U.S. grid regulators are calling for additional cybersecurity safeguards for vital, often foreign-made equipment installed in the bulk power system, according to a report filed yesterday with the Federal Energy Regulatory Commission.
The North American Electric Reliability Corp.’s first pass at supply chain security requirements didn’t cover key parts of the power grid, including the "electronic access control or monitoring systems" — like firewalls and routers — that ring America’s electricity networks, FERC said last year while directing NERC to revisit the issue.
NERC, a private nonprofit, drafts and enforces physical and cyber security rules for U.S. utilities, while reporting to regulators at FERC.
NERC said in a final staff report yesterday that "over time," the power industry has developed "a more sophisticated understanding of the potential impacts" of supply chain risks. Regulators concluded it’s worth tweaking supply chain rules to include devices that control electronic and physical access to sensitive facilities.
"Even well-designed products may have malicious components introduced in the supply chain, and it may prove difficult to identify these components before they are deployed," NERC warned.
Examples of real-world attacks on supply chains are few. But even one successful hack of a supplier can have far-reaching consequences, as NERC noted in its analysis of electronic access controls.
"Half of the market share of substation networking equipment is held by only two vendors, one of which has a 55 percent world-wide enterprise network market share in the corporate environment of many industries, including the electric power industry," NERC pointed out, citing a recent study by the Electric Power Research Institute. A compromise of that unnamed company "could have widespread negative impacts on reliability," NERC added.
Hackers have hijacked channels for software updates in grid equipment in past cyberattacks, including the Havex malware that compromised three industrial control system vendors five years ago (Energywire, July 1, 2014). U.S. grid officials say that incident prompted FERC to review supply chain security practices, even though Havex primarily affected Europe.
FERC ordered NERC to take action in 2016, and by the following year, NERC had revised its critical infrastructure protection standards to account for threats lurking within the global supply chains of grid hardware and software.
NERC’s rules are also meant to protect against counterfeit products, a common supply chain hazard for U.S. utilities. Earlier this month, Japanese electrical engineering firm Yokogawa Electric Corp. warned that "unauthorized manufacturers" in China "have gone to great lengths to imitate Yokogawa products," including pressure transmitters for pipelines.
NERC standards require utilities to examine their supply chains for security gaps, covering cyber systems that could have "medium" or "high" impact to the bulk power grid. The rules also force utilities to keep the ability to cut off any vendor connections to operational networks, among other requirements set to take effect later this year.
The standards leave out "low-impact" systems, including many U.S. generators and smaller distribution utilities.
In its report yesterday, NERC called for further study to determine whether low-impact parts of the power grid should be held to the same supply chain security standards as transmission-level substations or control centers.
"Applying basic cyber hygiene practices could limit the reach and impact" of a cyberattack on suppliers to smaller facilities in the meantime, NERC noted.
Skeptics of the new supply chain rules have pointed out that basic cybersecurity practices may take care of bigger threats, as well.
The Electricity Consumers Resource Council (ELCON), which represents large, industrial users of electricity like petrochemical manufacturers, said the remedy for most cybersecurity risks "is robust cyber hygiene, not expensive system upgrades" whose costs are ultimately passed to consumers.
In a May 24 comment, ELCON warned FERC and NERC not to repeat past regulatory "mistakes" when it comes to supply chain security, "where rigid mandatory reliability standards that encroach on commercial space could undermine best practices."