DEPARTMENT OF ENERGY
<SUBAGY>Federal Energy Regulatory Commission</SUBAGY>
<CFR>18 CFR Part 40</CFR>
<DEPDOC>[Docket No. RM24-4-000]</DEPDOC>
<SUBJECT>Supply Chain Risk Management Reliability Standards</SUBJECT>
<HD SOURCE="HED">AGENCY:</HD>
Federal Energy Regulatory Commission, DOE.
<HD SOURCE="HED">ACTION:</HD>
Notice of proposed rulemaking.
<SUM>
<HD SOURCE="HED">SUMMARY:</HD>
The Federal Energy Regulatory Commission (Commission) proposes to direct the North American Electric Reliability Corporation, the Commission-certified Electric Reliability Organization, to develop and submit for Commission approval new or modified Reliability Standards that address the: sufficiency of responsible entities' supply chain risk management plans related to the identification of, assessment of, and response to supply chain risks, and applicability of Reliability Standards' supply chain protections to protected cyber assets.
</SUM>
<EFFDATE>
<HD SOURCE="HED">DATES:</HD>
Comments are due December 2, 2024.
</EFFDATE>
<HD SOURCE="HED">ADDRESSES:</HD>
Comments, identified by docket number, may be filed in the following ways. Electronic filing through
<E T="03">https://www.ferc.gov,</E>
is preferred.
•
<E T="03">Electronic Filing:</E>
Documents must be filed in acceptable native applications and print-to-PDF, but not in scanned or picture format.
• For those unable to file electronically, comments may be filed by USPS mail or by hand (including courier) delivery.
○
<E T="03">Mail via U.S. Postal Service Only:</E>
Addressed to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE, Washington, DC 20426.
○
<E T="03">Hand (including courier) delivery</E>
: Deliver to: Federal Energy Regulatory Commission, 12225 Wilkins Avenue, Rockville, MD 20852.
<FURINF>
<HD SOURCE="HED">FOR FURTHER INFORMATION CONTACT:</HD>
<FP SOURCE="FP-1">
Simon Slobodnik (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6707,
<E T="03">simon.slobodnik@ferc.gov</E>
</FP>
<FP SOURCE="FP-1">
Alexandra Holmes (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6229,
<E T="03">alexandra.holmes@ferc.gov</E>
</FP>
</FURINF>
<SUPLINF>
<HD SOURCE="HED">SUPPLEMENTARY INFORMATION:</HD>
<HD SOURCE="HD1">Notice of Proposed Rulemaking</HD>
<HD SOURCE="HD1">(Issued September 19, 2024)</HD>
1. Pursuant to section 215(d)(5) of the Federal Power Act (FPA),
<SU>1</SU>
<FTREF/>
the Commission proposes to direct the North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), to submit new or modified Reliability Standards within 12 months of the effective date of a final rule that address ongoing risks to the reliability and security of the Bulk-Power System posed by gaps in the Critical Infrastructure Protection (CIP) Reliability Standards related to supply chain risk management (SCRM) (collectively, the SCRM Reliability Standards).
<SU>2</SU>
<FTREF/>
Specifically, we propose to direct NERC to develop new or modified Reliability Standards to address the: (A) sufficiency of responsible entities' SCRM plans related to their (1) identification of, (2) assessment of, and (3) response to supply chain risks, and (B) applicability of SCRM Reliability Standards to protected cyber assets (PCA).
<SU>3</SU>
<FTREF/>
Our proposed directives in this NOPR are forward-looking and objective-driven.
<SU>4</SU>
<FTREF/>
<FTNT>
<SU>1</SU>
16 U.S.C. 824o(d)(5);
<E T="03">see also</E>
18 CFR 39.5(f).
</FTNT>
<FTNT>
<SU>2</SU>
In this notice of proposed rulemaking, the term SCRM Reliability Standards includes Reliability Standards CIP-005-7 (Electronic Security Perimeter(s)), CIP-010-4 (Configuration Change Management and Vulnerability Assessments), and CIP-013-2 (Supply Chain Risk Management).
</FTNT>
<FTNT>
<SU>3</SU>
The Glossary of Terms Used in NERC Reliability Standards (NERC Glossary) defines PCAs as “[o]ne or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. . . .” The NERC Glossary defines Electronic Security Perimeter as “[t]he logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.”
<E T="03">See</E>
NERC,
<E T="03">Glossary of Terms Used in NERC Reliability Standards</E>
(July 2024),
<E T="03">https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf.</E>
</FTNT>
<FTNT>
<SU>4</SU>
<E T="03">See Revised Critical Infrastructure Prot. Reliability Standards,</E>
Order No. 829, 81 FR 49878 (July 29, 2016), 156 FERC ¶ 61,050, at P 43 (2016).
</FTNT>
2. Although the currently effective SCRM Reliability Standards provide a baseline of protection against supply chain threats, there are increasing opportunities for attacks posed by the global supply chain. As we have observed in prior proceedings, while the global supply chain provides the opportunity for significant customer benefits such as low cost, variety of products, and rapid innovation, it also introduces risk to the security and reliability of the Bulk-Power System by facilitating attacks by adversaries.
<SU>5</SU>
<FTREF/>
Using the global supply chain, adversaries have inserted counterfeit and malicious software, tampered with hardware, and enabled remote access.
<SU>6</SU>
<FTREF/>
Based on these known risks, over the last decade, the Commission, other Federal agencies, and the energy industry have focused on SCRM and mitigating cybersecurity risks associated with the supply chain for critical infrastructure. In light of the increasing threat environment and the need for improved mitigation strategies, we have identified significant gaps in the provisions of the SCRM Reliability Standards. Specifically, we preliminarily find that gaps remain in the SCRM Reliability Standards related to the: (A) sufficiency of responsible entities' SCRM plans related to the (1) identification of, (2) assessment of, and (3) response to supply chain risks, and (B) applicability of SCRM Reliability Standards to PCAs.
<FTNT>
<SU>5</SU>
<E T="03">See, e.g., Id.</E>
at PP 11, 25;
<E T="03">see also, e.g., Supply Chain Risk Mgmt. Reliability Standards,</E>
Order No. 850, 83 FR 53992 (Oct. 26, 2018), 165 FERC ¶ 61,020, at P 2 (2018).
</FTNT>
<FTNT>
<SU>6</SU>
<E T="03">See infra</E>
n.80 (discussing SolarWinds Orion network management software compromise).
</FTNT>
3. We believe that directing NERC to address these gaps in the SCRM Reliability Standards will strengthen the reliability and security of the Bulk-Power System. These reliability gaps present an increasingly urgent threat to the Bulk-Power System that requires timely action. As such, we propose to direct NERC to file new or modified Reliability Standards with the Commission within 12 months of the effective date of a final rule addressing the reliability concerns discussed in this NOPR. We seek comments on all aspects of the proposed directive to NERC, including the appropriate deadline by which NERC would file the new or modified Reliability Standards.
<HD SOURCE="HD1">I. Background</HD>
<HD SOURCE="HD2">A. Legal Authority</HD>
4. Section 215 of the FPA provides that the Commission may certify an ERO, the purpose of which is to establish and enforce Reliability Standards, which are subject to Commission review and approval. Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently.
<SU>7</SU>
<FTREF/>
Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO,
<SU>8</SU>
<FTREF/>
and subsequently certified NERC as the ERO.
<SU>9</SU>
<FTREF/>
<FTNT>
<SU>7</SU>
16 U.S.C. 824o(e).
</FTNT>
<FTNT>
<SU>8</SU>
<E T="03">Rules Concerning Certification of the Elec. Reliability Org. & Procs. for the Establishment, Approval, & Enf't of Elec. Reliability Standards,</E>
Order No. 672, 71 FR 8662 (Feb. 17, 2006), 114 FERC ¶ 61,104,
<E T="03">order on reh'g,</E>
Order No. 672-A, 71 FR 19814 (Apr. 18, 2006), 114 FERC ¶ 61,328 (2006).
</FTNT>
<FTNT>
<SU>9</SU>
<E T="03">N. Am. Elec. Reliability Corp.,</E>
116 FERC ¶ 61,062,
<E T="03">order on reh'g & compliance,</E>
117 FERC ¶ 61,126 (2006),
<E T="03">aff'd sub nom. Alcoa, Inc.</E>
v.
<E T="03">FERC,</E>
564 F.3d 1342 (D.C. Cir. 2009).
</FTNT>
5. The Commission has the authority pursuant to section 215(d)(5) of the FPA and consistent with § 39.5(f) of the Commission's regulations, upon its own motion or upon complaint, to order the ERO to submit to the Commission a proposed Reliability Standard or a modification to a Reliability Standard that addresses a specific matter if the Commission considers such a new or modified Reliability Standard appropriate to carry out section 215 of the FPA.
<SU>10</SU>
<FTREF/>
Further, pursuant to § 39.5(g) of the Commission's regulations, when ordering the ERO to submit to the Commission a proposed or modified Reliability Standard that addresses a specific matter, the Commission may order a deadline by which the ERO must submit such Reliability Standard.
<SU>11</SU>
<FTREF/>
<FTNT>
<SU>10</SU>
16 U.S.C. 824o(d)(5); 18 CFR 39.5(f).
</FTNT>
<FTNT>
<SU>11</SU>
18 CFR 39.5(g).
</FTNT>
<HD SOURCE="HD2">B. Supply Chain Risk Management</HD>
6. The supply chain refers to the sequence of processes involved in the production and distribution of,
<E T="03">inter alia,</E>
industrial control system hardware, software, and services.
<SU>12</SU>
<FTREF/>
Such su