FERC approves new supply chain reliability standards
The Federal Energy Regulatory Commission (FERC) recently approved new mandatory Reliability Standards to strengthen supply chain risk management protections for the nation’s bulk electric system.
The standards will augment current Critical Infrastructure Protection standards to address cybersecurity risks associated with the supply chain for grid-related cyber systems. Last week’s final rule closely follows what FERC outlined in the Notice of Proposed Rulemaking issued in January 2018.
The North American Electric Reliability Corporation (NERC) proposed the standards in response to FERC Order No. 829, which directed the organization to develop standards to address supply chain risk management for industrial control system hardware, software, and computing and networking services.
The standards require each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services related to bulk electric system operations. FERC approved NERC request for a 19-month implementation period.
FERC noted that, because the standards exclude Electronic Access Control and Monitoring Systems (EACMS), a significant cybersecurity risk remains. EACMS, which includes firewalls, authentication servers, security event monitoring systems, intrusion detection systems and alerting systems, control access into Electronic Security Perimeters to help protect bulk electric system (BES) cyber systems.
To address this issue, FERC gave NERC 24 months to develop modifications that include EACMS associated with medium and high impact BES Cyber Systems within the scope of the supply chain risk management Reliability Standards.
The final rule takes effect 60 days after publication in the Federal Register.
FERC also approved last week the 2019 business plan and budget for NERC, its regional entities, and the Western Interconnection Regional Advisory Body.
