The Federal Energy Regulatory Commission has signed off on mandatory reliability standards aimed at safeguarding the power system from cybersecurity attacks on the electric industry's supply chain. The commission also gave the North American Electric Reliability Corp. two years to propose standards for a remaining "significant" related risk.
The new requirements, which FERC directed NERC more than two years ago to develop, give affected entities such as power plant owners and grid operators 18 months to create and implement a plan for managing supply chain risks on industrial control system hardware, software, and computing and networking services.
Officials from major U.S. electric utilities over the years have indicated their companies regularly face attempted cyberattacks. Moreover, Bloomberg Businessweek in early October reported that Chinese spies allegedly exploited weaknesses in the U.S. technology supply chain and during the manufacturing process planted microchips in computers supplied to more than 30 U.S. companies, including major technology companies, a bank and government contractors.
Nevertheless, there have been no reports to date of a cyberattack actually impacting power supplies to customers in the U.S., and utilities are already subject to a number of mandatory physical and cybersecurity-related reliability standards.
But FERC saw the need to expand those standards and on Oct. 18 signed off on additional NERC requirements aimed at managing supply chain risks, such as the insertion of counterfeit or malicious software, unauthorized production, tampering, theft, and poor manufacturing and development practices.
FERC in January proposed to direct NERC to give entities 12 months instead of 18 months to implement a plan for managing supply chain risks, but the Oct. 18 order said comments on that proposal convinced the agency that the technical upgrades needed to comply "could involve longer time-horizon capital budgets and planning cycles."
The agency also identified a remaining "significant cybersecurity risk associated with the supply chain" that the NERC standards do not address regarding electronic access control and monitoring systems, or EACMS. Those systems include firewalls, authentication services, intrusion detection and alerting systems, and security event monitoring programs.
"Once an EACMS is compromised, an attacker could more easily enter the [electronic security perimeters] and effectively control the [bulk electric system] cyber system or protected cyber asset," the order said. FERC also noted that the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team identified firewalls as the first line of defense within an industrial control system network.
FERC therefore gave NERC 24 months from the effective date of the order to propose modifications to the standards to include EACMS associated with medium- and high-impact jurisdictional cyber systems.
The commission also noted that NERC has committed to examining the risks that may exist for physical access control systems and protected cyber assets.