FERC Approves NERC’s Supply Chain Risk Management Reliability Standards and Directs NERC to Expand Their Scope
A string of governmental announcements has increasingly sounded the alarm about the growing cybersecurity threat facing the energy sector. Among other things, these reports have announced that state-sponsored cyber actors have successfully gained access to the control rooms of utilities. The hackers, one of the reports notes, could have used such access to cause blackouts.
Against this backdrop, it is unsurprising that energy regulators have increasingly focused their attention on cybersecurity issues. Consistent with this focus, the Federal Energy Regulatory Commission (“FERC”) recently issued a final rule approving three mandatory Reliability Standards that the North American Electric Reliability Corporation (“NERC”) proposed to improve the electric industry’s safeguards against cybersecurity threats. FERC also used the rule to direct NERC to expand the scope of the Reliability Standards so that they cover Electronic Access Control and Monitoring Systems (“EACMS”) associated with medium and high impact bulk electric system (“BES”) Cyber Systems.
Procedural History. FERC’s approval comes over two years after it first directed NERC to develop Reliability Standards that would address supply chain risk management for industrial control system hardware, software, and computing and networking services associated with BES operations. Specifically, FERC directed NERC to require responsible entities to develop and implement a plan with supply chain management security controls focused on four forward-looking security objectives: (1) software integrity and authenticity, (2) vendor remote access, (3) information system planning, and (4) vendor risk management and procurement controls.
On September 26, 2017, NERC submitted for FERC approval proposed Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 and their associated violation risk factors and severity levels, implementation plan, and effective date. On January 18, 2018, FERC issued a notice of proposed rulemaking proposing to approve these Reliability Standards and indicating that they “will enhance existing protections for bulk electric system reliability by addressing” FERC’s four objectives. FERC’s final rule, issued on October 18, 2018, closely follows its proposed rulemaking.
Description of Standards. The Reliability Standards are intended to fulfil the goals FERC established more than two years ago:
- Reliability Standard CIP-010-3 addresses software authenticity and integrity by creating a requirement that responsible entities verify the identity of the source of software and the integrity of the software obtained prior to installing software that changes established baseline configurations, when methods are available to do so.
- Reliability Standard CIP-005-6 addresses vendor remote access by creating two new requirements for determining active vendor remote access sessions and for having at least one method to disable active vendor remote access sessions.
- Finally, Reliability Standard CIP-013-1 addresses information system planning and vendor risk management and focuses on the steps that responsible entities must take “to consider and address cybersecurity risks from vendor products and services during BES Cyber System planning and procurement.” To that end, Reliability Standard CIP-013-1 requires the development and implementation of a documented supply chain cybersecurity risk management plan that must address, as applicable, a baseline set of six security concepts: (1) vendor security event notification, (2) coordinated incident response, (3) vendor personnel termination notification, (4) product/services vulnerability disclosures, (5) verification of software integrity and authenticity, and (6) coordination of vendor remote access controls. With respect to assessing compliance with Reliability Standard CIP-013-1, NERC and Regional Entities will focus on whether responsible entities implement the process in good faith and develop processes reasonably designed to assess risks associated with vendor products and services and ensure that the relevant security items are an integrated part of procurement activities. (It is worth noting that NERC will not require responsible entities to apply their supply chain risk management plans to the acquisition of vendor products or services under contracts executed prior to the effective date of Reliability Standard CIP-013-1.)
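To make the CIP-010-3 requirement concrete, the following is an added illustration (not code from the standard, NERC, or this post) of the two checks it describes: confirming the identity of the software’s source and the integrity of the obtained bytes before a baseline change is allowed. It assumes a vendor that publishes a release manifest signed with an Ed25519 key the responsible entity has pinned; the key, package name, and firmware bytes are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// vendorManifest is the vendor-published statement of what a release contains:
// the expected SHA-256 of the package, signed by the vendor's release key.
// (Hypothetical format, assumed for this example.)
type vendorManifest struct {
	Package string
	SHA256  string
	Sig     []byte // Ed25519 signature over Package + "\n" + SHA256
}

func manifestBytes(m vendorManifest) []byte { return []byte(m.Package + "\n" + m.SHA256) }

// newSignedManifest models the vendor side: hash the release and sign the manifest.
func newSignedManifest(priv ed25519.PrivateKey, name string, pkg []byte) vendorManifest {
	sum := sha256.Sum256(pkg)
	m := vendorManifest{Package: name, SHA256: hex.EncodeToString(sum[:])}
	m.Sig = ed25519.Sign(priv, manifestBytes(m))
	return m
}

// gateBaselineChange is the responsible entity's pre-installation check:
// source identity (manifest signed by the pinned vendor key) and
// integrity (obtained bytes hash to the value the vendor published).
func gateBaselineChange(pinnedVendorKey ed25519.PublicKey, m vendorManifest, pkg []byte) error {
	if !ed25519.Verify(pinnedVendorKey, manifestBytes(m), m.Sig) {
		return errors.New("source identity check failed: manifest not signed by pinned vendor key")
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("integrity check failed: package hash does not match signed manifest")
	}
	return nil // only now may the baseline configuration change proceed
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor release key
	pkg := []byte("constructed relay firmware image v2.1")
	m := newSignedManifest(priv, "relay-fw-2.1.bin", pkg)
	fmt.Println("genuine package:", gateBaselineChange(pub, m, pkg))
	tampered := append([]byte{}, pkg...)
	tampered[0] ^= 0xff
	fmt.Println("tampered package:", gateBaselineChange(pub, m, tampered))
}
```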
Timing of Implementation. Although the final rule generally tracks the proposed rulemaking, there is at least one change worth noting. FERC initially proposed directing NERC to give responsible entities 12 months, rather than NERC’s proposed 18 months, to implement supply chain risk management plans. In the final rule, however, FERC ultimately accepted NERC’s implementation timeline, because it concluded the technical upgrades necessary to meet the Reliability Standard’s security objectives may require longer time-horizon capital budgets and planning cycles. The Reliability Standards will therefore be effective on July 1, 2020 – i.e., the first day of the first calendar quarter that is 18 months following the effective date of the final rule.
Mandated Expansion of Reliability Standards. FERC also affirmed its proposal to require that NERC include within the scope of the Reliability Standards EACMS associated with medium and high impact BES Cyber Systems, despite objections from NERC and other commenters to such an expansion of the requirements. EACMS are defined as “Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems” and include, among other things, firewalls, authentication services, security event monitoring systems, intrusion detection systems, and alerting systems. Finding the objections of NERC and the other parties unpersuasive, FERC indicated that “the burden of possible procurement inefficiencies or resource constraints must be weighed against the significant risk of a cyber incident resulting from unmitigated supply chain vulnerabilities,” and that EACMS “represent the most likely route an attacker would take to access a BES Cyber System.” FERC has given NERC 24 months from the effective date of the final rule to propose modifications to the Reliability Standards to include EACMS associated with medium and high impact BES Cyber Systems.
* * * * *
The final rule was published in the Federal Register on October 26 and accordingly becomes effective on December 26, 2018.