MANHATTAN BEACH, Calif. — NERC stakeholders last week got a first look at a draft report on supply chain risks as part of a FERC directive to develop a standard addressing risk management of the industry’s vendors.
Roy Thilly, chairman of NERC’s Board of Trustees, called the initiative a “very important undertaking,” but he also cautioned that it is not a “silver bullet.”
Supply chain risk management “requires a practical, effective, measured response,” he said during the NERC Member Representative Committee’s Feb. 6 meeting.
NERC staff have been working with the Electric Power Research Institute to assess the bulk electric system’s (BES) product and manufacturer types, analyze BES cyber assets, and gather best practices and standards used by other industries to mitigate supply chain risks.
At the board’s request, the North American Transmission and Generator Forums and other industry groups have developed white papers, which can be found on the initiative’s website.
The report suggests applying industry practices to third-party accreditation processes; ensuring that hardware and software are protected during physical transport; establishing processes to mitigate risks from unsupported or open-source technology components; and using supply chain controls to address common-mode vulnerabilities.
Staff are recommending that the standards include electronic access and physical access controls for medium- and high-impact BES cyber systems, and that more data be collected on low-impact BES cyber systems. They also plan to monitor emerging technologies for new risks.
Howard Gugel, NERC’s senior director of engineering and standards, said the industry’s reliance on technology and the use of single platforms to host multiple applications have increased the risk of access through “the back door.”
Despite that, he said he would be reluctant to endorse a particular methodology for certifying third parties.
“I’m not sure we as the reliability regulator would want to get into any sort of third-party endorser of people selling in the market,” Gugel said. “However, if there are third-party options for providing that, we’d certainly like to be involved with it.”
FERC ordered NERC in 2016 to draft a “new or modified” standard addressing supply chain risk management for industrial control system hardware, software, and computing and network services associated with the BES. (See FERC Orders NERC to Develop ‘Flexible’ Supply Chain Standard.)
NERC responded with three supply chain standards — CIP-005-6, CIP-010-3 and CIP-013-1 — which FERC approved in October 2018. (See FERC Finalizes Supply Chain Standards.)
Staff are still accepting comment on the report. A final draft will be presented to the board in May.
Members Elect 4 Trustees to Board
The MRC elected the board’s class of 2022, filling a vacancy created to add a Canadian trustee and re-electing three incumbents to three-year terms.
Colleen Sidford will step into the Canadian vacancy. She spent 10 years with Ontario Power Generation in various financial positions, following a career in international banking.
NERC is required to have two Canadian trustees. It has three with Sidford’s election, but it is expected to reduce the number to two when Fred Gorbet’s term expires next year. That will also leave NERC with 11 trustees.
Re-elected to three-year terms were:
- Robert Clarke, who has served on the board since 2013. He chairs the Corporate Governance and Human Resources committees and serves on the Enterprise-wide Risk and Nominating committees.
- Ken DeFontes, a trustee since 2016. He is the liaison to the Standards Committee and serves on the Compliance and Technology and Security committees.
- David Goulding, who was first elected to the board in 2010. He chairs the Enterprise-wide Risk Committee and serves on the Finance and Audit Committee.
NERC’s trustee succession policy provides that no independent trustee may be re-nominated or re-elected if he or she has served 12 consecutive years.
Ford, Sterling Step into New Leadership Positions
The meeting marked Greg Ford’s first as MRC chair. Ford, CEO of Georgia System Operations Corp., replaces Wabash Valley Power Association’s Jason Marshall, who cycled off the committee.
Jennifer Sterling, vice president of NERC compliance and security for Exelon, is serving as vice chair.
NERC Develops Participant Conduct Policy
NERC General Counsel Charles Berardesco shared with the MRC the organization’s Participant Conduct Policy, which is applicable to participants in all organization activities. The policy was based on similar rules for the NERC Operating Committee and standards development process.
However, the policy doesn’t apply to the MRC itself, Ford said. “The MRC is a creature of the bylaws,” he explained.
Berardesco said the policy will create a professional environment for all participants supporting NERC’s mission, including standing committee members and observers, drafting team members and observers, and other stakeholder volunteers who participate in the organization’s activities or groups.
The policy calls for those it covers to conduct themselves in a professional manner, not to use NERC activities for commercial or private purposes, and not to distribute confidential information or certain work products.
— Tom Kleckner