On July 21, 2016, in Order No. 829, FERC directed the North American Electric Reliability Corporation (“NERC”) to develop a new or modified Critical Infrastructure Protection (“CIP”) Reliability Standard that addresses supply chain risk management for industrial control system hardware, software, and computing and networking services associated with Bulk Electric System operations. FERC directed NERC to submit the new or modified Reliability Standard within one year of the effective date of the order, which is 60 days after the order’s publication in the Federal Register.
Order No. 829 is the final rule in a proceeding initiated by FERC’s July 16, 2015 Notice of Proposed Rulemaking (“NOPR”) in which FERC described a number of recent malware campaigns targeting electric industry supply chain vendors, and expressed its belief that such attacks evidenced a “gap” in the CIP Reliability Standards (see July 20, 2015 edition of the WER). In order to address this gap, FERC proposed to direct NERC to develop a “forward-looking” and “objective-driven” Reliability Standard that provides security controls for supply chain management for industrial control system hardware, software, and services associated with Bulk Electric System operations.
In Order No. 829, FERC specified that the new or modified Reliability Standard should address four security objectives: (1) software integrity and authenticity; (2) vendor remote access; (3) information system planning; and (4) vendor risk management and procurement controls. FERC clarified that it was not requiring NERC to develop a Reliability Standard that imposes any specific controls, nor one that requires a “one-size-fits-all” approach to compliance, but rather a Reliability Standard that affords NERC-registered entities flexibility in meeting these four objectives. FERC emphasized that this flexibility “should account for, among other things, differences in the needs and characteristics of responsible entities and the diversity of [Bulk Electric System] Cyber System environments, technologies and risks.”
FERC dismissed arguments raised by protestors that it lacks authority under Section 215 of the Federal Power Act to direct NERC to develop a Reliability Standard related to supply-chain management risks, explaining that its directive to close an identified gap in the CIP Reliability Standards constituted “cybersecurity protection,” which fell squarely within the statutory definition of the term “Reliability Standard,” as defined in Section 215. FERC also emphasized that the Reliability Standard developed by NERC would respect Section 215’s jurisdictional limitations by only imposing obligations on NERC-registered entities, and would not directly impose obligations on suppliers, vendors or other entities that provide products or services to NERC-registered entities.
In a separate dissent, Commissioner LaFleur noted that the four security objectives identified in Order No. 829 were not identified in the July 16, 2015 NOPR, and observed that “no party has yet had an opportunity to comment on those objectives or consider how they could be translated into an effective and enforceable standard.” Commissioner LaFleur expressed her view that, in light of the importance and complexity of the issues examined, FERC should not have proceeded directly to a final rule, but should instead have issued a supplemental NOPR to “provide NERC, industry, and stakeholders the opportunity to comment on [FERC’s] proposed directives.”
Order No. 829 is available here.