The supply chain risks facing electric utilities have long been a concern for industry stakeholders and regulators alike. Reflecting those concerns, NERC submitted a report on May 28 to FERC recommending the expansion of requirements addressing supply chain cybersecurity risks for electric utilities, concluding that the scope of those requirements needed to expand to match the scope of the cybersecurity risk. The development of such revised standards will itself be a lengthy process and subject to additional FERC review.
Background
Last year, the Commission approved new and revised Critical Infrastructure Protection (CIP) Reliability Standards addressing supply chain cybersecurity risks that are set to take effect at the beginning of July 2020 (the Supply Chain Standards). The Supply Chain Standards require electric utilities with high- and medium-impact BES Cyber Systems (i.e., the cyber systems most critical to grid reliability) to develop processes that reduce the cyber risks posed by the supply chain for industrial control system assets.
In approving the Supply Chain Standards, the Commission directed NERC to further address the cyber risks associated with certain categories of assets that currently fall outside the scope of the Supply Chain Standards. First, the Commission directed NERC to include Electronic Access Control and Monitoring Systems (EACMS) within the scope of the Supply Chain Standards. Second, it directed NERC to move forward with a planned study evaluating the need to expand the scope of the requirements to include other sets of assets, such as Physical Access Control Systems (PACS), low-impact BES Cyber Systems, and Protected Cyber Assets (PCAs). The May 28 report reflects the results of NERC’s assessment.
May 28 Report
In response to the Commission’s first directive, the May 28 report concluded that the Supply Chain Standards should be modified to include EACMSs that perform electronic access control functions for high- and medium-impact BES Cyber Systems. In other words, the report recommended excluding from the scope of the Supply Chain Standards those EACMSs that perform only monitoring or logging functions. NERC Staff reasoned that the supply chain for EACMSs that perform electronic access control functions deserved more scrutiny because those assets serve as “gatekeepers” for critical systems and present the greatest risk to reliability if compromised. In response to the Commission’s second directive, the May 28 report concluded that the Supply Chain Standards should be revised to also address PACS that provide physical access control (excluding alarming and logging) to high- and medium-impact BES Cyber Systems.
The May 28 report stopped short of recommending an expansion of the Supply Chain Standards to include all low-impact BES Cyber Systems and PCAs at this time. According to NERC Staff, further study would be necessary to examine those low-impact BES Cyber Systems that can routably connect to assets outside their Electronic Security Perimeters. NERC Staff also acknowledged that PCAs represent a very wide variety of assets with a lower risk profile, and that subjecting all of those assets to the Supply Chain Standards could create an unnecessary regulatory burden. In lieu of recommending a mandatory requirement through the Supply Chain Standards, NERC Staff plans to develop guidelines to assist entities in evaluating their PCAs on a case-by-case basis to determine what, if any, additional supply chain protections are needed.
Next Steps
NERC will continue to work through its existing stakeholder processes to review the recommendations in the May 28 report and develop next steps. Any further modifications to the Supply Chain Standards (or other CIP standards) as a result of the report will be subject to Commission review.