3.1 and 3.2 to CIP-005-7 will work in tandem with Requirement R1 of CIP-013-2 to address vendor remote access, which has remained an area of heightened security concerns. Further, NERC revised CIP-010’s applicability to EACMS associated with high and medium impact BES Cyber Systems, and PACS associated with high and medium impact BES Cyber Systems. NERC stated that the revisions to CIP-010-4 will reduce the risk of an attacker exploiting a legitimate vendor patch management process for EACMS and PACs by requiring responsible entities to apply these protections to EACMS and PACS.

The revised Reliability Standards will further enhance the reliability of the nation’s electric system by maintaining the integrity of the supply chain for critical energy infrastructure. In compliance with the revised Reliability Standards, entities registered with NERC and subject to the Reliability Standards will need to modify their planning processes, particularly regarding engineering design and procurement of BES Cyber Systems, EACMS, PACS, and PCAs. These new requirements are likely to be a significant challenge, as vendors and suppliers of these devices do not focus on the energy industry, but rather supply these assets to a near-infinite variety of businesses. As a result, many such vendors will need to address these NERC requirements for the very first time, even though only utilities themselves are directly subject to these requirements.