The Federal Energy Regulatory Commission (FERC or the Commission) issued a notice of proposed rulemaking on September 19, 2024 to tighten its existing mandatory controls for certain electric assets. The proposal reflects FERC’s increasing concern that current controls are not up to the task of preventing bad actors from infiltrating the supply chain of critical electric infrastructure, thereby creating significant risk to electric system reliability.
Background
Reliability Standards have addressed supply chain risk management since 2018, providing basic protections against supply chain threats. However, FERC has identified an increasing potential for disruptions to the global supply chain, to the detriment of electric grid reliability. FERC opined that, although existing Reliability Standards and efforts by the industry “provide a strong foundation of protection,” there are concerning gaps that must be closed.
FERC noted, for example, that foreign suppliers might be compelled by their governments to embed spyware or other malicious software in supplied products, allowing foreign governments to collect personal information or trade secrets, or to sabotage equipment. FERC also explained that, through non-public audits, FERC staff identified instances of inconsistent or ineffective efforts to evaluate vendors. FERC staff also observed that many supply chain risk management plans did not contain procedures to respond to risks and document decisions.
FERC’s Proposed Reliability Standard Revisions
FERC proposes directing the North American Electric Reliability Corporation (NERC), the FERC-approved electric reliability organization that develops and enforces Reliability Standards, to submit new or modified Reliability Standards within 12 months of any final rule adopted by FERC in the rulemaking. Specifically, FERC proposes that NE RC address the following two gaps in existing Reliability Standards related to the supply chain:
- The sufficiency of supply chain risk management plans related to the identification of, assessment of, and response to supply chain risks; FERC proposes to have NERC require:
- Specific timing requirements to evaluate its equipment and vendors
- Identification of risks that develop after a contract commences so that supply chain risk management is not simply focused on the procurement process
- Supply chain risk management plans to include steps to validate information provided by vendors
- A process to document, track, and respond to all identified supply chain risks
- The applicability of supply chain risk management Reliability Standards to protected cyber assets (PCAs), which are ancillary equipment that resides behind an electronic access point within a critical infrastructure protected network but are not themselves Bulk Electric System Cyber Assets; FERC proposes to direct NERC to:
- Include PCAs as applicable assets under the Reliability Standards
- Protect PCAs from supply chain risks at the same level as other assets inside their electronic security perimeter
The Commission seeks comments on these proposals 60 days after official publication of this notice in the Federal Register. Subsequently, the Commission could issue a final rule providing direction to NERC on how to revise the Reliability Standards.
[View source.]
