FERC approves supply chain reliability standards, directs work on remaining risk

The Federal Energy Regulatory Commission has signed off on mandatory reliability standards aimed at safeguarding the power system from cybersecurity attacks on the electric industry's supply chain. The commission also gave the North American Electric Reliability Corp. two years to propose standards for a remaining "significant" related risk.

The new requirements, which FERC directed NERC to develop more than two years ago, give affected entities such as power plant owners and grid operators 18 months to create and implement a plan for managing supply chain risks on industrial control system hardware, software, and computing and networking services.

Officials from major U.S. electric utilities over the years have indicated their companies regularly face attempted cyberattacks. Moreover, Bloomberg Businessweek in early October reported that Chinese spies allegedly exploited weaknesses in the U.S. technology supply chain and during the manufacturing process planted microchips in computers supplied to more than 30 U.S. companies, including major technology companies, a bank and government contractors.

Nevertheless, there have been no reports to date of a cyberattack actually impacting power supplies to customers in the U.S., and utilities are already subject to a number of mandatory physical and cybersecurity-related reliability standards.

But FERC saw the need to expand those standards and on Oct. 18 signed off on additional NERC requirements aimed at managing supply chain risks, such as the insertion of counterfeit or malicious software, unauthorized production, tampering, theft, and poor manufacturing and development practices.

FERC in January proposed to direct NERC to give entities 12 months instead of 18 months to implement a plan for managing supply chain risks, but the Oct. 18 order said comments on that proposal convinced the agency that the necessary related technical upgrades "could involve longer time-horizon capital budgets and planning cycles."

The agency also identified a remaining "significant cybersecurity risk associated with the supply chain" that the NERC standards do not address regarding electronic access control and monitoring systems, or EACMS. Those systems include firewalls, authentication services, intrusion detection and alerting systems, and security event monitoring programs.

"Once an EACMS is compromised, an attacker could more easily enter the [electronic security perimeters] and effectively control the [bulk electric system] cyber system or protected cyber asset," the order said. FERC also noted that the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team identified firewalls as the first line of defense within an industrial control system network.

FERC therefore gave NERC 24 months from the effective date of the order to propose modifications to the standards to include EACMS associated with medium- and high-impact jurisdictional cyber systems.

The commission also noted that NERC has committed to examining the risks that may exist for physical access control systems and protected cyber assets.