Commenters See Overreach in Supply Chain Standards
The drafting team working on changes to NERC standards on supply chain risks will regroup after an initial ballot indicated opposition to the changes.

By Holden Mann

The drafting team working on changes to NERC standards on supply chain risks will regroup next week after an initial ballot indicated widespread opposition to the team’s proposed changes.

Comments on Project 2019-03 opened on Feb. 7 and closed last Wednesday. With 266 votes cast, the weighted results indicated 50.51% acceptance for the proposal — short of the two-thirds majority required for approval by the ballot pool.

Project 2019-03 was initiated in response to FERC Order 850, which directed NERC to submit modifications to address electronic access control or monitoring systems (EACMS) for high- and medium-impact bulk electric cyber systems. (See FERC Finalizes Supply Chain Standards.) The proposed standard also includes a recommendation from NERC staff’s supply chain risks report, which called for requirements on physical access control systems (PACS), excluding alarming and logging, for high- and medium-impact cyber systems.

The comment form asked stakeholders whether:

  • they agree with FERC’s justification for adding EACMS to CIP-005, CIP-010 and CIP-013;
  • they agree with the addition of PACS to CIP-005-7, CIP-010-4 and CIP-013-2;
  • they agree with designating failing to have a method for determining or disabling PACS as a moderate violation severity level (VSL), and failing to have a method for determining and disabling as a high VSL;
  • the proposed 12-month implementation plan is sufficient; and
  • the modifications in CIP-005-7, CIP-010-4 and CIP-013-2 meet the FERC directives in a cost-effective manner.

Utilities Question PACS Inclusion

Most of the negative comments focused on the first two questions, with a number of operators objecting to the inclusion of PACS at all. Meaghan Connell of Chelan County Public Utility District observed that the supply chain risks report had recommended that protected cyber assets (PCAs) be excluded from critical infrastructure protection (CIP) standards because the risk is difficult to quantify, and suggested the same thinking applied to PACS.

“PCAs, like PACS, have no direct 15-minute BES impact. PACS, unlike PCAs, do not reside within an ESP [electronic security perimeter] and have no network access to the BCS [BES cyber system] or related ESP,” Connell said. “Therefore, if PCAs are not included, it seems logical for PACS to be treated in the same manner.”

Greg Davis of Georgia Transmission echoed this view, noting that NERC’s report “correctly refers to various reliability standards that mitigate security risks relating to PACS.” Naming CIP-004-6, CIP-006-6, CIP-007-6, CIP-009-6 and others, Davis said that “these protections are sufficient given the attenuated relationship that a PACS compromise has to BES reliability impacts.”

Broad Focus Taken on EACMS

Commenters were more accepting of the addition of EACMS to CIP-005, CIP-010, and CIP-013, although some registered concern about the burden that the proposed changes would bring to utilities. A common argument was that the team had defined EACMS much more broadly than FERC envisioned.

“The SDT has chosen to include all EACMS while the commission provided the SDT with enough latitude to include only those EACMS that represent a known risk to the BES,” said Mark Gray of Edison Electric Institute. “With this in mind, we encourage the SDT to re-evaluate its approach and develop more targeted [modifications] that only address the known risks associated with EACMS that perform the function of controlling electronic access.”

Several respondents took this argument further, such as Pamela Hunter of Southern Co., who provided an example of how the new standards could produce unintended confusion among utilities and disrupt their workflow to such an extent that it would outweigh any reliability benefits.

“[If] I must only allow vendor remote access through an authorized and authenticated session at an EACMS, and that EACMS is the asset I would use to prevent vendor remote access to a BCS, how then can I also prevent vendor remote access to that very asset that I use to terminate that remote access? This results in [an] illogical loop,” Hunter said. She recommended that the SDT remove EACMS from CIP-005 or consider a new definition of the term that would avoid this kind of conflict.

Dissents on Time and Expense

A number of commenters expressed misgivings about the proposed implementation time frame of 12 months, calling for an extension to 18 or even 24 months. Bobbi Welch of MISO said the proposed changes “may not be as simple as merely adding a few additional systems”; in particular, utilities may need to develop a different process for EACMS and PACS systems. Dennis Sismaet of Northern California Power Agency also said the SDT had not given enough thought to the financial burden that the standard would impose on operators.

“In my view, all these multiple changes and proposals are unnecessary and costly to entities, let [alone] confusing to [us and] our governing boards, and have little, if any, real reliability value,” Sismaet said.

The drafting team will hold its next meeting via conference call March 23-26 to discuss the feedback and plan its next steps. A second posting is being considered for April.
