FERC Plans Changes to Critical Infrastructure Protection Standards

The Federal Energy Regulatory Commission is planning to update critical infrastructure protection standards amid increasing attacks on the software supply chains of electric utilities and other energy-sector entities. At a technical conference on Wednesday, FERC Chair Richard Glick solicited comments from the industry on the potential CIP standard changes.

Currently, regulated entities can formulate their own cybersecurity plans using a risk-based approach. During the conference, entities recommended setting common standards that the sector should meet in developing their cyber plans, Nextgov reported.

According to a World Economic Forum report, more than 50 percent of the attacks on the energy and utility industry worldwide targeted the software of vendor partners, including the SolarWinds hack and the Colonial Pipeline ransomware attack. WEF said the supporting technologies from third parties help build a reliable and flexible energy infrastructure but they increase the sector’s attack surface.

Jeanette McMillian, assistant director of supply chain and the cyber directorate at the National Counterintelligence and Security Center, attended the conference, where she highlighted how nation-state actors and common cyber criminals exploit software vulnerabilities. 

McMillian shared that under a May 2021 executive order on improving the nation’s cybersecurity, the Federal Acquisition Regulatory Council is adding new FAR clauses that would guide federal agency officials when procuring software.