Regulatory Update | Apr 6th, 2017

New NERC Standard Impacts Utility Supply Chain Process


In response to concerns regarding the security of control systems used for power delivery, the Federal Energy Regulatory Commission (FERC) issued Order No. 829 directing NERC to develop a new reliability standard to mitigate the risk of a cybersecurity breach of power system SCADA, DCS and EMS systems. The new standard will focus on cyber system supply chain risk resulting from unauthorized embedded firmware or software and calls for NERC to provide industry-wide minimum supply-chain-oriented requirements. These new requirements will modify the processes and procedures used by utilities to acquire control system hardware and software.

FERC’s order specifically directed that the industry provide stronger management of the procurement process for power system control system hardware, software, computing and networking services associated with Bulk Electric System (BES) operations. NERC must file its new standard with FERC on or before September 2017.

NERC will develop this as a forward-looking, objective-based reliability standard that requires each affected utility to develop and implement a strong procurement process. The resulting final standard must achieve the following security objectives:

  1. Assure software integrity and authenticity
  2. Provide for vendor remote access controls
  3. Assure information system planning
  4. Establish vendor risk management and procurement controls

Since NERC reliability standards only identify the reliability objectives and desired results, utilities will be required to develop methods oriented toward procurement and operational risk management to deliver the required results related to these four objectives.

To learn more about the standard and next steps for implementation and compliance, please download TRC’s Regulatory Update.