Friday, July 22, 2016

FERC Orders a Supply Chain Security Standard


Yesterday, FERC released Order 829[i], a Final Rule ordering that NERC develop a CIP standard for supply chain security and deliver it to FERC within a year of the effective date of the Final Rule (roughly two months from now). To be honest, I was surprised they did this. I hadn’t attended the Technical Conference on supply chain in January, but I have been reading the transcript lately. Since the comments from NERC entities were so overwhelmingly against a mandatory standard, and since the Commissioners who spoke didn’t seem that committed to such a standard either, I thought FERC might just order that NERC draw up voluntary guidelines or something like that.

Instead, FERC’s document was quite clear: Given the serious nature of the supply chain threats, voluntary guidelines aren’t enough. And the threats are so imminent that NERC only has a year to develop the standard and submit it to FERC. Folks, this is lightning speed, considering that:

  1. NERC has to constitute a Standards Drafting Team to address FERC’s request. Say that takes two months.
  2. The team has to hold at least a few face-to-face monthly meetings, plus probably multiple conference calls each of the other weeks.
  3. The first draft will need to be put out for comment and ballot probably no more than four months after the team first meets. In other words, the SDT has to decide on the form and content of the standard by that point, which is six months from now, assuming the team is constituted and meets within two months.
  4. The first draft will almost certainly be voted down; the SDT will have to meet two or three times and put out a second draft.
  5. If this is voted down again, they’ll have to repeat the process.
  6. At this point, there will probably be no time for further revisions; NERC will have to approve the standard and send it to FERC.

When I started this post yesterday, I was going to say something like “Yeah, the timeline is tough. But NERC will be able to do it. They developed CIP-014 in 90 days!” But on further thought, I think this deadline is a big mistake, and I hope NERC will petition FERC to reconsider it. We are talking about a huge (or “yuge”) undertaking here – a standard that is not only brand new, but may well have no precedent anywhere in the world. And yet FERC is essentially telling NERC to gather input and develop the standard entirely from scratch in six months!

Of course, the problem with this isn’t that NERC won’t deliver the standard to FERC by the one-year deadline. Rather, the problem is that they may deliver something that isn’t very good. And then FERC faces a tough choice:

  1. They can hold their nose and approve the standard outright.
  2. They can approve the standard but order changes to make it better (which has happened with every NERC CIP version except v3 and v4). In this case, the standards development process starts all over again, and it will probably be another year or more before FERC has the revised standard on their desk.
  3. They can remand the standard. This will also send NERC back to the standards drawing board. It will also mean that there will be no supply chain standard in effect while the new version is being drafted.

Commissioner LaFleur issued a strong dissent to FERC’s decision (her comments were included in the PDF of the Order itself, as well as a separate PDF now on the main page of FERC’s web site). Her main points were:

  1. In July 2015, FERC included a Notice of Proposed Rulemaking (“NOPR”) for a supply chain standard within its larger NOPR proposing to approve CIP v6. Commissioner LaFleur points out that this was very perfunctory, and that it would have been more appropriate to devote a separate NOPR just to this issue.[ii] Her main concern is that the NOPR didn’t make any suggestions about what the ultimate standard would look like, so the comments that were received (and also the presentations in the Technical Conference, in my opinion) were much more on the question of whether or not there should be a standard at all, not on what it should contain.
  2. Given that there has been no discussion about the form of the standard, she found it surprising that FERC was proceeding to issue a Final Rule that requires the new standard to address four specific objectives: software integrity and authenticity, vendor remote access, information system planning, and vendor risk management and procurement controls. The Commissioner points out that there was no mention of these objectives in the NOPR.[iii] Therefore, “no party has yet had an opportunity to comment on those objectives or consider how they could be translated into an effective and enforceable standard.”
  3. Commissioner LaFleur continues “NERC, industry, and other stakeholders will have no meaningful opportunity before initiating their work to provide feedback on the contents of the rule, to seek clarification from the Commission, or to propose revisions to the rule.” In other words, she is saying there is a big outreach step that is necessary before standards can be drafted; this would normally occur as part of the NOPR comment period, but FERC precluded that by publishing a NOPR that lacked any suggestion of what the new standard might look like. And FERC’s one-year deadline doesn’t allow NERC to do this outreach on their own.
  4. The Final Rule frequently mentions flexibility; the writers were obviously proud that they had not prescribed any particular content for the new standard, other than that it has to at least address the four objectives FERC listed. However, Commissioner LaFleur isn’t impressed with this. She says “I believe that the Commission is essentially giving the standards development team a homework assignment without adequately explaining what it expects them to hand in.”
  5. She continues “...given the inadequate process to date, I fear that the flexibility is in fact a lack of guidance and will therefore be a double-edged sword. The Commission is issuing a general directive in the Final Rule, in the hope that the standards team will do what the Commission clearly could not do: translate general supply chain concerns into a clear, auditable, and enforceable standard…” She goes on to say “While the Commission need not be prescriptive in its standards directives, the Commission’s order assumes that the standards development team will be able to take the ‘objectives’ of the Final Rule and translate them into a standard that the Commission will ultimately find acceptable.”
  6. This all might not be terrible if, in the event FERC found NERC’s initial take on the standard unacceptable, it had the option of simply revising it. However, as the Commissioner points out, the only option open to FERC under Section 215 of the Federal Power Act (the section added by the Energy Policy Act of 2005, which is the statute that governs FERC’s relationship with the ERO) is to order NERC to restart the standards development process and address whatever concerns FERC expresses. As I mentioned above, this will most likely add six months to a year to the process of developing the new standard.

In her conclusion, Commissioner LaFleur says “Ultimately, an effective, auditable, and enforceable standard on supply chain management will require thoughtful consideration of the complex challenges of addressing cybersecurity threats posed through the supply chain within the structure of the FERC/NERC reliability process.” She wanted the Commission to delay the Final Rule and perhaps issue a Supplemental NOPR; however, it is clearly too late for this. I think it is up to NERC to push back and now request 18 months to two years[iv] to develop the standard, with the first 3-6 months being devoted to gathering feedback from the NERC membership on how this standard might be structured.

I was going to discuss the content of FERC’s Order, but I will leave that for a subsequent post. It’s been a long day.



The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.


[i] I didn't have the link when I put this post up originally. It is now there.

[ii] In my post on the NOPR, I noted “I believe a separate NOPR would have been better, given that this issue is so divorced from the others discussed in this document.”

[iii] In fact, she states that FERC should have issued a Notice of Inquiry before the NOPR, so they could gather comments on what a supply chain standard might look like.

[iv] Commissioner LaFleur noted that NERC, in their comments on the NOPR, requested two years for the standards development process, if FERC decided a mandatory standard was necessary.

2 comments:

  1. Great post, I can see why a short turnaround for supply chains would be a problem. What's the solution though? Just extend the time to draft these standards by a couple of years and accept the fact that supply chains will be unregulated in the interim? Make sure FERC's NOPRs are clear? Modify the standard drafting process itself along the lines of older congressional proposals that give FERC the power to impose interim standards while NERC develops permanent ones? Move away from the supermajority quorum?

    Slow regulatory turnaround is a problem for cybersecurity, as it's such a quickly moving issue area. Other pressing issues are bound to come up in the future necessitating the rapid development of standards. I'd be curious to get your take on how to speed up the process of developing regulations.
