Nerc

  1. What you can do to decrease operational risk part II: Securing your supply chain

    “But that's not enough: To maintain energy security, one needs a supply system that provides a buffer against shocks. It needs large, flexible markets. And it's important to acknowledge the fact that the entire energy supply chain needs to be protected.” —Daniel Yergin

    The electricity industry faces significant risks to its operations via an exposed supply chain—potentially resulting in embedded access and future control by U.S. enemies enabled by compromised equipment. As a result, FERC issued Order No. 829 that directs NERC to develop a standard “to require each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations.”

    On Nov. 18, 2016, NERC completed collecting comments on its proposed Critical Infrastructure Protection (CIP) standard regarding supply chain security. As the comments are being reviewed and incorporated into a new reliability standard, industry participants should be ready to comply. This article describes what key actors in the electricity industry can do to protect their supply chains and mitigate elevated operational risks.

    Software Integrity and Authenticity

    FERC Order No. 829 calls for software integrity and authenticity. For industry participants, authenticity requires confirmation before installation that the software and patches are not counterfeit, but come from the actual software publisher, and that controls are in place to confirm the source. Integrity comes from establishing processes used to source, create and deliver software components to ensure that the software is not modified between production at the vendor and installation by the customer. The third leg of authenticity and integrity is security, ensuring that the software design, development and testing address and incorporate protections against security threats in the first place.

    Such controls require a close working relationship with the software provider and verification protocols, along with contractual requirements for vendors and their subcontractors to comply with supply chain risk management practices.

    Vendor Remote Access

    Remote access proliferates in today’s high-tech, Internet world and makes us more productive. Such remote access, however, also increases access to and control of critical infrastructure systems. The second objective in FERC Order No. 829 requires market participants to control remote access. Protocols tied to protections against third-party initiated remote access are required for both user-initiated and machine-to-machine vendor remote access.

    In light of the Ukraine experience, where remote access allowed for an adverse party to gain control of a generator’s operations via personal computers, reliability controls must include a means of disabling remote access sessions. Although pulling the plug may be the natural response in an analog world, more sophisticated digital intervention is required to quickly disengage unauthorized access via the Internet or other entrance.

    Information System Planning

    Most businesses today consider their information systems critical to operations, but fail to fully understand the risks to those systems. Given the rate of change in technology, increase in online malfeasance and difficulty assessing risk versus return on investment, it can be difficult to stay ahead of operational threats; planning tends to focus on business functionality versus security. As a result, FERC Order No. 829 requires NERC to develop or expand an existing reliability requirement to motivate companies to identify and document risks for consideration in information system planning.

    To do this, the CIP manager, or delegate, can perform a security audit of the company’s systems, compare system processes, protocols and access rules to best practices, and institute risk mitigation measures as part of their system planning and investments.

    Vendor Risk Management and Procurement Controls

    The fourth area explicitly addressed in FERC Order No. 829 includes developing requirements for contractual provisions and verification of vendor compliance for supply chain cyber security risk management of industrial control system hardware, software, and computing and networking services. Contractual requirements include: notifications of security events by vendor, access termination procedures, product/services vulnerability disclosures, incident response procedures and coordination, and other security measures with the objective of mitigating risks of a cybersecurity incident to the reliable operation of the bulk power system.

    “Bullet” Proofing

    The supply chain serving the bulk power system is multi-faceted and composed of many participants and potential entry points. As a result, supply chain risk management has been highlighted by federal regulators as a critical aspect of grid operations that requires bolstered CIP standards. NERC currently is reviewing comments in response to its proposed approach to implementing FERC Order No. 829, a review that is likely the start of many efforts to harden the bulk power system against supply chain risks.

    The industry increasingly is recognizing that the supply chain presents a weakness to the security of the grid, a weakness that can enable an attack from the inside out by virtual land mines purposefully placed in our information systems and equipment by adverse actors. As the industry, regulators and government look to ensure the reliability of the grid, expect more focus on strengthening the security of the supply chain against virtual bullets.

    About the author: Tanya Bodell is the Executive Director of Energyzt, a global collaboration of energy experts who create value for investors in energy through actionable insights. Visit www.energyzt.com. She can be reached at: tanya.bodell@energyzt.com or 617-416-0651. The author would like to thank the members of the 2016 Public-Private Analytical Exchange Program for their work protecting the electricity supply chain and Joyce Corell at the Office of the Director of National Intelligence for her leadership.

    Online Articles

    Wed, 23 Nov 2016

  2. Stored energy solutions

    Power management: EnerSys expands line of backup power solutions with PowerSafe OGi batteries.

    Online Articles

    Tue, 22 Nov 2016

  3. NERC sees improved electric reliability in 2015

    Key recommendations in the report for NERC and the power industry to focus on in the coming years are enhanced monitoring of the changing generation mix 

    Online Articles

    Wed, 18 May 2016

  4. NERC: Frequency support, power plant ramping essential to reliability

    All resources should support frequency and voltage, NERC says

    Online Articles

    Wed, 30 Dec 2015

  1. Clean Power Plan reliability measures will continue, says NERC

    Online Articles

    Wed, 17 Feb 2016

  2. FERC, NERC staff report identifies beneficial practices for power grid restoration and recovery

    System restoration and recovery plans maintained by nine utilities with regional bulk power grid responsibilities are thorough and highly detailed, finds a new report by staff at the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corp. (NERC).

    Online Articles

    Mon, 1 Feb 2016

  3. Embracing NERC PRC-005-2 Compliance

    NERC PRC-005-2, the new standard developed by the North American Electric Reliability Corporation (NERC) for bulk power systems, went into effect last year. Here is a look at what makes this standard so unique and some tips on how best to comply.

    Online Articles

    Fri, 30 Jan 2015

  4. FERC approves revised reliability standard proposed by NERC for reclosing relays

    FERC directs that NERC develop a modification to the reliability standard to include maintenance and testing of supervisory relays

    Online Articles

    Mon, 26 Jan 2015

  5. Power News: Belden, Tripwire announce NERC CIP strategy

    Belden and Tripwire announce a market-leading NERC CIP compliance and cyber security strategy for power transmission and distribution organizations

    Online Articles

    Wed, 6 May 2015

  6. FERC approves NERC's risk-based approach to electric reliability compliance

    According to NERC, the reliability assurance initiative approach to compliance focuses resources on higher-risk issues that matter more to reliability, while still identifying, correcting and tracking lesser-risk issues

    Online Articles

    Thu, 26 Feb 2015

  7. NERC CIP Report Showcase

    An extensive view of the Industrial Defender ASM™ that automates the mandatory collection of data and artifacts to fulfill the NERC CIP v5 rules and regulations. This guide summarizes key features and reports that will help you target audit success. Download this guide to view: Customizable ...

    White Paper

    Wed, 14 Oct 2015

  8. Utility safety: NERC CIP Version 5 webinar series to prepare utilities for full compliance

    Safety products / power infrastructure: ABB launches NERC CIP Version 5 webinar series to prepare utilities for full compliance. Free, interactive, eight-part webinar series to help utilities with upcoming preparation, planning and submissions for mandatory compliance with NERC’s Critical ...

    Online Articles

    Mon, 6 Oct 2014
