NERC proposal targets cybersecurity risks in electric system supply chains
NERC on Tuesday filed with federal regulators a petition stretching almost 3,500 pages, proposing new cybersecurity standards that aim to address the increasingly sophisticated attacks on the nation’s bulk power system.
The new standards were proposed in response to FERC Order 829, issued last summer, directing NERC to strengthen its security requirements. In that order, FERC concluded that supply chains for information and communications technology and industrial control systems present risks to bulk electric system (BES) security, providing various opportunities for adversaries to initiate cyberattacks.
“The targeting of vendors and software applications with potentially broad access to BES Cyber Systems marks a turning point in that it is no longer sufficient to focus protection strategies exclusively on post-acquisition activities at individual entities,” FERC found in Order 829.
The new standards aim to: reduce the likelihood that an attacker could exploit legitimate vendor patch management processes to deliver compromised software updates; address the risk that entities could unintentionally plan to procure and install unsecure equipment or software within their information systems; and address the risk that a compromised vendor would not provide adequate notice of security events and vulnerabilities.