Electric industry participants asked FERC for flexibility in setting the new supply chain risk management (SCRM) standards the commission suggested in a notice of proposed rulemaking issued in September (RM24-4).  

Edison Electric Institute, Electric Power Supply Association and the National Rural Electric Cooperative Association filed joint comments Dec. 2 saying they support efforts to improve supply chain risk management practices but have qualms with FERC’s specific proposals. 

“As FERC states in this NOPR, while the global supply chain introduces risk to the security and reliability of the BPS by creating potential attack surfaces for threat actors to exploit, it also provides the opportunity for significant customer benefits such as low cost, product variety and rapid innovation,” the joint trade groups said. 

As the technology to operate the grid evolves, grid owners and operators will continue to be responsible for security, but that responsibility is shared by suppliers, vendors and manufacturers. Revisions to mandatory standards need to strike the proper balance between the responsibilities of industry and suppliers, the trade groups said. 

FERC’s proposed rule would require responsible entities to evaluate equipment and vendors to better identify supply chain risks, requiring NERC to establish a maximum time frame between when an entity performs its initial risk assessment during the procurement process and when it installs the equipment. Responsible entities would have to take steps to validate supplier claims around any risks. (See FERC Proposes Further Cybersecurity Measures.) 

The trade groups said they don’t support the commission’s recommendation that entities should reevaluate the risks of installing any piece of equipment that has sat in storage for a long time.  But they did agree with a proposal to perform periodic reassessments of vendors that consider the criticality of a service or product and changed circumstances, such as a merger or a security event associated with a supplier. 

Forcing such reassessments could prove difficult contractually with overseas suppliers, who might not be required to go through reviews, the groups said. 

While FERC stopped short of requiring responsible entities to guarantee the accuracy of information they get from vendors, the trade groups oppose overarching requirements for vendors to supply supporting evidence or independent certifications. 

“Mandatory Reliability Standards should use a risk-based approach that allows entities to determine when and what validation is required for vendor-provided supply chain risk management information based on entity-defined criteria,” the groups wrote. “This approach allows entities to focus on products and services that represent the greatest risk to reliability while minimizing the increased workload associated with validating vendor responses.” 

The trade associations asked FERC to support a risk-based approach to developing future supply chain standards, which, given the growing number of suppliers, will require scalable mechanisms to identify and address risks. 

‘Continuous Monitoring’

Amazon Web Services (AWS) also weighed in on the NOPR, urging FERC to use a risk-based approach on any requirement to restudy equipment in storage before it gets installed. AWS advised against a blanket requirement for reassessment, saying it should only be triggered by events such as a change in supplier ownership, geopolitical events or new security exploits. 

Rigid time frames could lead industry participants to miss important risks that arise right after a reassessment, while adding costs with no major benefits, AWS said. 

“Continuous monitoring of assets in production is a more effective approach to supply chain risk management by increasing visibility into potential risks and the ability to respond to emerging risks,” AWS said. “NERC should credit programs that include continuous monitoring to complement periodic full reassessments.” 

AWS urged FERC to accept the use of third-party certifications and technology solutions to help responsible entities stay on top of supply chain risk management. 

“Use of third-party certifications should be explicitly supported as a valuable aspect of risk assessment because such use leverages high-quality risk analyses and security practice verification provided by disinterested third parties,” the company added. 

‘Aggressive Approach’

The ISO/RTO Council said it supports robust supply chain risk management practices and argued that any directives to NERC should recognize that responsible entities are best suited to determine how and when to evaluate risks. 

“Neither NERC nor a NERC standards drafting team will fully understand or appreciate each individual responsible entity’s unique supply chain risks,” the IRC said. “Although NERC can develop a requirement that responsible entities identify risks and specify the timing requirements for equipment and vendor evaluations, each individual responsible entity is in a better position to understand the risks related to its unique supply chain.” 

IRC also urged FERC to tread lightly on requiring confirmation of vendor’s claims about supply chain risks because that is difficult and potentially cost-prohibitive. Any rules should give responsible entities flexibility to pick a validation process — such as a direct or third-party audit, it said. 

“This flexibility will assist compliance in the short-term,” IRC said. “Any commission directive to NERC should also encourage and drive further consideration of a longer-term evolution that would take validation responsibilities off of each responsible entity and allow for the development of third-party verification and other means to more efficiently undertake this important validation task.” 

While many in the industry argued for flexibility, the Secure the Grid Coalition, which calls itself “an ad hoc group of policy, energy and national security experts,” argued the NOPR is a small step and said FERC should do more to secure the industry’s supply chain risk management (SCRM). 

“The continued reliance on generic improvements to SCRM standards without targeted action against known risks from Chinese-manufactured transformers and other critical grid equipment leave significant vulnerabilities unaddressed,” the conservative group told FERC. “To ensure the reliability and safety of the U.S. electric grid, FERC must take a more comprehensive and aggressive approach.” 

Utilities should be incentivized to buy American products, something FERC can encourage with an aggressive messaging campaign that it is no longer satisfied with the “status quo of its entities purchasing vital assets — particularly transformers and other critical grid equipment — from hostile nations,” the coalition said.