May 26, 2020

Significant Cyber Supply Chain Management Changes on the Horizon for Electric Utilities

On October 18, 2018, the Federal Energy Regulatory Commission (“FERC”) approved three Critical Infrastructure Protection (CIP) Reliability Standards, including a long-awaited supply chain risk management standard for the electric sector. Among other things, the new standard will require electric utilities to develop, document, and implement a supply chain cybersecurity risk management plan for any cyber systems classified as “medium” or “high” impact under the North American Electric Reliability Corporation (“NERC”) criteria. The new standards are aimed at ensuring software integrity and authenticity, strengthening vendor remote access protections, and addressing vendor risk management procedures and controls. Responsible entities will have until June 2020 to comply, in large part because compliance is projected to require significant technical upgrades that could affect long-term capital budgets and planning cycles.

Currently, 1,250 U.S. entities (“responsible entities”) are subject to mandatory compliance with NERC’s Reliability Standards.  While responsible entities are within NERC’s jurisdiction and must comply with NERC Reliability Standards, NERC cannot impose obligations on non-jurisdictional entities such as suppliers, vendors, or other companies that tangentially provide products or services to responsible entities in the energy space.  However, the new standards will indirectly impose obligations on those doing business with electric utilities, because they influence the procurement process by requiring responsible entities to identify and mitigate the risks that arise from their interfaces with outside vendors.

In addition to approving the three new Reliability Standards, FERC directed NERC to expand the scope of the standards to incorporate Electronic Access Control and Monitoring Systems (“EACMS”).  EACMS include firewalls, authentication servers, security event monitoring systems, and other intrusion detection or alert systems.  In its order, FERC explained that EACMS provide the first line of defense against cyber threats to several integral operational systems and therefore must be included in the new Reliability Standards.  In addition to adding EACMS, NERC has committed to further evaluating whether the standards should be expanded even further to include other cyber assets and systems, such as the motion sensors and badge readers that control access to a facility’s physical perimeter.  Given that the industry has asked NERC to take an active role in helping utilities tackle cybersecurity supply chain risk management challenges, NERC may, moving forward, consider establishing a third-party accreditation process to augment utility procurement processes and further bolster resiliency and national security.

© 2020 Van Ness Feldman LLP


About this Author

Gwen Fleming, Van Ness Feldman Law Firm, Washington DC, White Collar and Environmental Law Litigation Attorney

Gwen Keyes Fleming has more than twenty years of public sector experience, having served as both an elected and appointed official at the state and local levels, as well as in various branches of the federal government.  Most recently, she served as the Principal Legal Advisor (General Counsel) for Immigration & Customs Enforcement (ICE) in the U.S. Department of Homeland Security (DHS), and as Chief of Staff to the Environmental Protection Agency (EPA) during the Obama Administration.  In addition to her time at the DHS and EPA, Gwen served as the EPA Region 4 (...

Darshana Singh, Van Ness Feldman Law Firm, Washington DC, Cybersecurity and Energy Law Attorney

Darsh Singh assists clients and firm professionals in the energy regulatory arena.  Prior to joining Van Ness Feldman, Darsh served as a law clerk in the Office of Administrative Litigation at the Federal Energy Regulatory Commission (FERC) and interned at the Federal Trade Commission (FTC).  While at FERC, Darsh assisted Trial Staff in natural gas and oil pipeline rate proceedings and conducted research on market-based rates.  During her time at the FTC, Darsh focused on complex antitrust and consumer protection issues.

While at The George Washington University Law School, Darsh served as a Vice President of the Antitrust Club and participated in the school’s Moot Court teams.