FERC’s New Proposed Rule on Supply Chain Risk Management (SCRM)
The Federal Energy Regulatory Commission (FERC) has released a new Notice of Proposed Rulemaking (NOPR) under Docket No. RM24-4-000, focusing on supply chain risk management (SCRM) for the Bulk-Power System (BPS). This proposed directive aims to fill critical gaps in existing NERC Critical Infrastructure Protection (CIP) standards and bolster the defenses of our nation’s critical infrastructure.
Key Takeaways
1. Sufficiency of SCRM Plans
FERC’s new directive will require NERC to develop or modify standards that ensure responsible entities have sufficient supply chain risk management plans. These plans must effectively identify, assess, and respond to risks. Currently, there is a lack of clear and specific requirements that lead to gaps in how entities identify and assess risks from their suppliers.
FERC observed that several entities rely heavily on vendor questionnaires with limited validation, which leaves the BPS vulnerable to the introduction of compromised hardware, software, and services. The new standards will compel entities to validate vendor information through certifications or third-party assessments and establish clear protocols for periodic risk assessments and responses.
2. Extension of SCRM to Protected Cyber Assets (PCA)
One of the most significant changes proposed is the extension of supply chain protections to Protected Cyber Assets (PCAs). Currently, these assets, which reside within the Electronic Security Perimeter (ESP), receive minimal protections under existing CIP standards. FERC has identified PCAs as an attack vector that adversaries could exploit to compromise critical systems.
Recent cybersecurity incidents, such as the SolarWinds Orion breach, demonstrate how supply chain vulnerabilities in non-critical assets can pose significant threats to the overall security of BES Cyber Systems. With these new requirements, PCAs will be treated with the same level of scrutiny as high and medium impact BES Cyber Systems.
3. Clear Timelines and Triggers for Risk Assessment
The proposed rule emphasizes the need for entities to reassess risks periodically and provides a timeline to ensure vendor equipment is assessed before installation. FERC is advocating for specific intervals between procurement and installation to prevent obsolete risk assessments. Furthermore, the rule encourages responsible entities to track and document all supply chain risks, including risks identified in ongoing vendor relationships.
4. Holistic Approach to Supply Chain Risk
FERC’s focus is not only on compliance but on improving security across the entire supply chain. The directive will also require entities to enhance their vendor risk management and procurement controls to ensure that supply chain threats are adequately mitigated from contract inception through to the operational phase. Entities will be required to develop processes to handle vendor patching, remote access, and other potential attack vectors more effectively.
What Does This Mean for Industry Stakeholders?
For utility operators, the key takeaway is that the supply chain threat landscape is evolving rapidly, and current defenses are not sufficient. The new standards will impose stricter requirements around vendor assessments, supply chain transparency, and risk management. Operators will need to invest more resources in vendor validation, improve the accuracy of their risk assessments, and document how they mitigate any potential risks in their supply chains.
For vendors, the rule means greater scrutiny of their processes, especially regarding the security and integrity of the products and services they offer to the energy sector. Vendors should expect more stringent due diligence from utilities and may need to provide certifications or independent audits to satisfy the upcoming requirements.
Next Steps
Comments on the NOPR are due within 60 days after the Federal Register publication. As this rulemaking moves forward, it’s critical for all stakeholders—utilities, vendors, and security professionals—to engage with the process and ensure they are ready for the changes.
The implementation of these directives could take up to 12 months or more, but now is the time for entities to start assessing how they will adjust their supply chain security practices to meet these new requirements.
At Ampyx Cyber, we are monitoring this development closely and are here to help our clients navigate the changing regulatory landscape. Reach out to us to discuss how we can support your efforts in preparing for these enhanced SCRM standards and ensuring your organization remains secure and compliant.
