FERC on Thursday approved revisions to three of NERC’s critical infrastructure protection (CIP) reliability standards, submitted last year under Project 2019-03 (Cybersecurity supply chain risks).
The commission’s order approved the following standards:
- CIP-005-7: Cybersecurity — Electronic security perimeter(s)
- CIP-010-4: Cybersecurity — Configuration change management and vulnerability assessments
- CIP-013-2: Cybersecurity — Supply chain risk management
Also approved Thursday were the implementation plan, violation risk factors and violation severity levels for each of the revised standards.
Project 2019-03 began in response to FERC Order 850, in which the commission approved the currently effective standards CIP-005-6, CIP-010-3 and CIP-013-1; those versions will be retired as a result of Thursday’s order. (See FERC Finalizes Supply Chain Standards.) While the commission found the requirements of the standards “forward-looking and objective-based,” it noted that they did not cover electronic access control or monitoring systems (EACMS), physical access control systems (PACS) or protected cyber assets, leaving “a significant cybersecurity risk associated with the supply chain.”
The new standards attempt to close this gap in several ways. Under CIP-013-2, responsible entities will be required to add EACMS and PACS associated with high- and medium-impact bulk electric system (BES) cyber systems “to their documented supply chain cybersecurity risk management plans,” raising the likelihood that potential risks are uncovered during the planning and procurement stages for new equipment rather than after it is deployed.
CIP-005-7 applies to supply chain risk management from an operational standpoint, adding requirements regarding remote access controls for EACMS and PACS associated with high-impact BES cyber systems, along with medium-impact BES cyber systems with external routable connectivity. These measures are intended to supplement the new requirements in CIP-013-2 “to address vendor remote access.”
Finally, CIP-010-4 now applies to EACMS and PACS associated with both high- and medium-impact BES cyber systems, reducing “the risk of an attacker exploiting a legitimate vendor patch management process for EACMS and PACS by requiring responsible entities to apply these protections.”
FERC said the new standards satisfied its concerns regarding the exclusion of EACMS and PACS. The standards will take effect the first day of the quarter beginning 18 calendar months after the effective date of the commission’s approval order, a time frame requested by NERC to allow entities enough time to alter their cyber supply chain risk management plans to account for the new requirements.