
2016-03 Cyber Security Supply Chain Management | SAR October 2016


Start Date: 10/20/2016
End Date: 11/18/2016


Hot Answers

PJM agrees with the language within the Project 2016-03 Cyber Security Supply Chain Management SAR and asks the SDT to consider the following comments when developing the standard.  As stated within paragraph 42 of the order, PJM agrees with the APPA that the standard should be risk based as opposed to impact based.  PJM also asks the SDT to consider addressing the additional threats outlined within the order in paragraphs 25 (e.g. counterfeits, tampering, etc.) and 50 (e.g. hardware integrity) either within addressing the four objectives outlined in the order or by adding an additional objective.

Preston Walker, On Behalf of: PJM Interconnection, L.L.C., SERC, RF, Segments 2

- 0 - 0

The project “2016-03 Cyber Security Supply Chain Management” – The four objectives listed under this new CIP standard can be better served by providing some updates in the current CIP Standards. Specifically, Objective 2 below is already included in the current standard for CIP-005-5 R2 Interactive Remote Access Management for High Impact BES Cyber Systems and Medium Impact BES Cyber Systems with External Routable Connectivity. This objective can be better served by providing updates to the CIP-005-5 Requirement R2.


Objective 3 is already provided at LADWP by its best practices processes of requiring any IT related purchases to go through a review and approval process by our Information Technology Systems Division. This objective can be better served through an update to the current CIP-003-6 Standard.


In summary, the Objectives of the Cyber Security Supply Chain Management can be efficiently and effectively implemented through updates on the current Version 5 and Version 6 CIP Standards.


Cyber Security Supply Chain Management Objectives:

  1. Software integrity and authenticity;

  2. Vendor remote access;

  3. Information system planning; and

  4. Vendor risk management and procurement controls.

faranak sarbaz, On Behalf of: Los Angeles Department of Water and Power, , Segments 1, 3, 5, 6

- 0 - 0

Other Answers

Sophia Combs, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Rachel Coyne, On Behalf of: Texas Reliability Entity, Inc., , Segments 10

- 0 - 0

Answer above should be No.  System is not allowing me to change it.  Con Edison Company of New York supports NPCC RSC's comments on this SAR.

Con Edison, Segment(s) 1, 3, 5, 6, 6/24/2016

- 0 - 0

Duke Energy agrees with the scope of the project, in that the scope of the project appears to stem directly from FERC Order 829.

We agree with the SAR wherein the designation is made that there is a possibility that revisions to CIP standards may be a solution, and not just the creation of a new standard.

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Seminole supports the work of this team and the proposed SAR.  Seminole further suggests that the SAR specifically address BES Cyber Security Information stored at vendor locations.  As cloud information storage is the predominant trend, clarity of requirements for vendors related to both storage of information provided to vendors and vendor responsibilities for information stored in the cloud should be addressed at least in the Guidelines and Technical Basis.

Maryclaire Yatsko, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

Southern Company, Segment(s) 1, 3, 5, 6, 8/3/2016

- 0 - 0

John Williams, On Behalf of: John Williams, , Segments 1, 3, 5

- 0 - 0

Objective 1 – “Integrity of software and patches” – Comment for Internal LCRA – There are a lot of whitepapers on Software Integrity Levels (SIL). We might need to come up with Software Integrity Levels for each control system and develop contractual language with the respective vendor to accept that Level and the associated responsibilities/SLAs. We will need to work with Purchasing to develop the new language.

Objective 3 – Comment for SAR – on Information system planning – What is Information system planning? It is not well understood. The SAR information does not adequately describe that beyond entities needing to document the risks we take into consideration. We would like to see additional description on Information System Planning.

LCRA Compliance, Segment(s) 1, 5, 6, 5/6/2015

- 0 - 0

Stephanie Little, On Behalf of: Stephanie Little - - Segments 1, 3, 5, 6

- 0 - 0

Yes, we agree with the scope.  However, we would like consideration given to the following:

Idaho Power believes that tightening purchasing controls too tightly could also pose a risk because there are limited vendors that service its needs. The vendors that derive a large portion of their business from the electric industry would likely be willing to adapt to such new requirements. Providers that have a larger customer base may not be as willing to adjust their practices to meet any new requirements. Due to this concern, Idaho Power believes that the supply chain standard should be laid out in terms of requirements built around controls that are developed by the regulated entity rather than prescriptive requirements like many other CIP standards.  Such flexibility would provide a foundation for the standard to evolve.

Idaho Power believes that such a significant undertaking will take years to develop and implement. Idaho Power believes that such a proposal will need to clearly define the requirements of what materials should be impacted. It would also need to set forth the types of documentation that could be used to verify that requirements are met. Idaho Power and other entities would then need time to add language to their contracts to ensure compliance by their suppliers and any sub-suppliers. Idaho Power believes that such a process would require significant time, money, and resources and would result in higher costs for materials, which would impact Idaho Power's customers. Idaho Power believes it would be valuable for NERC to look into whether other regulatory agencies or industries have addressed such a requirement as a starting point for such reliability standards.

Johnny Anderson, On Behalf of: Johnny Anderson, , Segments 1

- 0 - 0

AEP has two comments to offer. First, AEP suggests a broader approach to the drafting team’s efforts to achieve the directive set forth by FERC. The specificity of the SAR leaves little room for debate and interpretation, as evidenced by the first draft of the standard. Specifically, AEP encourages the drafting team to allow for flexibility based on size of entity and size of vendor as well as the impact category and other attributes of the affected BES Cyber System(s). The SAR could include a statement that there are specific security vulnerabilities or controls to be addressed in a procurement or supply chain process. This may better focus the drafting team on implementing the most effective standard possible.

Second, AEP recognizes the need to move quickly, but holding a technical conference on the first draft of the standard seems premature when the SAR is not yet agreed upon.

Thomas Foltz, On Behalf of: AEP, , Segments 3, 5

- 0 - 0

Leonard Kula, On Behalf of: Independent Electricity System Operator, , Segments 2

- 0 - 0

Title of Proposed Standard(s):  Cyber Security – Supply Chain Risk Management

Oncor recommends changing the title to more closely reflect the FERC directive.  The intent is to manage risk associated with the supply chain.  Calling out controls in the title could be interpreted as adding specific controls to the process and not fully evaluating the risks associated with the supply chain process.  This is also called out in paragraph 1 of the order: “… develop a new or modified Reliability Standard that addresses supply chain risk management for industrial control system hardware…”.

In addressing Objective 3 (Information system planning), the SDT shall develop requirement(s) that address the applicable entities' CIP Senior Manager (or delegate) identification and documentation of security risks for consideration by the applicable entity in proposed information system planning. (Order No. 829 at P 56)

Oncor recommends adding the word “security” to this statement.  If taken out of context, the standard could be seen as opening it up to all risks associated with information system planning.  This interpretation could be expanded greatly beyond the original intent of improving reliability through a secure Information Technology system.  Examples of risks that should be considered ‘out of scope’ would include product delivery timing and special packaging requirements.  While paragraph 56 doesn’t specifically call out security, the intent of Order 829 clearly focuses on ensuring the security of key BES cyber systems and components.

In addressing Objective 4 (Vendor risk management and procurement controls), the SDT shall develop requirement(s) for applicable entities to address the provision and verification of the following security concepts, at a minimum, in future contracts for industrial control system hardware, software, and computing and networking services associated with BES operations. (Order No. 829 at P 59)

Oncor recommends removing the phrase “at a minimum” from this section.  The phrase could encourage an audit team to expect or request more evidence than intended by this objective.  This phrase is not mentioned in paragraph 59: “verification of relevant security concepts in future contracts for industrial control system hardware,”.

Linsey Ray , On Behalf of: Oncor Electric Delivery - Texas RE - Segments NA - Not Applicable

- 0 - 0

Allie Gavin, On Behalf of: International Transmission Company Holdings Corporation - MRO, SPP RE, RF - Segments 1

- 0 - 0

Occidental Chemical Corporation agrees with the proposed scope of Project 2016-03 as described in the SAR but offers the following suggestions:

  • Purpose section of SAR states that the project will cover “security controls for supply chain management” but should probably be revised to state that it will cover “security controls for supply chain risk management” to be consistent with FERC Order 829 and the Industry Need section of the SAR.

  • Purpose section of SAR states that the new or modified Reliability Standard(s) will require entities to “develop and implement a plan” – the SAR shouldn’t assume that the agreed upon approach will be a “plan” and should be revised to read “develop and implement measures”.  This will allow the SDT the most flexibility if it is later determined that a “plan” is not the best approach and will still allow for a “plan” if the entity determines that to be the best approach.

Oxy, Segment(s) 7, 5, 9/6/2016

- 0 - 0

Thank you for this opportunity to provide comments on the Standards Authorization Request (SAR) written in response to Order No. 829 that will direct the development of a new or modified Reliability Standard for supply chain risk management to industrial control system hardware, software, and computing and networking services associated with Bulk Electric System (BES) operations. While FERC clearly wants to advance the state of supply chain security, we believe the inclusion of Low Impact Cyber Assets will delay the SDT’s ability to make the one year filing deadline.  We believe the SAR should narrow its focus to the ‘highest watermark’ first, to limit confusion, especially as entities prepare for implementing activities that address the Low Impact aspects of their programs.  Other SDTs continue to enhance related NERC CIP standards based on changes to the definitions for Low Impact External Routable Connectivity and Transient Cyber Assets.

All security advances and efficiencies designed for large-sized utilities, including their choice of software and hardware vendors, will eventually pass down to the Medium Impact Facilities, and ultimately to the Low Impact Facilities, through better IT security testing and best practices.  This natural progression takes time and maturity to nurture, something we feel should be allowed for and reflected within the SAR.

ACES Standards Collaborators - CIP, Segment(s) 1, 3, 5, 6, 4, 11/18/2016

- 0 - 0

We have suggestions on

1) Purpose,

2) Industry Need,

3) Brief Description, and

4) Detailed Description

to better define this project’s scope.

For Purpose, we have three recommendations:

A) change “supply chain management” to “supply chain risk management”;

B) change “and implement a plan that includes security controls for supply chain management for” to “and implement measures for supply chain risk management for”;

C) copy the final industry need sentence to the Purpose – “The new or modified Reliability Standard(s) is intended to reduce the risk of a cyber security incident affecting the reliable operation of the Bulk-Electric System.”


Supply chain management is the flow of goods, services and resources that involve the movement, storage and maintenance of material for work in progress. Supply chain risk management is a subset of supply chain management. For this SAR, supply chain risk management should focus on the risks associated with sourcing and servicing BES Cyber System Components from external entities.


For Industry Need, we have one recommendation – change “On July 21, 2016, FERC issued Order No. 829 directing NERC to develop a forward-looking, objective-driven new or modified Reliability Standard(s) that addresses” to “On July 21, 2016, FERC issued Order No. 829 directing NERC to develop a forward-looking, objective-driven, risk-based new or modified Reliability Standard(s) that addresses”.


For Brief Description, we have one recommendation – update the Brief Description to be consistent with our proposed changes to the Purpose and Industry Need.

For Detailed Description, we have one recommendation – change “The plan may apply different controls based on the criticality of different assets (Order No. 829 at P44)” to “The plan may apply different measures based on the criticality of different assets (Order No. 829 at P44)”.

RSC, Segment(s) 1, 0, 2, 4, 5, 6, 7, 3, 11/18/2016

- 0 - 0

Michelle Coon, On Behalf of: Open Access Technology International, Inc., NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

The technical guidelines may imply stricter requirements versus providing guidance.

This has the potential to expand the scope for Low Impact BCS which impacts compliance resources. NRG strongly recommends to the SDT that they consider impact rating criteria first, and then factor in a risk based approach.  NRG recommends that the SAR states correctly that the draft is a Supply Chain Risk Management Standard.

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

Due to the possible complexity of creating a workable new standard, Reclamation recommends that a pilot program be developed to invite any entity to volunteer to test and implement a draft of the standard prior to it being finalized. During the pilot program, vendors are also invited to participate in order to work out any verification processes of the standard. Once the standard is finalized, the enforcement of the standard should apply to facilities that are rated as high impact facilities on the first year, facilities that are rated as medium impact on the second year, and facilities that are rated as low impact on the third year.

Wendy Center, On Behalf of: U.S. Bureau of Reclamation, WECC, Segments 5

- 0 - 0

IRC-SRC, Segment(s) 2, 11/18/2016

- 0 - 0

Objective 3 – Regarding Information System Planning – What is Information System Planning? It is not well understood. The SAR information does not adequately describe that beyond entities needing to document the risks we take into consideration. We would like to see additional description on Information System Planning.

LCRA Compliance, Segment(s) 6, 5, 1, 5/11/2015

- 0 - 0

Hot Answers

Preston Walker, On Behalf of: PJM Interconnection, L.L.C., SERC, RF, Segments 2

- 0 - 0

faranak sarbaz, On Behalf of: Los Angeles Department of Water and Power, , Segments 1, 3, 5, 6

- 0 - 0

Other Answers

Sophia Combs, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

This SAR, if approved, allows the Standards Drafting Team (SDT) to develop new or modified Critical Infrastructure Protection (CIP) Standard(s) for supply chain management to address the Federal Energy Regulatory Commission (FERC) directives contained in Order No. 829. Texas RE supports developing new CIP Standard(s) to address supply chain management, which should be applicable to high, medium, and low impact BES Cyber Systems. Modifying existing CIP Standard(s) has caused confusion in the industry in regard to implementation dates. For example, CIP-003-6 added low impact Requirements with multiple implementation dates.

Rachel Coyne, On Behalf of: Texas Reliability Entity, Inc., , Segments 10

- 0 - 0

Con Edison, Segment(s) 1, 3, 5, 6, 6/24/2016

- 0 - 0

We would like to point out the potential need for future modifications on other CIP standards as a result of this project. Specifically, there may be some language conflicts that arise, or duplicative controls put in place. Also, some ability will need to be afforded to entities allowing for the capability of verifying with a vendor, the integrity and authenticity of its software.

Next, we feel like the language in the SAR should be revised to reflect a concentration on security controls for supply chain risk management, rather than just security controls for supply chain management. We feel the added emphasis on risk is appropriate in this context.

Lastly, we want to point out to the drafting team the importance of keeping separate the topics of operations versus supply chain. We can see where instances may occur wherein the language of a standard can be intended to focus on supply chain aspects, but to the reader, may bleed over into the operations space.

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Maryclaire Yatsko, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

Southern Company, Segment(s) 1, 3, 5, 6, 8/3/2016

- 0 - 0

John Williams, On Behalf of: John Williams, , Segments 1, 3, 5

- 0 - 0

None

LCRA Compliance, Segment(s) 1, 5, 6, 5/6/2015

- 0 - 0

Stephanie Little, On Behalf of: Stephanie Little - - Segments 1, 3, 5, 6

- 0 - 0

Johnny Anderson, On Behalf of: Johnny Anderson, , Segments 1

- 0 - 0

AEP suggests that any supply chain cyber security requirements applicable to low impact BES Cyber Systems be written in a revised CIP-003, Requirement R2, Attachment 1.

Thomas Foltz, On Behalf of: AEP, , Segments 3, 5

- 0 - 0

The IESO suggests the Standard Drafting Team (SDT) consider the following comments when developing the standard.  As stated within paragraph 42 of the order, the IESO agrees that the standard should be risk based as opposed to impact based.  The IESO also suggests the SDT consider addressing the additional threats outlined within the order in paragraphs 25 (e.g. counterfeits, tampering, etc.) and 50 (e.g. hardware integrity) either within the four objectives outlined in the order or by adding an additional objective.

Leonard Kula, On Behalf of: Independent Electricity System Operator, , Segments 2

- 0 - 0

Linsey Ray , On Behalf of: Oncor Electric Delivery - Texas RE - Segments NA - Not Applicable

- 0 - 0

ITC Holdings finds this new standard to be overly burdensome for smaller utilities that do not have the infrastructure or staffing to perform the activities.

Allie Gavin, On Behalf of: International Transmission Company Holdings Corporation - MRO, SPP RE, RF - Segments 1

- 0 - 0

Oxy, Segment(s) 7, 5, 9/6/2016

- 0 - 0

If the SDT proposes to modify Low Impact requirements, we recommend maintaining them in Attachment 1 of NERC Standard CIP-003-6. Additions to Section 3: Access Controls could be made for future patch management requirements. We believe Section 4: Cyber Security Incident Response could be modified to include vendor remote termination access within a specified timeframe. The new definition of Transient Cyber Device could also be used as the location for baseline configuration management.

We believe all Low Impact processes should be non-prescriptive and provide flexibility for registered entities to decide how to best defend against cyber security threats based on their risk analysis.  There may be significant advantages and protection for industry to adopt new supply chain requirements for those entities that have multiple vendors and large support staff.  We believe that BES risks and economies of scale for G&T cooperatives are minimal, based on their size and geographical location within the BES.

Thank you for your time and attention regarding this SAR.

ACES Standards Collaborators - CIP, Segment(s) 1, 3, 5, 6, 4, 11/18/2016

- 0 - 0

We also recommend that the SDT seriously consider updating existing CIP Standards in order to avoid creating double jeopardy for:

A) remote access (CIP-005 R2);

B) patch management (CIP-007 R2);

C) authentication (CIP-007 R5);

D) vendor termination of employees (CIP-004 R5).

We recommend that new Requirements do not jeopardize existing Requirements and their implementation timelines, and that new Requirements do not create additional paperwork with little value to the Reliable Operation of the Bulk Electric System.

RSC, Segment(s) 1, 0, 2, 4, 5, 6, 7, 3, 11/18/2016

- 0 - 0

Open Access Technology International, Inc. (OATI) appreciates this opportunity to submit comments pertaining to the Cyber Security Supply Chain Management Standards Authorization Request (SAR). Tackling such a large and important issue is no easy feat. Yet, the standard drafting team has already demonstrated their commitment to this difficult and important task by creating a new draft standard for the most recent technical conference. Continued dedication to this effort will help ensure the new reliability standard is consistent and equally applicable to necessary areas of the bulk electric system.

As a committed provider of software solutions and services to the electric utility sector, OATI plans to participate in the standard drafting process to the fullest extent possible. There are significant challenges ahead that can benefit from OATI’s perspective into all of the various aspects of the electric utility reliability. OATI has identified two significant challenges: consistency in application and manageability.

OATI observes a need to develop a consistent approach to applying this standard across the industry: large and small vendors, niche and cross-sector vendors. This will include taking into consideration the fact that some vendors, which also focus heavily in other industries, may be less willing to accommodate a utility’s need to meet this new NERC reliability standard. Smaller utilities, especially, could be presented with a “take it or leave it” proposition from vendors such as Microsoft, CISCO, or Dell. Additionally, there is a special issue presented by the widespread use of open source software in many software solutions today. A standard should not apply only to one subset of vendors/software. Rather, to avoid a discriminatory impact, the standard should be equally applicable to all in-scope vendors/software solutions. While this issue of consistency presents many challenges, OATI stands eager to share ideas for reaching a reasonable resolution.

Another related challenge is one of manageability. To facilitate a manageable approach, OATI observes a need for NERC to establish a common baseline standard applicable to all in scope vendors/software. This should help avoid issues on both sides of the supply chain. Absent a baseline, utilities may each develop a variety of inconsistent approaches to meeting the objectives of the standard. Such inconsistency is likely to create major problems for vendors as they verify compliance with the standard. The downstream impact of such inconsistent approaches is an increased burden on vendors who may each develop a unique way to meet the objectives passed onto them. Fortunately, much work has already been completed by the Department of Energy and the National Institute of Standards and Technology in this area of supply chain security that will be helpful in defining the baseline for this industry. These existing approaches should be considered and leveraged in the development of this new CIP supply chain management standard.

OATI looks forward to working closely with NERC, industry members, and other vendors in shaping this new reliability standard. A special thanks to NERC for its inclusion of the vendors in this important and necessary effort. Together we can successfully develop a consistent and manageable standard to mitigate this cybersecurity vulnerability in the bulk electric system.

Michelle Coon, On Behalf of: Open Access Technology International, Inc., NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

N/A

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

Reclamation recommends that the CIP language be written to account for existing Government procurement constraints; or exempt the government entities that are legally bound by federal procurement regulations.

Wendy Center, On Behalf of: U.S. Bureau of Reclamation, WECC, Segments 5

- 0 - 0

The IRC members ask the Standard Drafting Team (SDT) to consider the following comments when developing the standard.  As stated within paragraph 42 of the order, the IRC members agree with the APPA that the standard should be risk based as opposed to impact based.  The IRC members also ask the SDT to consider addressing the additional threats outlined within the order in paragraphs 25 (e.g. counterfeits, tampering, etc.) and 50 (e.g. hardware integrity) either within the four objectives outlined in the order or by adding an additional objective.

IRC-SRC, Segment(s) 2, 11/18/2016

- 0 - 0

No additional comments

LCRA Compliance, Segment(s) 6, 5, 1, 5/11/2015

- 0 - 0