On Jan. 18, 2018, the Federal Energy Regulatory Commission (FERC) issued a Notice of Proposed Rulemaking (NOPR) on Docket No. RM17-13-000, Supply Chain Risk Management Reliability Standards. This issued notice includes one new standard, CIP-013-1 (Cybersecurity – Supply Chain Risk Management), an update to the CIP-005 standard (Cybersecurity – Electronic Security Perimeter(s)) and an update to the CIP-010 standard (Cybersecurity – Configuration Management and Vulnerability).
The NOPR also included a concurring opinion statement by Commissioner Cheryl LaFleur explaining why she concurred with the NOPR despite her previous disapproval of the commission’s order to develop the new standard. Originally believing that “the Commission was proceeding too quickly to require a supply chain standard,” Commissioner LaFleur concluded in her statement that she supported “the proposal to shorten the implementation date for the new standards,” and that “the revised deadline will allow industry, NERC, and the Commission to put the standards in place sooner while continuing to evaluate how best to protect the bulk power system against supply chain threats.”
Translation: The risk to the supply chain is significant enough to warrant a change and it is better to begin the process now and work through potential changes as the results are seen.
In reviewing the NOPR, a few items stood out as important for responsible entities to understand:
- FERC is in agreement with the North American Electric Reliability Corp. (NERC) in that the new standard will presently only cover medium- and high-impact Bulk Electric System (BES) Cyber Systems (BCS). They also concurred with the NERC Board of Trustees (BOT) directive ordering that NERC study the risks posed by not covering low-impact BCS and directed NERC to submit the interim and final results to FERC.
- FERC, under section 215(d)(5) of the Federal Power Act, proposes that Electronic Access and Control Monitoring Systems, the first line of defense within an ICS network environment associated with medium- and high-impact BCS, be included within the scope of the supply chain management Reliability Standards based upon their controlling remote access to BCS.
- FERC is also in agreement with the NERC petition that Physical Access Control Systems and Protected Cyber Assets be included in the study mentioned in item 1.
- FERC found that the proposed 18-month implementation period is longer than what should be required since the changes are mainly process-based. As a result, FERC has proposed that the implementation period be reduced to 12 months.
So, with all that said, what does this mean to responsible entities whose critical infrastructure protection personnel are already overworked?
The proposed CIP-013-1 standard, as noted by the Standard Drafting Team (SDT) 2016-03 in a note to R2, states:
“Implementation of the plan does not require the Responsible Entity to renegotiate or abrogate existing contracts (including amendments to master agreements and purchase orders). Additionally, the following issues are beyond the scope of Requirement R2: (1) the actual terms and conditions of a procurement contract; and (2) vendor performance and adherence to a contract.”
It could be said that this new NERC compliance standard requires a responsible entity to spend time and effort in developing and collecting evidence on this plan with no results required from a cybersecurity perspective. It is important to focus on the fact that the plan is a risk mitigation plan, in which entities identify and assess cyber risks; however, the most important thing is to mitigate the identified risks, making each individual plan more effective. After all, supply chain management was initiated by FERC in response to real world cyber attacks.
Wish you had a say in all this? Well, the good news is there’s still time to get involved and make a difference. The NOPR was posted to the Federal Register on January 25, 2018 and comments will be accepted until March 26, 2018. So, be sure to make your voice heard before time runs out!
Smart devices and interconnected systems enable improved efficiency and operational visibility for energy supply networks. But they also heighten cybersecurity risk. Consider the best practices that help secure supply chains, mitigate vulnerability and keep complex energy systems safe.