The Federal Energy Regulatory Commission Thursday approved a new cybersecurity standard extending supply chain risk management requirements to “low-impact” bulk electric system cyber systems.
A coordinated attack on multiple low-impact assets with remote electronic access connectivity could have an interconnection-wide effect on the bulk power system, according to a 2019 supply chain risk assessment by the North American Electric Reliability Corp., FERC said in its decision.
“The vast majority of [bulk electric system] assets today are considered low-impact and that number is only expected to grow,” FERC Acting Chairman Willie Phillips said in a statement. “To not protect these [bulk electric system] assets against one of the most frequent attack scenarios — supply chain — would be a big mistake.”
The standard requires owners, operators and users of the bulk power system to include the topic of “vendor electronic remote access security controls” in their cybersecurity policies. It also requires that they be able to disable vendor electronic remote access and to detect malicious communications through a vendor’s remote access.
As part of its cybersecurity standards, NERC requires “responsible entities” to characterize their assets, such as control centers, power plants and transmission facilities, as high-, medium- or low-impact.
The standard takes effect April 1, 2026.
The three-year delay in the start date reflects “consideration that there are a large number of low impact [bulk electric system] cyber systems and that responsible entities need time to procure and install equipment that may be subject to delays given high demand,” FERC said.
FERC and NERC have been tackling supply chain risks since 2016, Phillips said during the agency’s monthly meeting Thursday.
“This order is the latest product of our joint cybersecurity efforts with NERC and stakeholders in support of the reliable operation of the bulk power system,” he said. “We must continue to focus on cybersecurity, physical security, extreme weather events, and the rapidly changing resource mix.”