By Rich Heidorn Jr.
NERC announced Thursday it will conduct a formal review of the effectiveness of its new supply chain standards, which take effect July 1.
Howard Gugel, NERC’s vice president for engineering and standards, outlined the plan during the Board of Directors’ conference call Thursday, at which the board also approved its 2019 Long-Term Reliability Assessment and the revised ERO Enterprise Long-Term Strategy.
Gugel said NERC plans to report on its findings to the board after the first two years of the standards’ implementation.
The critical infrastructure protection (CIP) standards — CIP-013-1 (Cyber Security – Supply Chain Risk Management), CIP-005-6 (Cyber Security – Electronic Security Perimeter(s)) and CIP-010-3 (Cyber Security – Configuration Change Management and Vulnerability Assessments) — were developed in response to FERC Order 829, issued in 2016.
The commission approved the standards, intended to mitigate supply chain risks in industrial control system hardware, software, and computing and networking services, in 2018. (See FERC Finalizes Supply Chain Standards.)
Gugel said ERO staff will conduct surveys on supply chain awareness and collect statistics on identified “key risk indicators,” including software validation discrepancies, vendor vulnerability and cybersecurity incidents.
NERC will examine supplier contracts to determine whether entities have been able to negotiate language that includes required supply chain controls. It will also analyze supply chain training and communications, including inquiries to the Electricity Information Sharing and Analysis Center (E-ISAC), to determine how well vulnerabilities have been identified and communicated.
Gugel said staff will make periodic reports to the Reliability and Security Technical Committee, and its formal report to the board could include recommendations for improvements to the standards.
“Every time I hear a presentation about supply chain risk, I am impressed with the complexity of this challenge and how important it is, so I think following through on the effectiveness review is really important,” Chair Roy Thilly said.
In response to Thilly’s question, Gugel said staff will look at how consistently the standards are being enforced and how facilities are characterized for application to the rules.
“I agree with your analysis” of supply chain issues, he told Thilly. “It seems like an onion. Every time we go to it, there’s another skin that needs to be peeled back.”
Trustee Jan Schori asked for interim reports on staff’s findings. “It’s also a very high visibility issue; people are extremely interested in it,” she said. Two years “seems kind of long to me.”
“Yes. We could absolutely do that,” Gugel responded.
Strategy Update OK’d
The board approved a revised ERO Enterprise Long-Term Strategy, which was last updated in 2017. NERC said the revisions were part of an effort to streamline its strategic and operational documents and ensure alignment with the Reliability Issues Steering Committee’s identification of bulk power system risks.
The document is based on four “value drivers,” including the use of innovative, risk-based programs, and balancing industry collaboration with independence and objectivity.
It identifies five long-term “focus areas,” including further development of the E-ISAC, strengthening “engagement” and seeking opportunities for “effectiveness, efficiency and continuous improvement.”
NERC CEO Jim Robb described the document, which also incorporates feedback from stakeholders’ comments on earlier drafts, as “the culmination of very collaborative work between NERC and the regional entities.” (See Strategy Plan Prompts ‘Cost-benefit’ Discussion at MRC.)
Robb said “alignment” between NERC and the REs “was something we were aiming for and I think a big step forward from what we had the last time we [wrote] the strategy.”
“Much of the social fabric that’s embedded in the strategy in terms of improving collaboration … I think we already have good proof points that that’s well in motion,” he continued, citing NERC’s “positive steps with the Transmission Forum.”
Thilly acknowledged that the final draft incorporated the board’s comments as well. “I particularly appreciate that it’s only nine pages long and not 80 pages long,” he added. “It’s concise and clear, which is really helpful.”
The 2019 Long-Term Reliability Assessment, which the board also approved, will be released next week.