On July 16, 2015, the Commission issued a Notice of Proposed Rulemaking (“NOPR”) in which it proposed, among other things, to direct the North American Electric Reliability Corporation (“NERC”) to develop a new or modified Reliability Standard to provide security controls for supply chain management of industrial control system hardware, software, and computing and networking services associated with bulk electric system operations. Comments are due 60 days after publication of the NOPR in the Federal Register.
In the NOPR, the Commission acknowledged that while a global and diversified supply chain for industrial control system hardware, software, and computing and networking services provides many benefits, it “also enables opportunities for adversaries to directly or indirectly affect the management or operations of companies that may result in risks to the end user.” The Commission identified these “risks” as including the insertion into the supply chain of counterfeits or malicious software, unauthorized production, tampering, theft, as well as poor manufacturing and development practices.
In support of its risk assessment, the Commission cited a 2014 report issued by the Industrial Control Systems Cyber Emergency Response Team (“ICS-CERT”)—a division of the Department of Homeland Security—that identified two supply chain-focused malware campaigns in April and December of 2014 that utilized the Havex Trojan and BlackEnergy malware to infect the products of industrial control systems vendors. The Commission stated that “this new type of malware campaign is based on the injection of malware while a product or service remains in the control of the hardware or software vendor, prior to delivery to the customer.” In other words, the compromise occurs upstream of the registered entity, so that a product arrives already infected even though the entity’s own acquisition and installation controls were followed.
To address these risks, the Commission proposed to direct NERC to develop a new or modified Reliability Standard. Specifically, the Commission stated that the overall goal of such an undertaking should be “to create a forward-looking, objective-driven standard that encompasses activities in the system development life cycle.” The Commission identified this life cycle as stretching from the product research and development, design, and manufacturing stages (where applicable), through the acquisition, delivery, integration, operations, and retirement stages, to the eventual disposal of the registered entity’s information and communications technology and industrial control system supply chain equipment and services.
Lastly, in recognition of the “broadness of the topic” and the “individualized nature of many aspects of supply chain management,” the Commission listed a number of parameters that the Reliability Standard should conform to. Specifically, the Commission stated that the eventual Reliability Standard developed by NERC would:
- only address the obligations of registered entities, and not directly impose obligations on suppliers, vendors or other entities that provide products or services to NERC-registered entities;
- not dictate the abrogation or re-negotiation of currently-effective contracts with vendors, suppliers, or other entities;
- recognize the individualized nature of many aspects of supply chain management by setting goals, while allowing flexibility in how a registered entity subject to the standard achieves that goal;
- possibly allow for exceptions, e.g., to meet safety requirements and fill operational gaps if no secure products are available; and
- provide enough specificity so that compliance obligations are clear and enforceable.
In addition to the supply chain management proposal described above, the Commission in the July 16, 2015 NOPR also proposed to approve seven CIP Version 5 Reliability Standards, and to direct NERC to make modifications to CIP-006-6 (Physical Security of BES Cyber Systems).
Comments are due 60 days after publication in the Federal Register. A copy of the July 16, 2015 NOPR may be found here.