The Federal Energy Regulatory Commission (FERC) is set to approve new mandatory reliability standards that it says will bolster supply chain risk management protections for the nation’s bulk electric system.

The proposed standards are intended to augment current critical infrastructure protection standards and mitigate cybersecurity risks associated with the supply chain for grid-related cybersystems.

The North American Electric Reliability Corp. (NERC) proposed the standards in response to FERC Order No. 829. That order directed the electric reliability organization to develop standards to address supply chain risk management for industrial control system hardware, software and computing and networking services.

FERC says that the global supply chain presents "opportunities to affect management or operations of generation or transmission companies that may result in risks to end-users."

The Notice of Proposed Rulemaking (NOPR) finds that NERC’s proposals show "substantial progress" in addressing supply chain cybersecurity risks. But it also finds that a "significant" cybersecurity risk remains because the proposed standards exclude Electronic Access Control and Monitoring Systems (EACMS), Physical Access Controls (PACs) and Protected Cyber Assets (PCAs).

To address that gap, FERC proposes to direct NERC to include EACMS associated with medium- and high-impact bulk electric cybersystems within the scope of the supply chain risk management reliability standards. It also proposes evaluating the risks presented by PACs and PCAs.

In a separate order, the Commission approved a series of new Emergency Preparedness and Operations (EOP) Reliability Standards. FERC says the standards will enhance reliability by:

  • providing accurate reporting of events to NERC’s event analysis group to examine the impact on reliability of the grid (EOP-004-4);
  • delineating the roles and responsibilities of entities that support system restoration from blackstart resources (EOP-005-3);
  • clarifying the procedures and coordination requirements for reliability coordinator personnel to execute system restoration processes (EOP-006-3); and
  • refining the required elements of an operating plan used to continue reliable operation of the grid if primary control functionality is lost (EOP-008-2).