The Federal Energy Regulatory Commission (FERC) has approved supply chain risk management reliability standards to address bulk electric systems (BES) security, which were proposed by the North American Electric Reliability Corporation (NERC) last December.
The three Critical Infrastructure Protection (CIP) supply chain standards include the CIP-013-2 (Cyber Security – Supply Chain Risk Management), CIP-005-7 (Cyber Security – Electronic Security Perimeter(s)), and the CIP-010-4 (Cyber Security – Configuration Change Management and Vulnerability Assessments).
Approvals were granted after the Commission found that the requirements are forward-looking and objective-based, and that they require each affected entity to develop and implement a plan that includes security controls for supply chain management of industrial control system hardware, software, and services.
“Pursuant to section 215(d)(2) of the FPA, we approve Reliability Standards CIP-013-2, CIP-005-7 and CIP-010-4, their associated implementation plan, violation risk factors and violation severity levels,” wrote Kimberly D. Bose, secretary of the Commission. “We determine that the proposed Reliability Standards satisfy the directive in Order No. 850 to modify these Reliability Standards to include EACMS as applicable systems. The proposed Reliability Standards also address the Commission’s concern that the exclusion of PACS may leave a gap in the supply chain risk management Reliability Standards,” she added.
Electronic Access Control or Monitoring Systems (EACMS) are the cyber assets that perform electronic access control or electronic access monitoring of the electronic security perimeter(s) or the BES cyber systems, including intermediate systems. Physical Access Control Systems (PACS) are the cyber assets that control, alert, or log access to the physical security perimeter(s), excluding locally mounted hardware or devices at the physical security perimeter such as motion sensors, electronic lock control mechanisms, and badge readers.
The proposed reliability standard CIP-013-2 brings a significant change, as it requires responsible entities to consider and address cybersecurity risks from vendor products or services when planning the procurement of BES cyber systems, as well as of EACMS and PACS. To comply with the revised Reliability Standards, entities registered with NERC and subject to the Reliability Standards will have to adapt their engineering design and procurement of BES cyber systems, EACMS, PACS, and PCAs (Protected Cyber Assets).
NERC had petitioned the Commission for approval of the proposed Reliability Standards because supply chain cybersecurity continues to be an area of focus for NERC, energy industry stakeholders, and government regulatory and security agencies. These reliability standards follow up on Order No. 850, issued in October 2018, which approved the prior versions of each standard, the versions currently in effect.
NERC also sought approval of the associated implementation plan, violation risk factors, and violation severity levels, along with the retirement of the currently effective Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3.
NERC filed the Supply Chain Report with the Commission; the report recommended revising the Supply Chain Standards to address EACMS that provide electronic access control (excluding monitoring and logging) to high- and medium-impact BES cyber systems. It also recommended revising the Supply Chain Standards to address PACS that provide physical access control (excluding alarming and logging) to high- and medium-impact BES cyber systems.
Last week, the U.S. Government Accountability Office (GAO) released findings that the electric grid’s distribution systems are increasingly at risk from cyberattacks. While a cyberattack on distribution systems may be less significant than one on the bulk power system, the impact of such an attack could still include outages of national significance, the agency pointed out.
Unless the Department of Energy (DOE) addresses risks to the grid’s distribution systems in its updated plans, federal support intended to help states and industries improve distribution systems’ cybersecurity will likely not be effectively prioritized.
GAO recommended that the DOE address risks to the grid’s distribution systems from cyberattacks, including their potential impact, in its plans to implement the national cybersecurity strategy, and the energy agency agreed with the recommendation.
The industry remains hopeful that the energy sector will do the right thing, as it is part of the nation’s critical infrastructure. The inclusion of any cybersecurity control in the industrial network, or in the value chain in general, should not affect the ultra-high availability required for service delivery, wrote Fernando Guerrero B, OT Security Expert at Airbus Cybersecurity, in a company blog post.
When generating, updating, and protecting the infrastructure, each element must have the technical specifications that guarantee operation (availability), confidentiality, and integrity, since any delay in the transmission of information can result in failures in the power system (given the real-time nature of power systems), he added.