Utilities and others cautioned FERC that vendors providing hardware and software equipment and services are part of a global supply network that is subject to best practices on security and grid reliability, and that business relationships that utilities and independent system operators have with suppliers are not covered under FERC’s authority on reliability.
The comments filed Sept. 21 are in response to FERC’s proposed rule to have NERC develop reliability standards on supply chain management (FERC Docket No. RM15-14).
When it approved the draft notice of proposed rulemaking (NOPR) in July, FERC said supply chain management is a point of vulnerability because recent malware campaigns targeting vendors rely on injecting malware while a product or service is still under the control of the hardware or software vendor, before it is delivered to the customer. Where that customer is a utility or ISO, FERC reasoned, the supply chain presents a reliability gap that needs to be addressed.
A collection of industry trade groups did not agree that a gap exists. While cybersecurity is a high priority and power grid technologies are evolving, supply chain management is not something that should be subject to mandatory reliability standards, according to joint comments filed by the Edison Electric Institute (EEI), the American Public Power Association, the National Rural Electric Cooperative Association, the Electric Power Supply Association, the Electricity Consumers Resource Council, the Transmission Access Policy Study Group and the Large Public Power Council (trade associations).
In early September, EEI’s board approved a set of principles for managing supply chain cybersecurity risk to facilitate discussion among utilities and their vendors, and NERC could also develop supply chain guidelines rather than mandatory standards, the trade associations said.
Agreements and contracts with third-party suppliers involve complex systems and sensitive technical issues that make it inappropriate to prescribe details on the procurement, testing and operation of such systems, the trade groups said. Under section 215 of the Federal Power Act, which lays out FERC’s reliability oversight, the commission has no direct oversight of third-party suppliers or vendors, and indirectly asserting authority over them through jurisdictional entities would set “a troubling precedent,” the trade associations claimed.
Similar concerns were raised by the ISO/RTO Council. Unlike other reliability risks and cybersecurity issues that are uniquely faced by the power sector, information technology supply chain risks are broad and ubiquitous, involving multiple vendors, commercial off-the-shelf software and computer hardware used by many industries, the ISO/RTO Council said.
ISOs and RTOs have worked hard to mitigate reliability risks through their vendor procurement efforts in contracting with hardware and software firms, and FERC should let the industry work out such measures on its own instead of through the NOPR, the council said.
Both the ISO/RTO Council and the trade associations – as well as NERC – said FERC should hold a technical conference or some type of gathering before issuing a final rule in the proceeding, which would allow jurisdictional companies, third-party suppliers and others to discuss a broad range of policy and technical issues.
NERC did not directly oppose a final rule on supply chain management, but it told FERC that developing a reliability standard consistent with FPA Section 215 poses a significant challenge.
Imposing a reliability standard on registered entities covering their supply chain risks would mean NERC would have to analyze those risks without imposing an undue burden, NERC said.
“To that end, NERC should review what entities are currently doing to mitigate supply chain risks, understand how to account for those activities in a mandatory standard, and examine how to leverage existing supply chain management and procurement guidelines,” it said.
NERC said FERC should provide two years for standard development in this area, which would be used to engage in such analysis, education and outreach efforts.
Several comments on the NOPR generally supported the other areas of the proposed rule where FERC sought to approve seven revised critical infrastructure protection (CIP) reliability standards that were submitted by NERC in February. The standards are designed to mitigate the cybersecurity risks to bulk electric system facilities and equipment.
The trade associations encouraged FERC to issue a final rule approving the standards, without modification, by Dec. 31.
Those standards are CIP-003-6 pertaining to security management controls; CIP-004-6 pertaining to personnel and training; CIP-006-6 pertaining to physical security of bulk electric system cyber systems; CIP-007-6 pertaining to systems security management; CIP-009-6 pertaining to recovery plans for bulk electric system cyber systems; CIP-010-2 pertaining to configuration change management and vulnerability assessments; and CIP-011-2 pertaining to information protection.
For instance, on CIP-006-6, where FERC asked whether NERC should modify the standard to protect communication network components and data communicated between all bulk electric system (BES) control centers, the trade associations said the protections should cover only control centers with a high or medium impact on BES operations. That would be consistent with NERC’s risk-based standards process, in which a lower risk to reliability does not warrant the same protections as medium and higher risks, the groups said.