The Federal Energy Regulatory Commission (FERC) is proposing new requirements for new or modified Critical Infrastructure Protection (CIP) standards to address the growing risk of compromise to the bulk-power system.
From ISSSource.com:
The proposal would direct the North American Electric Reliability Corporation (NERC) to require entities to identify their current supply chain risks to their grid-related cybersecurity systems at specified intervals; assess and take steps to validate the accuracy of the information received from vendors during the procurement process; and document, track and respond to these risks to their systems.
FERC would also direct NERC to extend the applicability of the supply chain standards to include a category of products known as protected cyber assets (PCAs).
Phosphorus’s John Vecchi tells ISSSource about the mission-critical nature of the IoT, OT, and IoMT cyber-physical systems these standards would cover.
“Protecting them is less about improving the grid and more about maintaining their availability while preventing some kind of cyber-physical attack. Devices like mission-critical PLCs, HMIs, environmental sensors, robotics, and industrial gateways lack the most basic security hygiene yet are generally unknown, unmonitored, and unmanaged in these environments. And many of these assets have already been compromised by threat actors and nation-states.”
Meeting these requirements will require a full reassessment of organizations’ current risk management methods. Most of them, Vecchi tells Manufacturing.net, don’t even include basic visibility of what OT/IoT assets they have, where those assets are located, and what critical vulnerabilities exist on them. OT and IoT security with remediation requires full visibility with 100% accuracy.
“One of the biggest challenges critical infrastructure organizations will face with these kinds of new standards will be achieving even the most basic visibility of their mission-critical OT, IoT, and ICS cyber-physical systems,” Vecchi said. “Today, most of these organizations would be hard-pressed to demonstrate visibility and inventory of these assets, let alone comprehensive risk assessment of their estates to know what is most vulnerable and what to prioritize for patching and remediation. Current state security tools do not provide the ability to safely and efficiently find, assess, fix, and monitor these critical systems. And given that these organizations simply cannot protect what they cannot see, this will be one of the most monumental challenges for most of them.”
For Manufacturing.net, Vecchi says:
“There will need to be somewhat of a shift to view these critical yet vulnerable assets in the same way they view traditional IT assets and endpoints. This will require not only new technologies, but new policies and skill sets as well.”
Read the full articles over at ISSSource.com and Manufacturing.net for plans for the CIP standard, proposed time frames, and more.
September 26, 2024: Updated with additional information from Manufacturing.net.