“But that’s not enough: To maintain energy security, one needs a supply system that provides a buffer against shocks. It needs large, flexible markets. And it’s important to acknowledge the fact that the entire energy supply chain needs to be protected.” —Daniel Yergin
The electricity industry faces significant risks to its operations via an exposed supply chain—potentially resulting in embedded access and future control by U.S. enemies enabled by compromised equipment.
As a result, FERC issued Order No. 829 that directs NERC to develop a standard “to require each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations.”
On Nov. 18, 2016, NERC completed collecting comments on its proposed Critical Infrastructure Protection (CIP) regarding supply chain security. As the comments are being reviewed and incorporated into a new reliability standard, industry participants should be ready to comply. This article describes what key actors in the electricity industry can do to protect their supply chains and mitigate elevated operational risks.
Software Integrity and Authenticity
FERC Order No. 829 calls for software integrity and authenticity. For industry participants, authenticity requires confirmation before installation that the software and patches are not counterfeit, but come from the actual software publisher and that controls are in place to confirm source. Integrity comes from establishing processes used to source, create and deliver software components to ensure that the software is not modified between production at the vendor and installation by the customer. The third leg of authenticity and integrity is security, ensuring that the software design, development and testing addresses and incorporates protections against security threats in the first place. Such controls require a close working relationship with the software provider and verification protocols along with contractual requirements for vendors and their subcontractors to comply with supply chain risk management practices.
Vendor Remote Access
Remote access proliferates in today’s high-tech, Internet world and makes us more productive. Such remote access, however, also increases access to and control of critical infrastructure systems. The second objective in FERC Order No. 829 requires market participants to control remote access.
Protocols tied to protections against third-party initiated remote access are required for both user-initiated and machine-to-machine vendor remote access. In light of the Ukraine experience, where remote access allowed for an adverse party to gain control of a generator’s operations via personal computers, reliability controls must include a means of disabling remote access sessions.
Although pulling the plug may be the natural response in an analog world, more sophisticated digital intervention is required to quickly disengage unauthorized access via the Internet or other entrance.
Information System Planning
Most businesses today consider their information systems critical to operations, but fail to fully understand the risks to those systems. Given the rate of change in technology, increase in online malfeasance and difficulty assessing risk versus return on investment, it can be difficult to stay ahead of operational threats; planning tends to focus on business functionality versus security.
As a result, FERC Order No. 829 requires NERC to develop or expand an existing reliability requirement to motivate companies to identify and document risks for consideration in information system planning. To do this, the CIP manager, or delegate, can perform a security audit of the company’s systems, compare system processes, protocols and access rules to best practices, and institute risk mitigation measures as part of their system planning and investments.
Vendor Risk Management and Procurement Controls
The fourth area explicitly addressed in FERC Order No. 829 includes developing requirements for contractual provisions and verification of vendor compliance for supply chain cyber security risk management of industrial control system hardware, software, and computing and networking services.
Contractual requirements include: notifications of security events by vendor, access termination procedures, product/services vulnerability disclosures, incident response procedures and coordination, and other security measures with the objective of mitigating risks of a cybersecurity incident to the reliable operation of the bulk power system.
The supply chain serving the bulk power system is multi-faceted and composed of many participants and potential entry points. As a result, supply chain risk management has been highlighted by federal regulators as a critical aspect of grid operations that requires bolstered CIP standards. NERC currently is reviewing comments in response to its proposed approach to implementing FERC Order No. 829, a review that is likely the start of many efforts to harden the bulk power system against supply chain risks. The industry increasingly is recognizing that the supply chain presents a weakness to the security of the grid, a weakness that can enable an attack from the inside out by virtual land mines purposefully placed in our information systems and equipment by adverse actors. As the industry, regulators and government look to ensure the reliability of the grid, expect more focus on strengthening the security of the supply chain against virtual bullets.
About the author: Tanya Bodell is the Executive Director of Energyzt, a global collaboration of energy experts who create value for investors in energy through actionable insights. Visit www.energyzt.com. She can be reached at: firstname.lastname@example.org or 617-416-0651.
The author would like to thank the members of the 2016 Public-Private Analytical Exchange Program for their work protecting the electricity supply chain and Joyce Corell at the Office of the Director of National Intelligence for her leadership.