The Federal Energy Regulatory Commission (FERC) proposed a new rule this month that aims to address the growing risks posed by malicious actors seeking to compromise the bulk-power system and related supply chains.

If enacted, the rule would direct the North American Electric Reliability Corporation (NERC) to submit new reliability standards that address ongoing risks to the security of the bulk-power system posed by gaps in the Critical Infrastructure Protection (CIP) Reliability Standards related to supply chain risk management (SCRM).

Specifically, FERC is proposing that NERC develop new standards requiring entities to identify their current supply chain risks to their grid-related cybersecurity systems; assess and take steps to validate the accuracy of the information received from vendors during the procurement process; and document, track, and respond to these risks to their systems.

The rule would also direct NERC to extend the applicability of the supply chain standards to include a category of products known as protected cyber assets.

The proposed rule would require NERC to submit new standards within 12 months of the effective date of a final rule.

“Although the currently effective SCRM Reliability Standards provide a baseline of protection against supply chain threats, there are increasing opportunities for attacks posed by the global supply chain,” FERC wrote on Sept. 19. “As we have observed in prior proceedings, while the global supply chain provides the opportunity for significant customer benefits such as low cost, variety of products, and rapid innovation, it also introduces risk to the security and reliability of the Bulk-Power System by facilitating attacks by adversaries.”

“Using the global supply chain, adversaries have inserted counterfeit and malicious software, tampered with hardware, and enabled remote access,” FERC said. “Based on these known risks, over the last decade, the Commission, other federal agencies, and the energy industry have focused on SCRM and mitigating cybersecurity risks associated with the supply chain for critical infrastructure.”

“We believe that directing NERC to address these gaps in the SCRM Reliability Standards will strengthen the reliability and security of the Bulk-Power System. These reliability gaps present an increasingly urgent threat to the Bulk-Power System that requires timely action,” the commission said.

Comments on FERC’s proposed rule are due before Nov. 19.

Cate Burgan
Cate Burgan is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.