UNITED STATES OF AMERICA
FEDERAL ENERGY REGULATORY COMMISSION

Revised Critical Infrastructure Protection Reliability Standards
Docket No. RM15-14-000

Statement of Thomas F. O'Brien
Vice President & Chief Information Officer
PJM Interconnection, L.L.C.
January 28, 2016
PJM Interconnection is pleased to provide these initial comments in response to the Commission's inquiry on the Cyber Security Supply Chain Best Practices. My comments will address some of the unique challenges, current PJM actions, and a set of recommendations to further advance the supply chain cybersecurity issues.

I serve as the Vice President and Chief Information Officer for PJM. In this role, I oversee all aspects of PJM's information technology and enterprise information security. My role has been to ensure we are implementing technology to meet our responsibilities as an RTO in a secure and reliable manner.

I appreciate the Commission's focus on the importance of supply chain cybersecurity issues. Supply chain risk is a genuine threat that needs to be carefully considered and managed. The complexity and breadth of supply chain cybersecurity risk includes end-to-end management of the supply and distribution of hardware, firmware, system software, application software and services. Effectively identifying and managing the cybersecurity risks within the supply chain is important. There are clear and documented examples across several supply chains and distribution channels of embedded attacks in hardware, system software, application software, and services. A risk-based approach will drive the greatest value by ensuring that we address the highest risks first.
Managing the supply chain from a cybersecurity perspective does create some unique challenges:

- The supply chain is highly distributed and does not fall under any single regulatory jurisdiction, which potentially could subject hardware, software, and service vendors to diverse standards from multiple critical infrastructures and regulatory agencies;
- The supply chain does not lend itself to creating the necessary collaboration and accountability to ensure issues are managed by those best able to manage the risk;
- An ineffective regulatory program can create a false sense of security and divert resources from focusing on activities which are most within the customer's control; and
- Ineffective management of the supply chain for addressing cybersecurity issues could lead to increased utility costs without a corresponding significant benefit to the end user.

Thus, it is critically important that we address supply chain cybersecurity risks in an efficient and cost-effective manner.

PJM is addressing the cybersecurity supply chain issues that the Commission has identified within the context of our overall security program. Our program has advanced significantly and has demonstrated tangible benefits in terms of advancing the cybersecurity of our systems through the PJM procurement process. Nevertheless, PJM recognizes the need for further enhancements as we manage the threats. Our collaboration with software, hardware, and services vendors has shown that as one moves up the supply chain, cybersecurity supply chain practices are inconsistent and therefore must continue to evolve and improve.

By way of example, some of PJM's current activities that are focused on enhancing cybersecurity of our systems through our procurement process and other internal processes include:

- Our participation in DHS classified briefings to better understand the cybersecurity threats including supply chain threats;
- Modifications to our vendor review process as part of our procurement processes to ensure that risk and cybersecurity best practices are carefully considered prior to contract approval;
- Analysis of cyber and physical security controls for major vendors of high risk systems to ensure that their internal security practices are sufficient to reduce unintentional defects as well as intentional infiltration of malware and backdoors;
- Development of common security requirements that will be part of our request for proposal process and technology implementations;
- PJM buying only from authorized resellers, avoiding used products to reduce the risk of counterfeit and tainted products;
- PJM requiring contractors and vendors to undergo PJM's background screening process irrespective of the criticality of that access;
- Engaging third parties for advanced security penetration testing on an annual basis and when major systems are released into production environments;
- Advanced 24x7 security event monitoring tools and controls to detect potentially malicious network activity that would result from tainted products;
- File system monitoring for high-risk systems to ensure that changes on file systems correspond to authorized changes;
- Establishment of a software management governance team to ensure that all software is authorized prior to installation and has gone through a security review;
- Participation in the Cyber Risk Information Sharing Program (CRISP), which provides detection of potentially malicious traffic that may result from nation state infiltration of supply chains.
In light of the complexity, the existing disparate industry standards, the immaturity of supply chain cybersecurity practices among vendors, and the absence of well-established practices in supply chain cybersecurity, PJM proposes that, at this time, a directive to NERC to develop a standard in this area may not be the best use of time and resources to address this issue. Standard drafting is something of a cottage industry with its own set of challenges focused on choice of specific words, action required and issues surrounding enforcement and penalties. Getting embroiled in these issues prematurely may take away from the kind of development of best practices guidance and cross-industry communication that is needed at this stage of the process. Accordingly, we would urge the Commission to consider other vehicles which could range from use of NERC's process for the development of Guidance Papers (a process which has been used by the Critical Infrastructure Protection Committee (CIPC) which is tasked to develop, periodically review, and revise security guidelines) to more organized Commission-sponsored communications both within the electric industry as well as across industries.[1] A similar effort for communication among regulators of different sectors especially impacted by cybersecurity, such as the financial and communication sectors in addition to the utility sector, would also help to advance supply chain cybersecurity capabilities and ensure the sharing of best practices. As a result, our recommended path forward is to encourage cross sector coordination and collaboration with the providers in the technology industry as opposed to diverting focus to the drafting of a technical standard at this point in time.

On the other hand, we do believe there is a key FERC and NERC role at this point in time. Presently, there are a host of standards and publications that need to be better coordinated and harmonized. These include:

- NIST SP 800-161 - Supply Chain Risk Management Practices for Federal Information Systems and Organizations.
- ISO 20243 - Open Trusted Technology Provider Standard (O-TTPS) - A standard of the Open Group Vendors that provides a set of guidelines, recommendations and requirements that help assure against maliciously tainted and counterfeit products.
- Department of Energy's Cybersecurity Procurement Language for Energy Delivery Systems - This publication is a guidance document that provides baseline cybersecurity procurement language for use by asset owners, operators, integrators, and suppliers during the procurement process.
- NIST Cyber Security Framework - Provides guidance to help the energy sector establish or align existing cybersecurity risk management programs to meet the objectives of the Cybersecurity Framework released by the National Institute of Standards and Technology (NIST) in February 2014.
- ISO 27000 Standards - Information Security Management Family of Standards.

[1] The development of guidance documents in lieu of standards is specifically contemplated in the charters of certain NERC Committees including the CIPC. The full set of CIPC guidelines are available at: http://www.nerc.com/comm/cipc/pages/security-guidelines.aspx.
We would suggest that FERC direct NERC to develop a guidance document (using the existing CIPC guidance document process outlined above) as well as gather and synthesize key data on best practices in cybersecurity procurement as well as work with NIST and other agencies to rationalize the above standards and publications into a guidance document that works for the electric industry in light of its role as a buyer rather than manufacturer of these products. This should include collaboration with IT vendors and service providers to understand the current state and to develop a roadmap for improving vendor cybersecurity supply chain practices. The scope of this effort should include specific recommendations associated with best practices in implementation of the above standards in the context of procurement of software and hardware. For example, the guidance could include:

- concepts on the ability to validate the authenticity of software and patches that are being downloaded;
- review of best practices associated with the procurement of hardware through specialized supply chains;
- best practices in application vulnerability management; and
- other specific recommendations based on the risk analysis.

Nevertheless, although PJM feels this guidance process focused on detailing best practices as outlined above is a more appropriate first step at this point, should the Commission decide that it desires to move forward with a directive to NERC to develop a binding standard at this point, we believe that the focus and assignment should be on strengthening the current CIP standards. Under this scenario, the existing standards would be reviewed in light of best practices that have been identified to address the supply chain risk in the areas that registered entities control with respect to prevention, detection, and resilience.

Finally, we note the passage of recent legislation that authorizes increased communication and collaboration between the industry and the relevant federal agencies.
We believe the passage of this long-overdue legislation provides the legal authority for FERC, working with DHS and NIST, to ensure greater reporting on cyber threats to the E-ISAC and improved two-way communications. These efforts should be focused on:

- Providing transparency to cybersecurity risks embedded in commonly-used critical software applications and hardware; and
- Engaging with other critical infrastructures and government agencies (including other federal and state regulators) to ensure unity of approach.
In short, we see this entire exercise, including this NOPR, as part of a continued evolution of best practices and collaboration across critical infrastructures and technology service providers. At the same time, we recognize that protection across all critical infrastructure sectors is beyond FERC jurisdiction. As a result, it will be imperative to continue the broader engagement with the Department of Homeland Security, NIST, other critical infrastructure sectors, technology providers, and other government agencies to enhance our management of the supply chain against cybersecurity threats. PJM stands ready to work with the Commission, stakeholders, NERC, and others in that process.