FERC approves Reliability Standard CIP-003-9 covering supply chain risk management of low-impact BES cyber systems

The U.S. Federal Energy Regulatory Commission (FERC) has published an order approving Reliability Standard CIP-003-9, which the North American Electric Reliability Corporation (NERC) proposed in December 2022. The Commission also approved the associated implementation plan, the associated violation risk factors and violation severity levels, and the retirement of the currently effective Reliability Standard CIP-003-8 immediately prior to the effective date of CIP-003-9.

The revised standard adds requirements addressing supply chain risk management for assets containing low-impact bulk electric system (BES) cyber systems. The modifications respond to a NERC Board directive to study supply chain risks associated with low-impact BES cyber systems.

Reliability Standard CIP-003-8 will be retired, as FERC determined ‘that proposed Reliability Standard CIP-003-9 improves upon the currently effective Reliability Standard CIP-003-8 by adding new requirements focused on supply chain risk management for low impact bulk electric system (BES) Cyber Systems.’ NERC said it appreciates FERC’s focus on reliability matters and will continue to work toward assuring the reliability and security of the North American bulk power system.

“On December 6, 2022, NERC submitted a petition seeking approval of proposed Reliability Standard CIP-003-9. NERC also requested that the Commission approve the associated violation risk factors and violation severity levels, the proposed implementation plan, and the retirement of the currently effective Reliability Standard CIP-003-8 immediately prior to the effective date of the revised Reliability Standard,” Debbie-Anne A. Reese, deputy secretary of the FERC, wrote in the order issued Thursday. “NERC states that proposed Reliability Standard CIP-003-9 improves upon Commission approved Reliability Standard CIP-003-8 by adding new requirements that focus on supply chain risk management for low impact BES Cyber Systems and enhanced reliability controls that grant responsible entities additional visibility into threats.”

The FERC order noted that Reliability Standard CIP-003-9 would do so by requiring responsible entities to include the topic of ‘vendor electronic remote access security controls’ in their cyber security policies, requiring responsible entities with assets containing low impact BES Cyber Systems to have methods for determining and disabling vendor electronic remote access, and requiring those same entities to have methods for detecting malicious communications for vendor electronic remote access.

Reese also wrote in the order that the FERC approves the implementation plan. “We agree that the proposed implementation plan reflects consideration that there are a large number of low impact BES Cyber Systems and that responsible entities need time to procure and install equipment that may be subject to delays given high demand. Therefore, we find that the implementation plan strikes an appropriate balance between the urgency to implement Reliability Standard CIP-003-9, the high number of assets containing low impact BES Cyber Systems, and supply chain constraints for equipment necessary to implement the Reliability Standard.” 

Additionally, “we approve the associated violation risk factors and violation severity level assignments for Reliability Standard CIP-003-9,” Reese added. “Finally, we approve the retirement of the currently effective Commission-approved Reliability Standard CIP-003-8 immediately prior to the effective date of Reliability Standard CIP-003-9.”  

NERC explained that the proposed modifications stem from recommendations of the 2019 NERC Supply Chain Risk Assessment. Consistent with the findings of that assessment and the directives of the NERC Board, Reliability Standard CIP-003-9 requires responsible entities to include the topic of ‘vendor electronic remote access security controls’ in their cyber security policies and requires responsible entities with assets containing low impact BES Cyber Systems to have methods for determining and disabling vendor electronic remote access.

“NERC states that when the NERC Board adopted the initial supply chain Reliability Standards applicable to medium and high impact BES Cyber Systems in 2017, it concurrently directed further study of supply chain risks associated with low impact BES Cyber Systems,” according to the order. “Pursuant to that directive, NERC asserts that it identified supply chain risks affecting low impact BES Cyber Systems similar to those affecting medium and high impact BES Cyber Systems, such as the introduction of malicious code in the supply chain and remote access of vendors’ employees.” 

NERC stated that assets associated with low impact BES Cyber Systems pose a lower risk to the bulk electric system if compromised than assets associated with medium or high impact BES Cyber Systems, the FERC order read. “However, NERC observed that there is the potential for a greater impact if multiple low impact assets are simultaneously compromised through remote access or if a medium or high impact asset is accessed through a low impact asset.”

The 2019 NERC Supply Chain Risk Assessment reported that most low impact assets are contained in organizations with higher impact assets, although the low impact assets may not receive the same protections, particularly if the low impact assets use separate vendors.

The order added that the 2019 NERC Supply Chain Risk Assessment further stated that the risk of a coordinated attack on multiple low impact assets with remote electronic access connectivity could result in an event with an interconnection-wide impact on the bulk electric system. 

The 2019 NERC Supply Chain Risk Assessment recommended modifying the Critical Infrastructure Protection (CIP) Reliability Standards to apply supply chain risk management requirements to low impact BES Cyber Systems with remote access connectivity. Consistent with that recommendation, NERC proposed a new Requirement R1.2.6 that requires responsible entities to include the topic of ‘vendor electronic remote access security controls’ in their cyber security policies, and redesignated the previously effective Requirement R1.2.6 as Requirement R1.2.7.

The order said that NERC also proposed modifying Attachment 1, section 6 to require responsible entities with assets containing low impact BES Cyber Systems that have established vendor electronic remote access to have methods for determining and disabling that vendor electronic remote access, as well as one or more methods for detecting malicious communications for vendor electronic remote access.

NERC explained that the controls in Attachment 1, section 6 seek to limit an adversary’s ability to leverage trusted vendor access through supply chain vulnerabilities.

“Proposed section 6.1 requires responsible entities to have one or more method(s) for determining vendor electronic remote access. This determination provides visibility into vendor electronic remote access should any issues arise that need attention,” the order said. “Proposed section 6.2 requires responsible entities to have one or more methods for disabling vendor electronic remote access. Requiring responsible entities to have such a method is intended to prevent propagation of any further issues caused by vendor electronic remote access.”

Additionally, proposed section 6.3 requires responsible entities to have one or more methods to detect known or suspected inbound and outbound malicious communications for vendor electronic remote access. The control gives responsible entities additional visibility for identifying threats and is consistent with the recommendations of NERC staff.

The order outlined NERC’s proposed implementation plan, under which Reliability Standard CIP-003-9 becomes effective on the first day of the first calendar quarter that is 36 months after Commission approval, with the currently effective Reliability Standard CIP-003-8 retired immediately prior to that effective date.

“NERC states that the proposed implementation plan reflects the consideration that there are a large number of low impact BES Cyber Systems and responsible entities need time to procure and install equipment that may be subject to delays given high demand,” the order said. 

NERC also proposed modifications to the violation severity levels for Requirements R1 and R2 of Reliability Standard CIP-003-9. For Requirement R1, the modified violation severity levels reference the new Requirement R1.2.6. For Requirement R2, they reference the new Attachment 1, Section 6 controls on ‘vendor electronic remote access security controls.’

“As NERC observed – and FERC agreed – this reflects the consideration that there are a large number of low-impact BES cyber systems, and responsible entities need time to procure and install equipment that may be subject to delays, given high demand,” Stephen J. Humes, Bart Huffman, and Brendan H. Connors wrote in a Holland & Knight Alert on Friday. “Among other things, the new standard will likely require revisions to a number of contracts and updates to cybersecurity controls for service providers that were previously not the subject of NERC CIP requirements because they did not impact medium- or high-risk BES assets,” they added.

Last month, NERC presented its 2022 Annual Report, underscoring that the electricity ecosystem will have to come to grips with cost-effectively protecting lower-impact assets from physical and cyber threats. The FERC order comes as cybersecurity remains at the forefront of efforts to address reliability risks. The report covered the organization’s accomplishments over the past year and set the stage for its 2023 strategic focus areas.
