The Federal Energy Regulatory Commission (FERC) released a final rule last week approving three new Critical Infrastructure Protection (CIP) standards addressing supply chain risk management for bulk electric systems.

The new standards require responsible entities (distribution providers, generator owners and operators, transmission owners and operators) to develop and implement security controls for industrial control system hardware, software and services. These new standards respond to supply chain risks, including the insertion of counterfeit or malicious software, unauthorized production, tampering and theft.

According to the National Law Review, the new CIP standards will impose the following high-level requirements:

• Cyber Security – Supply Chain Risk Management: According to FERC, this standard “does not require any specific controls or mandate ‘one-size-fits-all’ requirements.” Instead, this standard requires the development of a documented supply chain cyber security risk management plan for higher-risk covered systems that addresses, as applicable, six “baseline” security concepts:

• Vendor security event notification;
• Coordinated incident response;
• Vendor personnel termination notification;
• Product/services vulnerability disclosures;
• Verification of software integrity and authenticity; and
• Coordination of vendor remote access controls.

• Cyber Security – Electronic Security Perimeter(s): This standard will include two new requirements for identifying active vendor remote access sessions and having method(s) for disabling active vendor remote access sessions.
• Cyber Security – Configuration Change Management and Vulnerability Assessments: Finally, this standard requires responsible entities to verify the “identity of the software source and the integrity of the software obtained from the software source” prior to any installing software that changes established baseline configurations, “when methods are available to do so.”  According to NERC, these requirements could help reduce the risk that an attacker could “exploit legitimate vendor patch management processes to deliver compromised software updates or patches to a [covered system].”

The final rule will take effect 60 days after it is published in the Federal Register, and the new standards must be implemented within 18 months.