Commissioner Cheryl A. LaFleur Statement
January 18, 2018
Docket No. RM17-13-000
Item No. E-2
Supply Chain Risk Management Reliability Standards
“In today’s order, the Commission proposes to approve the supply chain risk management standards filed by the North American Electric Reliability Corporation (NERC), and direct certain modifications to those standards. I write separately to explain my vote in support of today’s order, given my dissent on the Commission order that directed the development of these standards.[1]
“As I stated in my dissent, I shared the Commission’s concern about supply chain threats and supported continued Commission attention to those threats. Indeed, I remain concerned that the supply chain is a significant cyber vulnerability for the bulk power system. However, I believed that the Commission was proceeding too quickly to require a supply chain standard, without having sufficiently worked with NERC, industry, and other stakeholders on how to design an effective, auditable, and enforceable standard. In my view, the directive that resulted was insufficiently developed and created a risk that needed protections against supply threats would be delayed, due in large part to the nature of the NERC standards process.
“Given the limited guidance and timeline provided by the Commission in Order No. 829, the proposed standards are, unsurprisingly, quite general, focusing primarily ‘on the processes Responsible Entities implement to consider and address cyber security risks from vendor products or services during BES Cyber System planning and procurement, not on the outcome of those processes….’[2] The proposed standards would provide significant flexibility to registered entities to determine how best to comply with their requirements. In my view, that flexibility presents both potential risks and benefits. It could allow effective, adaptable approaches to flourish, or allow compliance plans that meet the letter of the standards but do not effectively address supply chain threats. I hope that we will see more of the former, but I believe the Commission, NERC, and the Regional Entities should closely monitor implementation if the standards are ultimately approved.
“In voting for today’s order, I recognize that the choice before the Commission today is not the same as it was in July 2016. I acknowledge that a significant amount of time and effort has been committed to the development of these standards in response to a duly voted Commission order. Most importantly, I agree that they are an improvement over the status quo. I do not believe that remanding these standards or the larger supply chain issue to the NERC standards process would be a prudent step at this point. Rather, I believe the better course of action at this time is to move forward with these standards and, assuming the Commission ultimately proceeds to Final Rule, improve them over time as needed.
“In that regard, I believe the Commission is appropriately proposing to direct a modification to the proposed standards to address an identified reliability gap regarding Electronic Access Control and Monitoring Systems. I also support the proposal to require NERC to include Physical Access Controls and Protected Cyber Assets within its ongoing assessment of the supply chain risks posed by low-impact Bulk Electric System Cyber Systems, which will help the Commission and NERC determine whether further revisions to the standards are needed.
“More so than with most standards, I believe that whether these standards are effective will only reveal itself over time as we gain additional experience with them. I am therefore particularly interested in feedback from commenters on how the Commission, NERC, and industry should assess these standards, including any reporting obligations that might be appropriate.[3] In addition, given the very general process-oriented nature of the standard, I also support the proposal to shorten the implementation date for the new standards. If ultimately adopted, the revised deadline will allow industry, NERC, and the Commission to put the standards in place sooner while continuing to evaluate how best to protect the bulk power system against supply chain threats.
“For these reasons, I respectfully concur.”
- [1] Revised Critical Infrastructure Protection Reliability Standards, Order No. 829, 156 FERC ¶ 61,050 (2016) (LaFleur, Comm’r, dissenting).
- [2] NERC Petition at 27.
- [3] I note that NERC has also developed draft implementation guidance that provides additional detail regarding possible compliance approaches. As NERC and the Regional Entities gain additional experience with assessing compliance under these standards, updating this implementation guidance could be an effective approach for quickly disseminating best practices and lessons learned.