Skip to main content
close search
site logo
Dive Brief

NERC proposal targets cybersecurity risks in electric system supply chains

Published Sept. 28, 2017
Robert Walton's headshot
Senior Reporter

Dive Brief:

  • The North American Electric Reliability Corporation has proposed new reliability standards aimed at shoring up the vendor supply chain that delivers software and critical updates to manage the country's bulk electric supply (BES) system.
  • Specifically, the new standards require entities to develop and implement plans to address supply chain cybersecurity risks during the planning and procurement of bulk electric grid security systems.
  • The standards, filed with the Federal Energy Regulatory Commission, will address concerns that supply chains for information and communications technology and industrial control systems present risks to grid security, providing opportunities for cyberattacks.

Dive Insight:

NERC on Tuesday filed with federal regulators a petition stretching almost 3,500 pages, proposing new cybersecurity standards that aim to address the increasingly-sophisticated attacks on the nation's bulk power system.

The new standards were proposed in response to FERC Order 829, issued last summer, directing NERC to up its security protocols. In that order, FERC concluded that supply chains for information and communications technology and industrial control systems present risks to BES security, providing various opportunities for adversaries to initiate cyberattacks.

"The targeting of vendors and software applications with potentially broad access to BES Cyber Systems marks a turning point in that it is no longer sufficient to focus protection strategies exclusively on post-acquisition activities at individual entities," FERC found in Order 829.

The new standards aim to: reduce the likelihood that an attacker could exploit legitimate vendor patch management processes to deliver compromised software updates; address the risk that entities could unintentionally plan to procure and install unsecure equipment or software within their information systems; and address the risk that a compromised vendor would not provide adequate notice of security events and vulnerabilities.

Additionally, the standards will deal with vendor remote access-related threats, "including the threat that vendor credentials could be stolen and used to access a BES Cyber System," as well as the threat that a compromise at a trusted vendor could traverse over an unmonitored connection.

Cybersecurity is an increasing focus of the electric utility industry.

Over the summer, United States officials said they were investigating multiple cyberattacks that unsuccessfully targeted nuclear generation sites earlier this year. The event was code named "Nuclear 17." In May, cybersecurity firm Dragos issued a report concluding malware that was used in a 2015 cyberattack resulting in power outages in Ukraine could be modified by developers to target the United States.

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
Utility Broadband Alliance 2024 Summit & Plugfest Shatters Attendance Milestone
From Utility Broadband Alliance
November 21, 2024
General Atlantic’s BeyondNetZero Fund and TA Partner to Drive Continued Growth of Technosylva
From Technosylva
November 21, 2024
Technosylva and KatRisk Join Forces to Expand Wildfire Management and Catastrophe Risk Modelin…
From Technosylva
November 18, 2024
Edo and EPRI Earn Award from the California Energy Commission (CEC) to Advance VPPs
From Edo
October 31, 2024
Editors' picks
Latest in Transmission & Distribution
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell