Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.
FERC Outlines Supply Chain Security Rules for Power Plants
The US Federal Energy Regulatory Commission spells out what electric utilities should do to protect their software supply chains, as well as their network "trust zones."
Attacks targeting SolarWinds and MOVEit in recent years have spotlighted supply chain risks in cybersecurity. In the wake of recent high-profile incidents at utilities, including one last week in Kansas, the US Federal Energy Regulatory Commission (FERC) called for updating standards for supply chain safety to improve the resilience of the US bulk power system.
At its September meeting, FERC asked the energy industry consortium North American Electric Reliability Corporation (NERC) to create a better supply chain security standard for power plants. Such utilities would have to:
Identify supply chain risks to electrical grid-related cybersecurity systems at regular intervals.
Assess and validate the information vendors submit during procurement.
Document, track, and respond to those risks.
The commission also directed NERC to add protected cyber assets (PCAs) to the systems subject to this supply chain scrutiny.
Internal Network Security Monitoring on the Docket
At that same meeting, FERC also addressed a new reliability standard for critical infrastructure protection that mandates monitoring of network traffic inside an electronic security perimeter.
Internal network security monitoring (INSM) monitors communication between devices inside the "trust zone" of a network, providing a backstop for detecting malicious activity that slipped through the security perimeter. In addition to allowing an early warning about intrusions, this east-west visibility provides a more complete picture of the scope of an attack.
At the meeting, FERC "proposed to approve" Reliability Standard CIP-015-1 but asked NERC to extend INSM to systems outside of the electronic security perimeter, such as physical and electronic access control systems.
About the Author
You May Also Like
DevSecOps/AWS
Oct 17, 2024Social Engineering: New Tricks, New Threats, New Defenses
Oct 23, 202410 Emerging Vulnerabilities Every Enterprise Should Know
Oct 30, 2024Simplify Data Security with Automation
Oct 31, 2024