
Richard "Dick" Brooks

FERC NOPR ISSUED ON 9/19/2024 RM24-4-000 to boost software supply chain security in the BES

[UPDATE November 27, 2024] I asked Microsoft Copilot to summarize NESCOE's comment filing to NERC on Docket RM24-4-000. Here is what I received:

Summarize NESCOE comments to FERC in Docket RM24-4-000

The New England States Committee on Electricity (NESCOE) submitted comments in response to FERC's Notice of Proposed Rulemaking (NOPR) in Docket RM24-4-000, which focuses on Supply Chain Risk Management Reliability Standards Revisions. Here are the key points from NESCOE's comments:

  1. Support for Cybersecurity Efforts: NESCOE strongly supports efforts to enhance cybersecurity and appreciates FERC's initiative to improve the cybersecurity posture of the Bulk-Power System.

  2. Grid Transformation: NESCOE highlights that grid transformation is increasing the potential for cyberattacks due to emerging technologies, additional communications, and remote control capabilities.

  3. Supply Chain Risks: NESCOE emphasizes the importance of addressing supply chain risks, as software and hardware used in the electric industry can be targeted by hackers via direct network attacks or supply chain breaches.

  4. Call for Action: NESCOE urges the Commission to take all necessary steps to ensure that malicious actors cannot threaten the security of the electric grid.

In summary, NESCOE supports the proposed revisions and stresses the need for comprehensive measures to mitigate supply chain risks and enhance the security of the electric grid.

SUMMARY: The Federal Energy Regulatory Commission (Commission) proposes to direct the North American Electric Reliability Corporation, the Commission-certified Electric Reliability Organization, to develop and submit for Commission approval new or modified Reliability Standards that address the: sufficiency of responsible entities’ supply chain risk management plans related to the identification of, assessment of, and response to supply chain risks, and applicability of Reliability Standards’ supply chain protections to protected cyber assets.

Also, take time to ask your suppliers the "challenging questions" about the cybersecurity practices in use at their company, following this profound advice from Cassie Crossley at Schneider Electric (a 5-minute video clip), one of the leading vendors of ICS control products used by the electric industry for grid management.

This FERC announcement also aligns well with a 2024 NAESB Annual Plan item, 3(d):

d) Consider and develop business practice standards for cybersecurity disclosure best practice policies, such as software supply chain risks, to support industry implementation of any applicable regulations

Status: Not Started

I filed my comments with FERC suggesting that FERC direct NERC not to "reinvent the wheel" and instead adopt the current SCRM best practices, standards and guidelines provided by our nation's cybersecurity and SCRM experts at CISA and NIST, adopted broadly by US federal agencies and described in CISA's Secure by Design Secure Software Acquisition Guide.

Software and supply chain attack paths are being used by hackers to wreak havoc, as CISA Director Easterly points out in her recent keynote address.

Remember: risk always exists, but trust must be earned and awarded. Risk ALWAYS exists. Trustworthiness DOESN'T ALWAYS exist. We don't have to "take action" to protect ourselves and our companies from hackers, but we will need to be prepared to deal with the "consequences of inaction".
Always ask for the trust score (SAGScore) before buying and installing a software product. Never trust software, always verify and report! (TM)

I've been testing Microsoft Copilot AI for the past several weeks, and I decided to ask Microsoft Copilot about this FERC NOPR. The answer was accurate and concise; amazing. I would be comfortable giving this answer to my management.

Tell me about FERC's latest NOPR on Supply Chain Risk Management, located here https://www.ferc.gov/media/e-1-rm24-4-000

Sent by Copilot:

The Federal Energy Regulatory Commission (FERC) recently issued a Notice of Proposed Rulemaking (NOPR) aimed at enhancing supply chain risk management for the bulk-power system. Here are the key points:

Key Proposals in the NOPR

  1. New or Modified CIP Standards: FERC proposes requiring the North American Electric Reliability Corporation (NERC) to develop new or modified Critical Infrastructure Protection (CIP) standards. These standards will address the growing risks posed by malicious actors targeting the bulk-power system.

  2. Supply Chain Risk Identification: Entities will be required to identify their current supply chain risks related to grid cybersecurity systems at specified intervals.

  3. Vendor Validation: Entities must assess and validate the accuracy of information received from vendors during the procurement process.

  4. Risk Documentation and Response: Entities will need to document, track, and respond to identified supply chain risks.

  5. Extended Applicability: The proposal extends the applicability of supply chain standards to include protected cyber assets (PCAs).

  6. Internal Network Security Monitoring: FERC also proposes approving a CIP reliability standard that requires internal network security monitoring within an entity’s electronic security perimeter. This is to provide greater defense-in-depth for CIP-networked environments.

Goals of the NOPR

  • Enhance Reliability: By closing gaps in supply chain risk management, the proposal aims to improve the reliability of the bulk-power system.

  • Proactive Risk Management: Encourages entities to take proactive steps in identifying and mitigating supply chain risks.

  • Comprehensive Security: Extends protections to include internal network security monitoring and protected cyber assets.

This NOPR reflects FERC’s ongoing commitment to enhancing the security and reliability of the bulk-power system in the face of evolving cyber threats.

IMO, this NOPR emphasizes to registered entities that software vendor attestations will be required in order to comply with the new SCRM standards. Evidence will likely be needed during an audit showing what information software vendors provided to entities AND the risk assessment processes and conclusions reached by the registered entity, based on these vendor attestation materials and other findings. This approach is in line with other federal government approaches to assessing software supply chain risk. An example of vendor attestation expectations is provided in this article titled "Advice for Software Vendors to Prepare for OMB M-22-18 Requirements and the CISA Attestation Form".
