The supply chain risks facing utilities have long been a concern for industry stakeholders and regulators. Reflecting those concerns, on May 28 NERC submitted a report to FERC recommending that the requirements addressing supply chain cybersecurity risk for electric utilities be expanded, concluding that the scope of those requirements should be broadened to better match the scope of the cybersecurity risk. Developing such revised standards will itself be a lengthy process and will be subject to further review by FERC.
Last year, the Commission approved new and revised Critical Infrastructure Protection (CIP) Reliability Standards addressing supply chain cybersecurity risk, which take effect in early July 2020 (the "Supply Chain Standards"). The Supply Chain Standards require utilities that have high and medium impact BES Cyber Systems (that is, the cyber systems most critical to grid reliability) to develop processes that mitigate supply chain cyber risks to industrial control system assets (our summary here).
In approving the Supply Chain Standards, the Commission directed NERC to address the cyber risks associated with certain categories of assets that currently fall outside the scope of the Supply Chain Standards. First, the Commission directed NERC to bring Electronic Access Control or Monitoring Systems (EACMS) within the scope of the Supply Chain Standards. Second, it directed NERC to proceed with a planned study assessing whether the scope of the requirements should be broadened to cover other categories of assets, such as Physical Access Control Systems (PACS), low impact BES Cyber Systems, and Protected Cyber Assets (PCAs). The May 28 report reflects the results of NERC's evaluation.
The May 28 Report
In response to the Commission's first directive, the May 28 report concluded that the Supply Chain Standards should be modified to include only those EACMS that perform electronic access control for high and medium impact BES Cyber Systems. In other words, the report recommends leaving EACMS that perform only monitoring or logging functions outside the scope of the Supply Chain Standards. NERC staff reasoned that the supply chain for EACMS performing electronic access control functions warrants greater scrutiny because those assets serve as "gatekeepers" for critical systems and pose the greatest risk to reliability if compromised. In response to the Commission's second directive, the May 28 report concluded that the Supply Chain Standards should also be revised to address PACS that provide physical access control (as opposed to alarming and logging) for high and medium impact BES Cyber Systems.
The May 28 report did not recommend expanding the Supply Chain Standards to cover low impact BES Cyber Systems or PCAs at this time. According to NERC staff, further study is needed of low impact BES Cyber Systems that may routinely connect to assets outside their Electronic Security Perimeters. NERC staff also recognized that PCAs encompass a very wide variety of assets with a lower risk profile, and that subjecting all of those assets to the Supply Chain Standards could create an unnecessary regulatory burden. Rather than recommending a mandatory requirement under the Supply Chain Standards, NERC staff plans to develop guidance to help entities evaluate their PCAs on a case-by-case basis to determine what additional supply chain protections, if any, are necessary.
NERC will continue to work through its existing stakeholder processes to review the recommendations in the May 28 report and determine next steps. Any further changes to the Supply Chain Standards (or to other CIP standards) resulting from the report will be subject to review by the Commission.