The Federal Energy Regulatory Commission (FERC) in October approved new mandatory reliability standards to bolster supply chain risk management protections for the bulk electric system of the United States.
The North American Electric Reliability Corporation (NERC) proposed the standards in response to FERC Order No. 829, which directed it to develop standards to address supply chain risk management for industrial control system hardware, software, and computing and networking services.
The Commission noted that while the global supply chain provides opportunity for significant benefits to customers, it also presents opportunities to affect management or operations of generation or transmission companies that may result in risks to end-users.
The supply chain risk management reliability standards are forward-looking and objective-based, requiring each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software and services associated with bulk electric system operations.
NERC has requested an 18-month implementation period, saying it was justified because longer time-horizon capital budgets and planning cycles may be necessary for the technical upgrades to meet the security objectives.
Smart Energy International spoke with Sharon Chand, the power and utilities leader for Deloitte Cyber Risk Services and a Principal in Deloitte & Touche about the standards and what they mean for utilities.
“FERC has recently approved the two standards as a requirement within the critical infrastructure protection regulation that NERC is responsible for. There are a series of changes which are now part of the regulation that are going to go into enforcement in July 2020,” Chand explains.
“Utilities therefore have 18 months to understand the requirements, understand the impact on their businesses and figure out how they are going to implement that programme ahead of the deadline.”
FERC had a couple of specific objectives which were focused around the management of the supply chain, namely management and validating that counterfeit components could not be inserted into elements of the regulated utilities supply chain, helping address concerns around insecure manufacturing practices and overall defence improvement specifically in light of the increased occurrence attacks which are targeting the supply chain.
Their objective is to identify and mitigate risks to the supply chain and ensure entities are able to:
1. Identify incidents and notify the utility that an incident has occurred.
2. Coordinate with the entity if an incident does occur.
3. Ensure integrity and authenticity of all the software and patches – this is important specifically for the utility industry. Often there is a reliance on the vendor to maintain and patch platforms – vendor will now need to validate that the patch comes from a verified source.
4. Communicate with vendor personnel when they no longer need access to utility systems.
5. Put a vulnerability identification process in place. Identify vulnerabilities that may be present and notify the utility.
6. Coordinate with the entity when a vendor requires remote access to the system. A lot of the responsibility lies with the vendor and this is an interesting element. Utilities are regulated by FERC and NERC and they purchase from vendors that are not regulated by these bodies; there is therefore a transitive impact on the vendor. Utilities will need to demonstrate compliance to all the requirements and put in place programmes to show that their vendors are adhering to the standards they need to. This applies across the large, multinational vendors of hardware right down to smaller software or component vendors.
Supply chain management is likely to become more and more of a focus in utility risk and vulnerability management strategies. The utility sector is not the only one to address this. Banking and other financial services have had the same types of regulations for the last 1015 years. Others such as medical devices or automotive have very advanced programmes around the management and monitoring of supply chains. This is new for utilities but this does mean there are opportunities to borrow best practice from other industries.
The critical infrastructure requirements have been in place since 2003 and the changes are in response to the evolution of the industry and are regularly amended and updated in order to keep pace with the threats and attacks which are being seen in the cybersecurity space. Supply chain risk – and thus extended enterprise risk – is growing as attacks through vendors increase across all industries. There have been some pretty public events which have spurred the regulatory interest, and this is making sure that there is some visibility as to how the industry is managing protection for these kinds of incidents.
Carrots and sticks
Enforcement fines of up to a $1 million per day per violation can be issued for non-compliance, and while the fines that have been issued have not been quite as high as that, “we have seen some pretty significant fines,” Chand confirms.
“Make no mistake, there are real financial penalties for non-compliance.”
The benefits in terms of risk mitigation and understanding where cyber risks are within a supply chain and extended enterprise risk are important. Being able to manage that is a real benefit for those involved too.
There are some synergies with supply chain benefits as well – these requirements are going to realistically mean that utilities will need to inventory all of their vendors, understand the service they are performing and the products they are delivering, examine all of their contractual language, update these to ensure compliance with requirements; and in the process of doing that, there ought to be synergies that can be realised that could come from a more programmatic approach.
Speaking about next steps, Chand highlights that utilities will need to consider the following three steps in order to be ready on time for the deadline:
1. Utilities will need to understand the full impact of their vendor universe, what existing contracts in place and their renewal dates. They will need to identify the internal sponsors for these.
For big utilities this could be a fairly significant effort, as they will need to work with the different procurement organisations and the various line managements who are responsible for procurement of equipment.
2. Next, they will need to consider what needs to be done to comply with the regulations. This is a collaborative effort between legal, IT and operational technology. They will need to define the governance elements of the regulation and the steps involved in ensuring they are compliant by July 2020.
3. This will then need to be implemented across the different contracts that are in place. As these come up for renewal, they will need to ensure the right language is in place across all the contracts. They will also need to determine communication and coordination channels with the vendors. This will likely impact on their technology asset management platforms so those will have to be designed, implemented and tested well before the July 2020 deadline. These are some of the high-level things that they need to get started on quickly.
Chand cautions though: “Do not confuse compliance with security. They are two separate circles with a little bit of overlap in between. These are good requirements that will help you with your security programme, but if you just do these things, you can be fully compliant with the regulations, and still have massive security risks. Utilities have to do this to be compliant, but they need to be thinking about what else they can be doing given their risk profiles and how they rely on vendors for their supply chain security.” SEI Note re the new regulations:
According to FERC: “It should be noted that significant cybersecurity risk remains because the standards exclude electronic access control and monitoring systems (EACMS). EACMS include firewalls, authentication servers, security event monitoring systems, intrusion detection systems and alerting systems. They control electronic access into electronic security perimeters and help protect high and medium impact bulk electric system (BES) cyber systems. Once an EACMS is compromised, an attacker could more easily control the BES cyber system or protected cyber asset.
To address that gap, FERC gave NERC 24 months to develop modifications that will include EACMS associated with medium and high impact BES Cyber Systems within the scope of the supply chain risk management Reliability Standards.”