FERC Order 850 Impact on Software Vendors and their Energy Customers - are you ready for June 2020
- May 13, 2019
FERC Order 850 was issued in October of 2018 with the goal to “improve the electric industry’s cybersecurity posture by requiring that entities mitigate certain cybersecurity risks associated with the supply chain for BES Cyber Systems”. Entities under FERC jurisdiction are expected to comply with the Order by June of 2020. This means that the software and hardware vendors of these BES supply chain products are not themselves subject to FERC jurisdiction, but many of the companies that purchase these goods and services will have to ensure that their vendors provide a compliant solution, or else run the risk of FERC enforcement actions, i.e. fines.
In defining the scope of the Order, FERC requires its jurisdictional entities “to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations”. The supply chain security plan must focus on the following four security objectives: (1) software integrity and authenticity; (2) vendor remote access protections; (3) information system planning; and (4) vendor risk management and procurement controls. The Order also directs NERC to produce additional security policies to enhance “Electronic Access Control and Monitoring Systems (EACMS)” within 24 months of the Order’s effective date.
In this article, I chose to focus on objective 1, software integrity and authenticity. So, what exactly is “software integrity and authenticity”, and how will software vendors be tasked with demonstrating compliance, so that the buying companies under FERC jurisdiction can show compliance with FERC Order 850 during a NERC audit? After some brief research into compliant options I was unable to identify any “industry best practices” underway within US energy companies; however, there are many examples from the software industry of how to ensure “software integrity and authenticity”. Fortunately, the SAFECode and BSA | The Software Alliance organizations provide some guidance in this regard in the form of a Framework for Secure Software, which can be downloaded here.
The BSA framework is comprehensive and could serve as a foundational guideline for compliance with FERC Order 850 as far as software integrity is concerned. However, this is only half of the story: what about “authenticity” (see Framework item EN.3-3), and how will that be assured under FERC Order 850? The BSA framework does not specify exactly how identity, and hence authentication, are to be ensured; guidance in this regard is offered by the NIST Digital Identity Guidelines. These NIST guidelines are quite extensive and are intended to ensure the identity of “trustable entities”, in this case the software vendors providing patches and upgrades to existing customers under FERC Order 850. The NIST guidelines are written to address a broad spectrum of scenarios across Federal agencies, from the highest level of secrecy down to simple email message integrity. Many identity and authentication profiles can be built from these options, which can make it difficult for a jurisdictional entity to pick a compliant profile from everything the NIST guidelines allow.
Fortunately, the North American Energy Standards Board (NAESB) has been at the forefront of developing standards for identity and authentication across the energy industry for over 10 years. The Wholesale Electric Quadrant (WEQ) developed a set of “Public Key Infrastructure (PKI)” standards called “WEQ-012” that define four profiles, referred to as “assurance levels”, for use across the energy industry for integrity and authentication purposes. The WEQ-012 standard combines the best practices contained in the NIST Digital Identity Guidelines with other industry standards from the CAB Forum to create a best-of-breed standard for privacy, identity and authentication, serving the needs of OASIS and other energy industry applications such as the Energy Information Registry (EIR).
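The distinction the article draws between integrity (is this the file the vendor published?) and authenticity (did it really come from that vendor?) is easiest to see in code. The following Go program is an added illustration, not code from the article, NAESB, BSA or NIST; it assumes a simplified vendor manifest (a SHA-256 digest of the patch plus an Ed25519 signature over that digest) and a customer that pins the vendor's public key, which is a stand-in for the certificate-based trust that a WEQ-012 PKI profile would actually provide. The third scenario shows why a digest check on its own does not satisfy objective 1: a modified package that ships with a freshly computed digest passes the integrity check but fails authenticity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Manifest is a hypothetical record a vendor would publish beside a patch:
// the SHA-256 of the artifact and the vendor's signature over that digest.
type Manifest struct {
	SHA256    string // hex digest of the artifact bytes
	Signature []byte // Ed25519 signature over the raw 32-byte digest
}

func digest(artifact []byte) []byte {
	d := sha256.Sum256(artifact)
	return d[:]
}

// SignArtifact is the vendor-side step: hash the release and sign the hash.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) Manifest {
	d := digest(artifact)
	return Manifest{SHA256: hex.EncodeToString(d), Signature: ed25519.Sign(priv, d)}
}

// CheckIntegrity answers only one question: does the file match the manifest?
// It says nothing about who produced the manifest.
func CheckIntegrity(m Manifest, artifact []byte) bool {
	return hex.EncodeToString(digest(artifact)) == m.SHA256
}

// VerifyArtifact answers both questions. The public key is the customer's
// pinned trust anchor for this vendor (in a real deployment it would be taken
// from a certificate validated under the chosen PKI assurance level).
func VerifyArtifact(vendorKey ed25519.PublicKey, m Manifest, artifact []byte) (bool, string) {
	if !CheckIntegrity(m, artifact) {
		return false, "integrity failure: artifact digest does not match manifest"
	}
	if !ed25519.Verify(vendorKey, digest(artifact), m.Signature) {
		return false, "authenticity failure: manifest not signed by the trusted vendor key"
	}
	return true, "ok"
}

// RunScenarios walks through three constructed cases and reports, for each,
// whether the digest-only check and the full check accept the package.
func RunScenarios() map[string]bool {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// A second key pair standing in for anyone who is not the vendor.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	genuine := []byte("relay-firmware-2.3.1 (constructed sample payload)")
	altered := []byte("relay-firmware-2.3.1 (constructed sample payload, modified)")

	out := map[string]bool{}

	// 1. Genuine release: vendor manifest, unmodified artifact.
	m := SignArtifact(vendorPriv, genuine)
	out["genuine_integrity"] = CheckIntegrity(m, genuine)
	out["genuine_verified"], _ = VerifyArtifact(vendorPub, m, genuine)

	// 2. Artifact changed after release, vendor manifest left as is.
	out["altered_integrity"] = CheckIntegrity(m, altered)
	out["altered_verified"], _ = VerifyArtifact(vendorPub, m, altered)

	// 3. Artifact changed and re-hashed with a manifest signed by a non-vendor key.
	//    The digest matches, so a hash-only check is satisfied; the signature does not.
	forged := SignArtifact(otherPriv, altered)
	out["resigned_integrity"] = CheckIntegrity(forged, altered)
	out["resigned_verified"], _ = VerifyArtifact(vendorPub, forged, altered)

	return out
}

func main() {
	for name, ok := range RunScenarios() {
		fmt.Printf("%-22s %v\n", name, ok)
	}
}
```

The useful outcome is the third row pair: `resigned_integrity` is true while `resigned_verified` is false. A customer that only compares published hashes would have accepted that package; the signature tied to a pinned, identity-vetted key is what delivers the “authenticity” half of objective 1, and the assurance level of the PKI that issued that key is what an auditor would ask about.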
In summary, FERC Order 850 requires FERC jurisdictional entities with responsibilities for the bulk electric system (BES) to document plans ensuring that proper controls are in place to verify the integrity and authenticity of software used in medium- and high-risk operations of the BES. The WEQ-012 standard of the North American Energy Standards Board provides a platform for companies to address the items covered by NIST’s Digital Identity Guidelines. Used in conjunction with the SAFECode and BSA Framework for Secure Software, it is one possible means of meeting the FERC Order 850 requirements for software integrity and authenticity, alongside the other measures the Order specifies to ensure that proper procurement practices are followed.