The Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) took a further step to protect the nation’s electric infrastructure today by publishing a joint white paper to help the electric sector identify vendors of components on their networks so that they can take any necessary action to mitigate potential risks to the bulk power system.
The electric sector relies on networking and telecommunications equipment to operate the Bulk Power System. This white paper identifies several noninvasive techniques that security professionals may use to identify vendors of a well-known and often-targeted component known as a network interface controller (NIC).
Multiple government sources – the House Permanent Select Committee on Intelligence, the Government Accountability Office, the Defense Innovation Board and the Federal Communications Commission – have repeatedly identified Huawei and ZTE as potential threats. Due to the pervasiveness of companies like Huawei and ZTE in the marketplace, the electric sector may unknowingly be using devices that have the potential to compromise the electric grid.
While the report highlights noninvasive methods, industry and security professionals may have other ways to identify foreign vendor equipment or components. Industry should consider developing and implementing processes not only to identify such vendor suppliers, but also to protect their supply chain, and these processes could be periodically re-performed and assessed against previous results. FERC and NERC have long been focused on supply chain issues, including the development of standards, alerts and other efforts.
Supply chain risk management is critical to the reliable operation of the electric grid. FERC and NERC will continue to work together toward assuring the reliability and security of the North American Bulk Power System.