The Federal Energy Regulatory Commission is implementing new security standards for the energy sector intended to improve the cyber resiliency of the electrical grid supply chain.

Guidelines for the new cyber risk management framework were posted Thursday, and FERC has proposed moving up the deadline to implement the new security requirements by six months to address software vulnerability and potential theft concerns.

“The global supply chain provides the opportunity for significant benefits to customers, including low cost, interoperability, rapid innovation, a variety of product features and choice. However, the global supply chain also enables opportunities for adversaries to directly or indirectly affect the management or operations of companies that may result in risks to end users,” FERC officials wrote.

FERC commissioned the North American Electric Reliability Corporation (NERC) to develop new standards to improve the cyber posture of the supply chain for national electrical grid systems.

Current cyber vulnerabilities in the supply chain, if left unmitigated, could lead to tampering with grid data, poor manufacturing procedures or the adoption of malicious software. Previous standards for electrical grid operators neglected to factor in Electronic Access Control and Monitoring Systems, Physical Control Systems and Protected Cyber Assets, according to FERC officials.

The new standards, first proposed by NERC in September, focus on improving software integrity, vendor remote access and vendor risk management and procurement controls to reduce supply chain cyber risk.

FERC is mandating that grid operators implement the new guidelines to reduce the current likelihood of an attacker being able to exploit vendor software patches or gain access to vendor credentials.

The cyber risk management effort aims to eliminate the risk of unintentionally procuring and then installing malicious software intended to compromise grid systems.

Grid operators would have up to 12 months from the unannounced implementation date to follow the new guidelines. That is six months shorter than the initial period of 18 months.