Attacks targeting SolarWinds and MOVEit recently have spotlighted supply chain risks in cybersecurity. In the wake of recent high-profile incidents at utilities, including one last week in Kansas, the US Federal Energy Regulatory Commission (FERC) called for updating standards for supply chain security to improve the resilience of the US bulk power system.
At its September meeting, FERC asked the energy industry consortium North American Electric Reliability Corporation (NERC) to create a better supply chain security standard for power plants. Such utilities must:
- identify supply chain risks to electric grid-related cybersecurity systems at regular intervals;
- assess and validate the information vendors submit during procurement; and
- document, track, and respond to those risks.
The commission also directed NERC to add protected cyber assets (PCAs) to the systems subject to this supply chain scrutiny.
Internal Network Security Monitoring on the Docket
At that same meeting, FERC also addressed a new reliability standard for critical infrastructure protection that mandates monitoring of network traffic inside an electronic security perimeter.
Internal network security monitoring (INSM) monitors communication between devices inside the "trust zone" of a network, providing a backstop for detecting malicious activity that slipped through the security perimeter. In addition to giving early warning of intrusions, this east-west visibility provides a more complete picture of the scope of an attack.
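To make the east-west monitoring idea concrete, here is an added example (not from the article, FERC or NERC) of the simplest form an INSM check can take: observed flows between assets inside an electronic security perimeter are compared against a baseline of expected conversations, and anything off-baseline, anything from an unknown asset, or anything initiated by a device that should only ever be polled is raised as a finding. The asset inventory, baseline, addresses and flow records are all constructed for the example.

```python
"""Minimal INSM-style east-west flow check: compare flows observed inside an
electronic security perimeter (ESP) against an expected-communication baseline.
All assets, addresses and flows below are constructed for illustration."""
from collections import Counter

# Hypothetical asset inventory for one ESP: address -> role.
ASSETS = {
    "10.10.1.5": "hmi",
    "10.10.1.6": "eng-workstation",
    "10.10.1.7": "historian",
    "10.10.2.20": "plc",
    "10.10.2.21": "plc",
}

# Expected east-west conversations: (source role, destination role, dport, proto).
BASELINE = {
    ("hmi", "plc", 502, "tcp"),               # HMI polls PLCs over Modbus/TCP
    ("historian", "plc", 502, "tcp"),         # historian reads process values
    ("eng-workstation", "plc", 44818, "tcp"), # engineering tool over EtherNet/IP
}

# Roles that are only ever polled and should never initiate a connection.
PASSIVE_ROLES = {"plc"}

# Constructed flow records, as a passive INSM sensor might summarise them.
SAMPLE_FLOWS = [
    {"ts": "2023-09-21T10:00:01", "src": "10.10.1.5", "dst": "10.10.2.20", "dport": 502, "proto": "tcp"},
    {"ts": "2023-09-21T10:00:02", "src": "10.10.1.7", "dst": "10.10.2.21", "dport": 502, "proto": "tcp"},
    {"ts": "2023-09-21T10:00:05", "src": "10.10.1.6", "dst": "10.10.1.5", "dport": 445, "proto": "tcp"},
    {"ts": "2023-09-21T10:00:09", "src": "10.10.2.20", "dst": "10.10.1.6", "dport": 8080, "proto": "tcp"},
    {"ts": "2023-09-21T10:00:12", "src": "10.10.1.99", "dst": "10.10.2.20", "dport": 502, "proto": "tcp"},
    {"ts": "2023-09-21T10:00:15", "src": "10.10.1.6", "dst": "10.10.2.21", "dport": 44818, "proto": "tcp"},
]


def check_flow(flow):
    """Return the list of finding tags for one flow; an empty list means the
    flow matches the baseline and nothing unusual was seen."""
    src_role = ASSETS.get(flow["src"], "unknown")
    dst_role = ASSETS.get(flow["dst"], "unknown")
    findings = []
    if src_role == "unknown" or dst_role == "unknown":
        findings.append("unknown-asset")          # not in the ESP inventory
    if src_role in PASSIVE_ROLES:
        findings.append("passive-asset-initiated")  # a polled device reached out
    if (src_role, dst_role, flow["dport"], flow["proto"]) not in BASELINE:
        findings.append("off-baseline")           # conversation never expected
    return findings


def analyze(flows):
    """Run check_flow over every record; return (alerts, summary) where alerts
    carries each flagged flow with its roles and findings, and summary counts
    findings by tag."""
    alerts = []
    summary = Counter()
    for flow in flows:
        findings = check_flow(flow)
        if findings:
            alerts.append({
                **flow,
                "src_role": ASSETS.get(flow["src"], "unknown"),
                "dst_role": ASSETS.get(flow["dst"], "unknown"),
                "findings": findings,
            })
            summary.update(findings)
    return alerts, summary


if __name__ == "__main__":
    alerts, summary = analyze(SAMPLE_FLOWS)
    for a in alerts:
        print(f'{a["ts"]} {a["src"]}({a["src_role"]}) -> {a["dst"]}({a["dst_role"]})'
              f':{a["dport"]}/{a["proto"]} {",".join(a["findings"])}')
    print("summary:", dict(summary))
```

Run against the constructed flows, the two Modbus polls and the engineering-tool session pass, while the workstation-to-HMI SMB connection, the PLC-initiated outbound connection, and the flow from an uninventoried address are raised. A production sensor would learn the baseline from observed traffic and add protocol-level inspection, but the value the article points at is already visible here: none of these three flows would have crossed the perimeter, so only a view of traffic inside it can catch them.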
At the meeting, FERC "proposed to approve" Reliability Standard CIP-015-1, but asked NERC to extend INSM to systems outside of the electronic security perimeter, such as physical and electronic access control systems.