Dec 23 -- Joint FERC-DOE Supply Chain Risk Management Technical Conference; Notice Inviting Post-Technical Conference Comments
On Wednesday, December 7, 2022, the Federal Energy Regulatory Commission (Commission) and the U.S. Department of Energy (DOE) convened a Joint Supply Chain Risk Management Technical Conference to discuss supply chain security challenges related to the Bulk-Power System, ongoing supply chain-related activities, and potential measures to secure the supply chain for the grid's hardware, software, computer, and networking equipment.
All interested persons are invited to file post-technical conference comments to address issues raised during the technical conference identified in the Supplemental Notice of Technical Conference issued on December 6, 2022.
Post Technical Conference Questions
I. Supply Chain Risks Facing the Bulk-Power System
The U.S. energy sector procures products and services from a globally distributed, highly complex, and increasingly interconnected set of supply chains. Information Technology (IT) and Operational Technology (OT) systems enable increased interconnectivity, process automation, and remote control. As a result, supply chain risks will continue to evolve and likely increase. This panel discussed the state of supply chain risks from a national and geopolitical perspective. Specifically, the panel explored current supply chain risks to the security of the grid's hardware, software, computer, and networking equipment and how well-resourced campaigns perpetrated by nation states, such as the SolarWinds incident, affect supply chain risk for the electric sector. Panelists discussed the origins of these risks, their pervasiveness, the possible impacts they could have on Bulk-Power System reliability, and approaches to mitigating them. The panelists also discussed challenges associated with supply chain visibility and covert embedded spyware or other compromising software or hardware in suppliers' products, parts, or services. [8 questions]
II. Current Supply Chain Risk Management (SCRM) Reliability Standards, Implementation Challenges, Gaps, and Opportunities for Improvement
It has now been more than six years since the Commission directed the development of mandatory Reliability Standards to address supply chain risks, and more than two years since the first set of those Standards became effective. As discussed in Panel 1, supply chain risks have continued to grow in that time. In light of that evolving threat, panelists discussed the existing SCRM Reliability Standards, including: (1) their effectiveness in securing the Bulk-Power System; (2) lessons learned from implementation of the current SCRM Reliability Standards; and (3) possible gaps in the currently effective SCRM Reliability Standards. This panel provided an opportunity to discuss any Reliability Standards in development, and how these new standards will help enhance security and help address some of the emerging supply chain threats. [6 questions]
III. The U.S. Department of Energy's Energy Cyber Sense Program
Through the voluntary Energy Cyber Sense Program, DOE will provide a comprehensive approach to securing the nation's critical energy infrastructure and supply chains from cyber threats. The Energy Cyber Sense Program will build upon direction in Section 40122 of the Bipartisan Infrastructure Law, as well as multiple requests from industry, leveraging existing programs and technologies, while also initiating new efforts. Through Energy Cyber Sense, DOE aims to work with manufacturers and asset owners to discover, mitigate, and engineer out cyber vulnerabilities in digital components in the Energy Sector Industrial Base critical supply chains. This program will provide a better understanding of the impacts and dependencies of software and systems used in the energy sector; illuminate the digital provenance of subcomponents in energy systems, hardware, and software; apply best-in-class testing to discover and address common mode vulnerabilities; and provide education and awareness across the sector and the broader supply chain community to optimize management of supply chain risks. This panel discussed specific supply chain risks that Energy Cyber Sense will address, as well as some of the programs and technologies DOE will bring to bear under the program to address the risks. [6 questions]
IV. Enhancing the Supply Chain Security Posture of the Bulk-Power System
This panel discussed forward-looking initiatives that can be used to improve the supply chain security posture of the Bulk-Power System. These initiatives could include vendor accreditation programs, product and service verification, improved internal supply chain security capability, third party services, and private and public partnerships.
Vendor accreditation can be established in various ways. One of the more prominent ways is currently being explored by the North American Transmission Forum through its Supply Chain Security Assessment model and the associated questionnaire. The panel also explored certain programs and practices used by utilities to verify the authenticity and effectiveness of products and services. Internal supply chain security capabilities include hiring people with the appropriate background and knowledge, while also developing relevant skills internally, through training on broad supply chain topics and applying them to the specific needs of the organization. Finally, this panel addressed private and public partnerships on supply chain security and how they can facilitate timely access to information that will help better identify current and future supply chain threats to the Bulk-Power System and best practices to address those risks. [11 questions]