NERC proposal targets cybersecurity risks in electric system supply chains

Original Post Source

Dive Brief:

  • The North American Electric Reliability Corporation has proposed new reliability standards aimed at shoring up the vendor supply chain that delivers software and critical updates to manage the country’s bulk electric supply (BES) system.
  • Specifically, the new standards require entities to develop and implement plans to address supply chain cybersecurity risks during the planning and procurement of bulk electric grid security systems.
  • The standards, filed with the Federal Energy Regulatory Commission, will address concerns that supply chains for information and communications technology and industrial control systems present risks to grid security, providing opportunities for cyberattacks.

Dive Insight:

NERC on Tuesday filed with federal regulators a petition stretching almost 3,500 pages, proposing new cybersecurity standards that aim to address the increasingly-sophisticated attacks on the nation’s bulk power system.

The new standards were proposed in response to FERC Order 829, issued last summer, directing NERC to up its security protocols. In that order, FERC concluded that supply chains for information and communications technology and industrial control systems present risks to BES security, providing various opportunities for adversaries to initiate cyberattacks.

“The targeting of vendors and software applications with potentially broad access to BES Cyber Systems marks a turning point in that it is no longer sufficient to focus protection strategies exclusively on post-acquisition activities at individual entities,” FERC found in Order 829.

The new standards aim to: reduce the likelihood that an attacker could exploit legitimate vendor patch management processes to deliver compromised software updates; address the risk that entities could unintentionally plan to procure and install unsecure equipment or software within their information systems; and address the risk that a compromised vendor would not provide adequate notice of security events and vulnerabilities.

Additionally, the standards will deal with vendor remote access-related threats, “including the threat that vendor credentials could be stolen and used to access a BES Cyber System,” as well as the threat that a compromise at a trusted vendor could traverse over an unmonitored connection.

Cybersecurity is an increasing focus of the electric utility industry.

Over the summer, United States officials said they were investigating multiple cyberattacks that unsuccessfully targeted nuclear generation sites earlier this year. The event was code named “Nuclear 17.” In May, cybersecurity firm Dragos issued a report concluding malware that was used in a 2015 cyberattack resulting in power outages in Ukraine could be modified by developers to target the United States.

Leave a Reply

Your email address will not be published. Required fields are marked *