The Federal Energy Regulatory Commission (“FERC”) published an October 26th Federal Register notice approving supply chain risk management Reliability Standards:
- CIP-013-1 (Cyber Security – Supply Chain Risk Management)
- CIP-005-6 (Cyber Security – Electronic Security Perimeters)
- CIP-010-3 (Cyber Security – Configuration Change Management and Vulnerability Assessments)
See 83 Fed. Reg. 53992.
Section 215 of the Federal Power Act requires a FERC-certified Electric Reliability Organization (“ERO”) to develop mandatory and enforceable Reliability Standards. Such standards are, however, subject to FERC approval. The Reliability Standards may be enforced by the ERO, subject to FERC oversight, or by FERC independently.
The North American Electric Reliability Corporation (“NERC”) had submitted supply chain risk management Reliability Standards for FERC approval. NERC submitted these standards in response to a directive issued by FERC in Order No. 829. See Revised Critical Infrastructure Protection Reliability Standards, Order No. 829.
FERC concludes in the October 26th notice that the supply chain risk management Reliability Standards:
- are responsive to Order No. 829; and
- improve the electric industry’s cybersecurity posture by requiring that entities mitigate certain cybersecurity risks associated with the supply chain for Bulk Electric System (“BES”) Cyber Systems.
FERC previously concluded that the global supply chain provides significant benefits to customers, such as:
- low cost;
- interoperability;
- rapid innovation; and
- a variety of product features and choice.
However, FERC further states that the global supply chain also creates:
. . . opportunities for adversaries to directly or indirectly affect the management or operations of companies with potential risks to end users.
Such supply chain risks are stated to include:
- insertion of counterfeit or malicious software;
- unauthorized production;
- tampering;
- theft; and
- poor manufacturing and development practices.
FERC concludes that the Reliability Standards largely address these supply chain cybersecurity risks as set out within the scope of Order No. 829.
A copy of the Federal Register notice can be found here.
The Between the Lines blog is made available by Mitchell, Williams, Selig, Gates & Woodyard, P.L.L.C. and the law firm publisher. The blog site is for educational purposes only, as well as to give general information and a general understanding of the law. This blog is not intended to provide specific legal advice. Use of this blog site does not create an attorney-client relationship between you and Mitchell Williams or the blog site publisher. The Between the Lines blog site should not be used as a substitute for legal advice from a licensed professional attorney in your state.