The Federal Energy Regulatory Commission has ordered the North American Electric Reliability Corp. to develop a new or modified reliability standard for industrial control system hardware, software, and computing and networking services associated with bulk-electric system operations.

The FERC order observes that “changes in the bulk electric system cyber threat landscape, exemplified by recent malware campaigns targeting supply chain vendors, have highlighted a gap in the Critical Infrastructure Protection (CIP) Reliability Standards.” The new standard it has ordered the NERC to develop is intended to mitigate the risk of a cybersecurity incident affecting the reliable operation of the bulk-power system.

FERC’s action is in response to a cyberattack in Ukraine last winter on three regional electricity-distribution companies, an attack that caused alarm in many western countries and has led to efforts to protect industrial control systems from the threat of future attacks. In the late afternoon of Dec. 23, 2015, some 225,000 customers in Ukraine lost power for about three hours. Subsequent investigation found that remote cyber intrusions were responsible for the outages. At the conclusion of the cyberattack, the actor wiped some systems at all three companies by executing the KillDisk malware.

Security objectives of the reliability standard are aimed at addressing supply-chain risk. The “supply chain” refers to the sequence of processes involved in the production and distribution of industrial control system hardware, software and services, among other things. The objectives include software integrity and authenticity, vendor remote access, information system planning and vendor risk management and procurement controls.

In the comments on the Notice of Proposed Rulemaking preceding this FERC order, NERC acknowledged that “supply chains for information and communications technology and industrial control systems present significant risks to [Bulk-Power System] security, providing various opportunities for adversaries to initiate cyberattacks.”

FERC’s order was published in the Federal Register on July 29 and will take effect 60 days later. It gives the North American Electric Reliability Corp. one year to develop the new or revised standard. NERC normally develops its standards internally with stakeholder input.
