LaFleur: Rule Lacks Guidance
By Michael Brooks
WASHINGTON — FERC directed NERC on Thursday to develop a “forward-looking, objective-based” critical infrastructure protection (CIP) reliability standard for supply chain management, one that would place the onus on utilities to develop their own plans for protecting the production and distribution of industrial control system hardware and software (RM15-14-002).
Commissioner Cheryl LaFleur dissented in the 3-1 decision.
The commission’s order requires each affected entity’s plan to address four objectives: software integrity and authenticity; vendor remote access; information system planning; and vendor risk management and procurement controls.
FERC emphasized the flexibility it provided NERC in developing the standard. “There is no requirement for any specific controls, nor does FERC require any ‘one-size-fits-all’ requirements,” it said. “The new or modified reliability standard should instead require responsible entities to develop a plan to meet the four objectives while providing flexibility to responsible entities as to how to meet those objectives.”
“The draft final rule directs ‘what’ gap NERC should address,” the Office of the General Counsel’s Kevin Ryan told the commission at its open meeting, “not ‘how’ NERC addresses that gap.”
“I’m happy to support today’s order because I do think it reaches the appropriate balance of pairing together an appropriate sense of urgency on the issue with a prudent flexibility that’s going to be needed by NERC to develop the rule,” Commissioner Tony Clark said.
This is only the third time that FERC has directed NERC to develop a reliability standard; usually, NERC proposes new or revised standards, and FERC issues Notices of Proposed Rulemaking (NOPRs) to adopt them. The commission previously ordered NERC to develop standards on geomagnetic disturbances and physical security.
Clark drew a comparison to the physical security standard in his support for the order. “With the physical security standard, we weren’t telling NERC to tell fence builders how to build their fences, which would be beyond our authority, but rather to come up with a standard so that utilities can incorporate those best practices to ensure physical security of the grid.”
LaFleur Issues Lengthy Dissent
It was this flexibility that led Commissioner Cheryl LaFleur to vote against the order. “I recognize that today’s order on the face appears to afford a great deal of flexibility, but I believe that flexibility is in fact a lack of guidance on the issue we’re addressing,” she said at the open meeting.
LaFleur argued that the rule should have been issued as a NOPR instead to allow more input from stakeholders.
FERC first issued a NOPR addressing cybersecurity, including supply chain management, almost exactly a year ago. While the commission approved seven NERC-proposed standards in the NOPR in January, it held off on addressing the supply chain, holding a technical conference later that month. (See FERC Postpones Action on Supply Chain Protections.)
FERC on Thursday also denied a request for rehearing of its approval of the seven standards (RM15-14-001).
Commissioner Colette Honorable noted that FERC received comments from 34 parties on the NOPR and 24 additional post-technical conference comments. “I think our work in this particular effort demonstrates that we did heed the concerns raised by industry, government, vendors, folks in academia and others,” she said.
“It is worth noting,” LaFleur wrote in a four-page dissent, “that the four objectives that will define the scope and content of the standard were not identified in the supply chain NOPR. Therefore, even though the final rule reflects feedback received on the supply chain NOPR, and is not obviously inconsistent with the supply chain NOPR, no party has yet had an opportunity to comment on those objectives or consider how they could be translated into an effective and enforceable standard.”
And in a rare — albeit low-key and brief — debate at an open meeting, LaFleur rebutted Clark’s comparison of the new rule to the physical security standard. Clark said the latter standard had a quicker turnaround than FERC had required, while there has been “significantly more comment … and process leading up to this particular order.”
“Although the timeline was short, I thought that was actually an example of very focused outreach in advance,” LaFleur said. “We actually ordered the Office of Electric Reliability to work with NERC on the structure of the standard before we issued the directive and [to] agree in advance on a timeline. And as a result, I think we issued — even though we didn’t say ‘build a fence’ — a pretty focused standard, and they complied pretty quickly.
“But of course reasonable minds can differ.”
The rule will take effect 60 days after its publication in the Federal Register. NERC will then have a year to submit the standard.
Further Cybersecurity Measures
FERC also issued a Notice of Inquiry on Thursday seeking comment on potentially revising CIP standards to address separating the Internet and industrial control systems in transmission control centers (RM16-18).
The notice is in response to last year’s cyberattack in Ukraine, in which hackers, likely from the Russian government, infected three Ukrainian utilities with the BlackEnergy virus. Workers at the utilities downloaded seemingly innocent Microsoft Office files that had been emailed to them and enabled macros that allowed the hackers to gain control of the companies’ cyber systems, eventually knocking out power to 225,000 customers in the country. (See How a ‘Phantom Mouse’ and Weaponized Excel Files Brought Down Ukraine’s Grid.)
In its report on the incident, the Department of Homeland Security recommended, among other measures, isolating industrial control systems from the Internet and other unsecured networks at control centers. FERC seeks comment on any potential impacts on the grid from doing this.