Docket No. RD23-3-000
FERC today approved a new cybersecurity standard that will expand supply chain risk management practices for low-impact bulk electric system cyber systems.
The new standard, proposed by the North American Electric Reliability Corporation (NERC) in December 2022, requires entities with bulk electric system facilities whose assets are designated low-impact to have methods for determining and disabling vendor remote access. Generally, low-impact assets are generation or transmission facilities that pose a lower risk to the bulk electric system if they are compromised.
This standard improves the reliability of the grid by expanding existing security controls to provide greater visibility into electronic communication between low-impact bulk electric system cyber systems and vendors. These security controls will allow detection and the ability to disable vendor remote access in the event of a known or suspected malicious communication.
“The vast majority of BES assets today are considered low-impact and that number is only expected to grow,” Chairman Phillips said. “To not protect these BES assets against one of the most frequent attack scenarios – supply chain – would be a big mistake.”
R23-23