LaFleur objects to FERC plans for new cyberthreat standard

Source: Hannah Northey, E&E reporter • Posted: Friday, July 22, 2016

The Federal Energy Regulatory Commission today voted to order up a new standard to tackle cyberthreats lurking in industrial parts and software used to support the U.S. electric grid, despite objections from Commissioner Cheryl LaFleur.

FERC Chairman Norman Bay and Commissioners Tony Clark and Colette Honorable approved an order that gives the federally appointed grid monitor, the North American Electric Reliability Corp. (NERC), one year to develop a new standard to better protect industrial control system hardware, software, and computing and networking services tied to the power grid.

Separately, FERC also voted to take comment on whether it should modify existing standards that govern protections within control centers used to monitor and control the bulk electric system in real time. The agency pointed to a high-profile attack on Ukraine’s electric grid last year as an example of such vulnerabilities.

But LaFleur cast the lone dissent, arguing that her colleagues were moving ahead too quickly without fully fleshing out the order.

“I believe that the commission is essentially giving the standards development team a homework assignment without adequately explaining what it expects them to hand in,” LaFleur wrote in a dissenting statement.

FERC has for months been taking comment on what sorts of threats may exist within the supply chain of vendors, subcontractors and sub-subcontractors whose hardware and software are essential components of the power grid. Many of the supply chain companies are based outside the United States (EnergyWire, Jan. 29).

Although some industry experts have called for voluntary guidelines as opposed to formal rules, FERC moved ahead today and called on NERC to develop a forward-looking critical infrastructure protection reliability standard that requires affected entities to develop plans for boosting oversight and security of industrial control system hardware, software and services.

The plans will need to address four areas: software integrity and authenticity, vendor remote access, information system planning, and vendor risk management and procurement controls.

Bay, Clark and Honorable applauded the rule for appropriately balancing the urgent need for additional grid protections with providing NERC flexibility. Clark said the closest parallel would be a standard the commission requested from NERC, also with a quick turnaround, to boost physical grid security. “We weren’t telling fence builders how to build their fences,” Clark said.

Honorable agreed, saying she sees the rule formation as an “organic process,” while acknowledging it’s a lengthy one.

But LaFleur said she could not support the commission’s decision to jump directly to a rulemaking given that the issue has proved “tremendously complicated” and fraught with jurisdictional, technical, economic and business relationship issues.

The commission, she said, should have given NERC, the industry and other stakeholders more time by issuing a supplemental notice of proposed rulemaking instead of skipping directly to an order.

When the commission issued a notice of proposed rulemaking last summer, the agency never took comment on a specific standard, she said. What was clear was that undertaking such a rule would be difficult given the wide range of views and disagreement over whether the threat exists and how to manage it. Moreover, LaFleur noted that four objectives contained in today’s final rule were not in the notice of proposed rulemaking and weren’t vetted.

“Given the importance of this issue, I believe that more considered action and a more developed Commission order, even if delayed by a few months, is better than a quick decision to ‘do something,’” she wrote.

Moving ahead too quickly, LaFleur said, increases the chances the standard will be delayed because FERC will need to remand the standard back to NERC to correct any flaws.

“Given the realities of the standards development and approval process, we are likely years away from a supply chain standard being implemented, even under the aggressive schedule contemplated in the order,” she wrote.