Last week at the FERC meeting, there were two significant announcements made. First, Commissioner Cheryl Lafleur announced her departure from the Commission after serving for 9 years. During her tenure, in our observations, she was reliability-minded, looked for pragmatic solutions, and guided the Commission accordingly. With her departure, this will leave the Commission barely meeting quorum requirements, so we will see what happens next. Second, the Commission approved the proposed modifications to NERC Reliability Standard CIP-008. These modifications broaden the reporting obligations to require “reporting of cyber security incidents that either compromise or attempt to compromise” certain electronic systems. As a reminder, CIP-008 only applies to those entities with High and Medium identified systems. We expect that compliance will become enforceable in 2020.
In another development affecting a different NERC CIP Standard, Utility Services wants to pass along information about the importance of checking out your computer software vendors under the NERC Reliability Standard, CIP-013 for Supply Chain requirements. Recently, we’ve heard about some software vendors having connections, or potential connections, to foreign or nation states that aren’t not friendly to our business interests. Their involvement could potentially adversely create threats and vulnerabilities that may impact your or the grid’s integrity. Utility Services wants you to consider looking into who your computer software providers are and their corporate financial interests are. This represents a new examination that you may have not considered in the past, but we are finding that software companies or their parent companies may not always have your best interests at heart.
If you have questions, please do not hesitate to talk with us about this situation. Thank you.