Supply Chain Team Seeks Consensus After Feedback
By Holden Mann

The standard drafting team updating NERC’s standards to address cybersecurity supply chain risks is seeking a way forward in the face of widespread opposition to its proposed changes.

Project 2019-03 was initiated in response to FERC Order 850, which directed NERC to modify standards to address electronic access control or monitoring systems (EACMS) for high- and medium-impact bulk electric cyber systems. (See FERC Finalizes Supply Chain Standards.)

Meeting via conference call this week, the SDT focused on the results of the initial ballot that concluded March 11. The weighted results indicated just over 50% acceptance of the proposal, short of the two-thirds majority required for approval. (See Commenters See Overreach in Supply Chain Standards.)

Push for PACS Removal

Many of the negative comments accompanying the ballot focused on the inclusion of physical access control systems (PACS) in the proposed modifications to CIP-005, CIP-010 and CIP-013. This was not part of the original FERC mandate but was added after NERC staff’s supply chain risks report last May recommended that standards include requirements for PACS on high- and medium-impact systems.

The addition of PACS had been a subject of disagreement during the drafting process, and some team members pointed to the opposition as justification for removing the term from the proposal altogether. (See Supply Chain Team Wary of Changing Access Control Terms.) Tony Hall of Louisville Gas & Electric and Kentucky Utilities cited a comment from Meaghan Connell of Chelan County Public Utility District that noted that protected cyber assets (PCAs) are excluded from the CIP-013 reliability standards because their risk is difficult to quantify, and recommended PACS be excluded on the same basis.

However, others pushed back against the idea that PACS had no place in the standards, arguing that they can still introduce a security risk and that their omission from earlier standards is no reason to ignore the threat they pose now.

“The fact that NERC and FERC left PCAs out of the CIP-013 standards is not lost on me. … It seems that they should have both been included, but they were not,” said Jeffrey Sweet, manager of cybersecurity testing and assessments for American Electric Power, adding that he would have preferred to include PCAs in the supply chain standards if the order allowed it. “[We] only addressed the PACS because that was all we were told to address: PACS and EACMS.”

More Warnings of Scope Creep

Team members also responded to concerns about a perceived expansion in the definition of EACMS. Several commenters argued that FERC had only asked for modifications to address EACMS that pose a known risk to the bulk electric system, but the proposed standard would affect all EACMS. This wider scope could cause unintended confusion for utilities and disrupt their workflows, they said.

Hall urged the drafting team to take these warnings seriously and try to clarify its language in order to avoid “messing something up through a process, because there’s always a different way to follow the process.” He observed that an overly vague standard with difficult-to-parse language could quickly bog down both utilities and auditors in trying to verify whether compliance has been achieved.

“I personally don’t want to get into the situation of maintaining lists for the sake of maintaining lists,” Hall added. “Early on in these CIP standards, we had so many violations in CIP-004 because the list didn’t match who actually had access. … We ended up with violation after violation because the list was wrong.”

The SDT’s next meeting has not yet been scheduled. Currently all drafting teams are meeting via conference call in accordance with NERC’s business continuity plan, invoked in response to the COVID-19 coronavirus pandemic.
