- Federal regulators have directed the North American Electric Reliability Corp. (NERC) to develop an improved cybersecurity protocol to protect the nation's electric grid, calling for a supply chain risk management standard that protects both information systems and related bulk electric system assets, Smart Grid News reports.
- The Federal Energy Regulator Commission directed NERC to develop a "forward-looking, objective-based" reliability standard that requires security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations.
- Also, FERC is considering changing Critical Infrastructure Protection (CIP) standards regarding the protection of control centers that are used to monitor and control the bulk electric system in real-time, and has issued a Notice of Inquiry.
FERC is calling for improved cybersecurity across all parts of the grid, but rather than a uniform approach, is instead directing transmission owners to develop plans specific to their own needs.
"There is no requirement for any specific controls, nor does FERC require any 'one-size-fits-all' requirements," the agency said in an announcement. But the standard should four aspects: software integrity and authenticity; vendor remote access; information system planning; and vendor risk management and procurement controls.
"The new or modified Reliability Standard should instead require responsible entities to develop a plan to meet the four objectives while providing flexibility to responsible entities as to how to meet those objectives," FERC said.
The final rule will be publiushed in the Federal Register and go into effect 60 days after.
FERC is also taking comments on plans to modify CIP standards regarding the protection of control centers that are used to monitor and control the bulk electric system in real-time. The agency pointed to the 2015 cyberattack in Ukraine, and the resulting blackout, as "an example of how cyber systems used to operate and maintain interconnected networks more efficiently can have the unintended effect of creating cyber vulnerabilities."
FERC said it is seeking comment on possible modifications to address separation between the internet and the cyber systems in control centers that perform transmission operator functions, and computer administration practices that prevent unauthorized programs from running.
A simulated attack on the North American electric grid last year showed the power industry had made progress in protecting the system, but NERC also issued a report calling for improvements in communications, including upgrading the Electricity Information Sharing and Analysis Center portal and enhancing coordination with law enforcement.