FERC Outlines Supply Chain Security Rules for Power Plants

Attacks targeting SolarWinds and MOVEit in recent years have spotlighted supply chain risks in cybersecurity. In the wake of recent high-profile incidents at utilities, including one last week in Kansas, the US Federal Energy Regulatory Commission (FERC) called for updating standards for supply chain safety to improve the resilience of the US bulk power system.

At its September meeting, FERC asked the energy industry consortium North American Electric Reliability Corporation (NERC) to create a better supply chain security standard for power plants. Such utilities would have to:

The commission also directed NERC to add protected cyber assets (PCAs) to the systems subject to this supply chain scrutiny.

Internal Network Security Monitoring on the Docket

At that same meeting, FERC also addressed a new reliability standard for critical infrastructure protection that mandates monitoring of network traffic inside an electronic security perimeter.

Internal network security monitoring (INSM) monitors communication between devices inside the "trust zone" of a network, providing a backstop for detecting malicious activity that slipped through the security perimeter. In addition to allowing an early warning about intrusions, this east-west visibility provides a more complete picture of the scope of an attack.

At the meeting, FERC "proposed to approve" Reliability Standard CIP-015-1, but asked NERC to extend INSM to systems outside of the electronic security perimeter, such as physical and electronic access control systems.