Supply Chain Standard Posted for Comments
CIP Requirements Extended to EACMS, PACS
NERC has opened a 45-day formal comment period on proposed reliability standards addressing cybersecurity supply chain risks.

By Rich Heidorn Jr.

Project 2019-03 was initiated in response to FERC Order 850, which directed NERC to submit modifications to address electronic access control or monitoring systems (EACMS) that provide electronic access control to high- and medium-impact bulk electric cyber systems. (See FERC Finalizes Supply Chain Standards.)

The proposed standard also includes a recommendation from NERC staff’s supply chain risks report in May, which called for requirements on physical access control systems (PACS) that provide physical access control (excluding alarming and logging) to high- and medium-impact cyber systems.

Supply Chain Standard

Comments will be accepted until 8 p.m. ET March 11 on CIP-005-7 (Cyber Security – Electronic Security Perimeter(s)); CIP-010-4 (Cyber Security – Configuration Change Management and Vulnerability Assessments); and CIP-013-2 (Cyber Security – Supply Chain Risk Management), which required responsible entities to “develop one or more documented supply chain cyber security risk management plan(s) for high- and medium-impact BES cyber systems and their associated EACMS and PACS” (emphasis added).

Ballot pools will be formed through 8 p.m. Feb. 25. An initial ballot for the standards and implementation plan, and a nonbinding poll for the associated violation risk factors (VRFs) and violation severity levels (VSLs), will be held March 2-11.

The comment form asks stakeholders whether:

  • they agree with FERC’s justification of adding EACMS to CIP-005, CIP-010 and CIP-013;
  • they agree with the addition of PACS to CIP-005-7, CIP-010-4 and CIP-013-2;
  • they agree with the designation of a violation for failing to have a method for determining or disabling PACS as a moderate VSL, and a violation for failing to have a method for determining and disabling as a high VSL;
  • the proposed 12-month implementation plan is sufficient; and
  • the modifications in CIP-005-7, CIP-010-4 and CIP-013-2 meet the FERC directives in a cost-effective manner.

The standards development team for the project will meet March 24-26 to consider the comments and plans a second posting in April, team members said during a webinar Tuesday.

The standard proposes a 12-month implementation plan. “However, if you feel 18 months is more appropriate, give us some reason why,” SDT member Tony Hall, of Louisville Gas & Electric and Kentucky Utilities, said in response to one question from the audience.

In November, the drafting team said it would leave the definitions of PACS and EACMS unchanged, at least in the first ballot. Some have called for replacing EACMS with EACS (electronic access control system) and EAMS (electronic access monitoring system) and removing alerting and logging functions from the current definition of PACS. These, along with monitoring functions, would be reclassified as physical access monitoring systems (PAMS). But some team members said accepting the changes now could lead to confusion with other standards teams that rely on the original definitions. (See Supply Chain Team Wary of Changing Access Control Terms.)
