On October 18, the Federal Energy Regulatory Commission (FERC or Commission) issued Order No. 850, adopting a suite of reliability standards proposed by the North American Electric Reliability Corporation (NERC) to address the cybersecurity risks posed by supply chains for industrial control system assets and services in critical electric utility environments. The final rule largely adopts the proposals from the Commission’s Notice of Proposed Rulemaking (NOPR). But the Commission also directs NERC to expand the scope of the new requirements to include Electronic Access or Control Monitoring Systems (EACMS) and to evaluate the need to further expand the scope of the requirements to include Physical Access Control Systems (PACS) and Protected Cyber Assets (PCAs).
Despite fears that the Commission would shorten the implementation period for the new requirements, the Commission adopted the 18-month implementation period that was originally proposed by NERC.
Background
Once effective, the new standards will require electric utilities to develop a plan to mitigate supply chain cybersecurity risks posed by vendor products and services, particularly during the vendor procurement…