- The North American Electric Reliability Corp. (NERC) published its annual report Feb. 7, outlining how the organization will continue to ensure reliability of the bulk power system, including through a focus on combating cybersecurity threats and other physical disruptions.
- NERC officials say they are concentrating on expanding voluntary information sharing through the Electricity Information Sharing and Analysis Center and the Cybersecurity Risk Information Sharing Program, and are considering new rules to shore up potential vulnerabilities in utility supply chains.
- NERC has also launched a task force to identify reliability concerns associated with electromagnetic pulses (EMPs), and to collaborate with government agencies and the utility sector.
Experts say electric utilities are generally prepared and well-defended against cyber threats, but as the grid embraces distributed resources and connected devices, the risk has shifted to ancillary stakeholders.
"A weak link is all the vendors that support the utility," Alex Santos, CEO of Fortress Information Security, told Utility Dive. "Because those vendors are not as well-defended, adversaries are moving in that direction."
That means hackers are increasingly looking at industrial control systems (ICS) and communications technology, which have become integral to modern grid operations. And among distribution systems, transmission networks and generation, Santos said transmission presents the greatest potential for disruption by an attacker.
"Typically, transmission is riskiest in that it has the most connections to the grid, or control over the grid," Santos said.
Recognizing the threat, NERC, in its annual report, noted work it is doing to help utilities secure supply chains for information and communications technology as well as ICS equipment.
NERC already has critical infrastructure protection (CIP) standards aimed at vendors, which require entities possessing medium- and high-impact cyber systems to ensure supply chain risks are being managed through the procurement process. Now, the organization says it is considering supply chain risks associated with "certain categories of assets not currently subject to the Supply Chain Standards."
Last year, the NERC Board of Trustees accepted a Cyber Security Supply Chain Risks report, which concluded that supply chain CIP standards should be modified to include electronic and physical access controls for medium- and high-impact bulk electric system cyber systems.
NERC "is working with stakeholders to review the recommendations and determine follow-up actions in order to continue to protect the grid from supply chain risks," according to the annual report.
The report also notes NERC has "launched efforts to identify reliability concerns associated with electromagnetic pulses."
President Donald Trump in 2019 signed an executive order designed to address the EMP threat by requiring government-wide policies to strengthen critical infrastructure and improve national response plans.
NERC has formed an EMP task force which it says "collaborates with governmental authorities and applicable industry members to provide front-end, high-level leadership; recommendations; and guidance to the Board on next steps based on current research."
EMPs have for years been recognized by the utility sector as a potential threat, but there is no simple fix, as the pulses could result from a natural event, such as a large solar flare, or from a malicious attack potentially linked to the detonation of a nuclear device overhead.