FERC Acts on Cybersecurity Risks

On October 18, the Federal Energy Regulatory Commission (FERC) approved new mandatory reliability standards intended to address cybersecurity risks. The new standards will augment the current Critical Infrastructure Protection (CIP) standards in order to mitigate cybersecurity risks in the supply chain for grid-related systems.

The standards require transmission grid operators and electric utilities to create and implement plans that have security controls for supply chain management for industrial control systems, software, hardware, and services.

“Reliability of the bulk power system requires our attention to security issues as well as ensuring that the system serves consumers during peak-demand times,” FERC Chairman Joseph T. Kelliher said. “These proposed standards are intended to provide the adequate safeguards and training to help us do that.”

These standards have been in the works since September 2017, when they were first proposed by the North American Electric Reliability Corporation (NERC) as a response to a FERC directive that identified some possible threats to the utility center. NERC has a period of 18 months to implement the new standards; according to FERC, the longer implementation timeline was justified because of the technical upgrades needed.

FERC also told NERC to implement the new standards into Electronic Access Control and Monitoring Systems (EACMS) associated with medium and high Bulk Electric System Cyber Systems that fall under the supply chain risk management standards; they have 24 months to implement these changes. According to FERC, the EACMS can include authentication servers, intrusion detection systems, firewalls, and alerting systems. Once an EACMS has been compromised, the Bulk Electric System can be controlled.

The standard does not “require that every contract with a vendor include provisions for each of the listed items,” NERC said. The utilities would instead need to “ensure that these security items are an integrated part of procurement activities, such as a request for proposal or in the contract negotiation process.”

As part of a bigger security risk study, NERC will report to FERC any cybersecurity risks it uncovers in Physical Access Control Systems and Protected Cyber Assets, instead of developing new standards for those. These include things like electronic locks, motion sensors, networked printers, local area network switches, badge readers, and file transfer services.

In January 2018, FERC outlined the new standards in a Notice of Proposed Rulemaking, and this final ruling on the changes follows that notice closely. In FERC’s outline, they had initially given a 12-month timeline for implementation, even though NERC had requested 18 months, but they decided to allow for 18 months in the final rule.

FERC specified in Order No. 829 that the standards should focus on four security objectives: (1) software integrity and authenticity; (2) vendor remote access protections; (3) information system planning; and (4) vendor risk management and procurement controls.

In March 2018, the American Public Power Association and other groups urged FERC to approve the proposal. At the same time, they requested that FERC wait to include EACMS in the new policies, which were given a longer timeline for implementation.

“The proposed standards fulfill Order No. 829’s directive and would mitigate supply chain cybersecurity risks to the BES while appropriately focusing on the systems and assets that are most critical to reliable operation of the BES,” the Association told FERC.

“While the standard is not a panacea, it is an important step forward to tackle a tough problem,” Commissioner Neil Chatterjee said. “It will be particularly important to revisit the standard after several years of experience to see what is working and what aspects could be improved. But again, today’s order is a good step in the right direction.”

The final rule will take effect 60 days after it is published in the Federal Register.