The Federal Energy Regulatory Commission (“FERC”) released a final rule approving three new Critical Infrastructure Protection (“CIP”) standards which address supply chain risk management for bulk electric systems (“BES”) operations. The new standards were developed by the North American Electric Reliability Corporation (“NERC”) in response to FERC Order No. 829, which directed NERC to create new CIP standards to address risks associated with the supply chain for grid-related cyber systems. The final rule will take effect sixty days after it is published in the Federal Register. The new standards must be implemented in eighteen months. More details regarding the new CIP standards, which may be of interest to entities that develop, implement, or maintain hardware or software for industrial control systems associated with bulk electric systems (“BES”), are provided below.
The three new CIP standards require responsible entities (such as distribution providers, generator owners and operators, and transmission owners and operators) to develop and implement security controls for industrial control system hardware, software, and services associated with BES operations. FERC noted that these new standards respond to supply chain risks, including the insertion of counterfeit or malicious software, unauthorized production, tampering, and theft.
Specifically, the new CIP standards will impose the following high-level requirements:
- Cyber Security – Supply Chain Risk Management: According to FERC, this standard “does not require any specific controls or mandate ‘one-size-fits-all’ requirements.” Instead, this standard requires the development of a documented supply chain cyber security risk management plan for higher-risk covered systems that addresses, as applicable, six “baseline” security concepts:
- Vendor security event notification;
- Coordinated incident response;
- Vendor personnel termination notification;
- Product/services vulnerability disclosures;
- Verification of software integrity and authenticity; and
- Coordination of vendor remote access controls.
- Cyber Security – Electronic Security Perimeter(s): This standard will include two new requirements for identifying active vendor remote access sessions and having method(s) for disabling active vendor remote access sessions.
- Cyber Security – Configuration Change Management and Vulnerability Assessments: Finally, this standard requires responsible entities to verify the “identity of the software source and the integrity of the software obtained from the software source” prior to any installing software that changes established baseline configurations, “when methods are available to do so.” According to NERC, these requirements could help reduce the risk that an attacker could “exploit legitimate vendor patch management processes to deliver compromised software updates or patches to a [covered system].”
FERC directed NERC to develop modifications that will include Electronic Access Control and Monitoring Systems (“EACMS”) in the scope of the standards within twenty-four months. EACMS include firewalls, authentication servers, security event monitoring systems, intrusion detection systems, and alerting systems.