By Rich Heidorn Jr.
FERC on Thursday approved reliability standards for mitigating supply chain risks in industrial control system hardware, software and computing and networking services. The commission also ordered NERC to develop rules expanding the supply chain protections to include electronic access control and monitoring systems (EACMS).
The commission’s final rule, intended to build on existing critical infrastructure protection (CIP) standards, approved NERC reliability standards CIP-013-1 (Cyber Security – Supply Chain Risk Management), CIP-005-6 (Cyber Security – Electronic Security Perimeter(s)) and CIP-010-3 (Cyber Security – Configuration Change Management and Vulnerability Assessments). The final rule hews closely to the commission’s January 2018 Notice of Proposed Rulemaking (RM17-13). (See FERC Backs NERC Supply Chain Standards.)
The new rules, effective 60 days after publication in the Federal Register, will be implemented over 18 months, as requested by NERC. The commission said the transition was needed because compliance will likely require technical upgrades, with implications for capital budgets and planning cycles that have longer time horizons.
Counterfeits, Malicious Software
The rules are intended to protect the bulk electric system (BES) from counterfeit or tampered hardware and malicious software. They require affected entities to implement security controls addressing software integrity and authenticity, vendors' remote access, information system planning and vendor risk management. FERC said the rules will cover 288 entities, including reliability coordinators, generator operators, generator owners, interchange coordinators or authorities, transmission operators, balancing authorities and transmission owners.
FERC acknowledged the rules did not cover the supply chain risks of EACMS such as firewalls, authentication servers, security event monitoring systems, and intrusion detection and alerting systems. The commission said NERC must propose rules to address the gap within 24 months. “Once an EACMS is compromised, an attacker could more easily enter the [electronic security perimeters] and effectively control the BES cyber system or protected cyber asset,” FERC said.
The commission also noted the standards generally don't address physical access control systems (PACS) or protected cyber assets (PCAs). "We remain concerned that the exclusion of these components may leave a gap in the supply chain risk management reliability standards. Nevertheless, in contrast to EACMS, we believe that more study is necessary to determine the impact of PACS and PCAs," the commission said. "Compromise of PACS and PCAs is less likely. For example, a compromise of a PACS, which would potentially grant an attacker physical access to a BES cyber system or PCA, is less likely since physical access is also required."
Budgets OK’d
The commission also approved NERC’s 2019 business plan along with almost $166 million in spending allocated for the U.S. share of funding NERC, its regional entities and the Western Interconnection Regional Advisory Body (WIRAB) (RR18-9).
The 2019 budgets include $62.5 million for NERC, $102.8 million for its seven regional entities and almost $630,000 for WIRAB.
Including funding from other sources, NERC’s 2019 budget is $79.1 million, an 8.4% increase over 2018. Most of the increase is attributed to expanding staffing and functions at its electricity information sharing and analysis center (E-ISAC). (See New NERC Chief Not ‘Smartest Guy in the Room’.)
NERC’s budget includes 205 full-time equivalents, an increase of six from 2018.