The Federal Energy Regulatory Commission (“FERC”) released a final rule approving three new Critical Infrastructure Protection (“CIP”) standards which address supply chain risk management for bulk electric systems (“BES”) operations.  The new standards were developed by the North American Electric Reliability Corporation (“NERC”) in response to FERC Order No. 829, which directed NERC to create new CIP standards to address risks associated with the supply chain for grid-related cyber systems.  The final rule will take effect sixty days after it is published in the Federal Register.  The new standards must be implemented in eighteen months.  More details regarding the new CIP standards, which may be of interest to entities that develop, implement, or maintain hardware or software for industrial control systems associated with bulk electric systems (“BES”), are provided below.

The three new CIP standards require responsible entities (such as distribution providers, generator owners and operators, and transmission owners and operators) to develop and implement security controls for industrial control system hardware, software, and services associated with BES operations.  FERC noted that these new standards respond to supply chain risks, including the insertion of counterfeit or malicious software, unauthorized production, tampering, and theft.

Specifically, the new CIP standards will impose the following high-level requirements:

  • Cyber Security – Supply Chain Risk Management: According to FERC, this standard “does not require any specific controls or mandate ‘one-size-fits-all’ requirements.” Instead, this standard requires the development of a documented supply chain cyber security risk management plan for higher-risk covered systems that addresses, as applicable, six “baseline” security concepts:
    • Vendor security event notification;
    • Coordinated incident response;
    • Vendor personnel termination notification;
    • Product/services vulnerability disclosures;
    • Verification of software integrity and authenticity; and
    • Coordination of vendor remote access controls.
  • Cyber Security – Electronic Security Perimeter(s): This standard will include two new requirements for identifying active vendor remote access sessions and having method(s) for disabling active vendor remote access sessions.
  • Cyber Security – Configuration Change Management and Vulnerability Assessments: Finally, this standard requires responsible entities to verify the “identity of the software source and the integrity of the software obtained from the software source” prior to any installing software that changes established baseline configurations, “when methods are available to do so.”  According to NERC, these requirements could help reduce the risk that an attacker could “exploit legitimate vendor patch management processes to deliver compromised software updates or patches to a [covered system].”

FERC directed NERC to develop modifications that will include Electronic Access Control and Monitoring Systems (“EACMS”) in the scope of the standards within twenty-four months.  EACMS include firewalls, authentication servers, security event monitoring systems, intrusion detection systems, and alerting systems.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting…

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.