Tougher Standards for Cybersecurity Supply Chains
John Simpson | August 16, 2016The U.S. Federal Energy Regulatory Commission (FERC) has ordered the North American Electric Reliability Corp. (NERC) to develop a new supply chain risk management standard that addresses threats to information systems and related bulk electric system (BES) assets.
FERC directed NERC to develop a Critical Infrastructure Protection (CIP) Reliability Standard that requires each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software and services associated with bulk electric system operations. The new or modified reliability standard should address "software integrity and authenticity; vendor remote access; information system planning; and vendor risk management and procurement controls," FERC says.
The FERC separately issued a Notice of Inquiry into modifying CIP standards regarding the protection of control centers that are used to monitor the bulk electric system in real time. Cyber systems are used to operate and maintain interconnected transmission networks.
FERC cited the 2015 cyberattack on the electric grid in Ukraine as an example of how cyber systems used to operate and maintain interconnected networks more efficiently can have the unintended effect of creating cyber vulnerabilities. As a result of the attack, three regional electric power distribution companies in Ukraine incurred power outages that affected at least 225,000 customers.
The FERC is seeking comment on possible changes to CIP Reliability Standards and any potential impacts on the operation of the bulk power system resulting from such modifications. Commenters are asked to address: (1) separation between the Internet and BES cyber systems in control centers performing transmission operator functions; and (2) computer administration practices that prevent unauthorized programs from running, referred to as “application whitelisting,” for cyber systems in control centers.