[Federal Register Volume 80, Number 250 (Wednesday, December 30, 2015)]
[Pages 81534-81536]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-32833]



Federal Energy Regulatory Commission

[Docket No. RM15-14-000]

Revised Critical Infrastructure Protection Reliability Standards; 
Supplemental Notice of Agenda and Discussion Topics for Staff Technical 

    This notice establishes the agenda and topics for discussion at the 
technical conference to be held on January 28, 2016, to discuss issues 
related to supply chain risk management. The technical conference will 
start at 10:00 a.m. and end at approximately 4:30 p.m. (Eastern Time) 
in the Commission Meeting Room at the Commission's Headquarters, 888 
First Street NE., Washington, DC. The technical conference will be led 
by Commission staff, and FERC Commissioners may be in attendance. All 
interested parties are invited to attend, and registration is not 
    The topics and related questions to be discussed during this 
conference are provided as an attachment to this Notice. The purpose of 
the technical conference is to facilitate a structured dialogue on 
supply chain risk management issues identified by the Commission in the 
Revised Critical Infrastructure Protection Standards Notice of Proposed 
Rulemaking (NOPR) issued in this proceeding and raised in public 
comments to the NOPR. Prepared remarks will be presented by invited 
    This event will be webcast and transcribed. The free webcast allows 
listening only. Anyone with Internet access who desires to listen to 
this event can do so by navigating to the ``FERC Calendar'' at 
www.ferc.gov, and locating the technical conference in the Calendar of 
Events. Opening the technical conference in the Calendar of Events will 
reveal a link to its webcast. The Capitol Connection provides technical 
support for the webcast and offers the option of listening to the 
meeting via phone-bridge for a fee. If you have any questions, visit 
www.CapitolConnection.org or call 703-993-3100. The webcast will be 
available on the Calendar of Events at www.ferc.gov for three months 
after the conference. Transcripts of the conference will be immediately 
available for a fee from Ace-Federal Reporters, Inc. (202-347-3700).
    FERC conferences are accessible under section 508 of the 
Rehabilitation Act of 1973. For accessibility accommodations, please 
send an email to [email protected] or call toll free (866) 208-
3372 (voice) or (202) 502-8659 (TTY), or send a fax to (202) 208-2106 
with the requested accommodations.
    There is no fee for attendance. However, members of the public are 
encouraged to preregister online at: https://www.ferc.gov/whats-new/registration/01-28-16-form.asp.
    For more information about the technical conference, please 
contact: Sarah McKinley, Office of External Affairs, 202-502-8368, 
[email protected].

    Dated: December 23, 2015.
Nathaniel J. Davis, Sr.,
Deputy Secretary.

[[Page 81535]]


Critical Infrastructure Protection Supply Chain Risk Management RM15-
14-000 January 28, 2016


Welcome and Opening Remarks by Commission Staff

9:30-9:45 a.m.


    In a July 16, 2015 Notice of Proposed Rulemaking (NOPR) in the 
above-captioned docket, the Commission proposed to direct the North 
American Electric Reliability Corporation (NERC) to develop new or 
modified Critical Infrastructure Protection (CIP) Reliability Standards 
to provide security controls relating to supply chain risk management 
for industrial control system hardware, software, and services. The 
Commission sought and received comments on this proposal, including: 
(1) The NOPR proposal to direct that NERC develop a Reliability 
Standard to address supply chain risk management; (2) the anticipated 
features of, and requirements that should be included in, such a 
standard; and (3) a reasonable timeframe for development of a standard. 
The purpose of this conference is to clarify issues, share information, 
and determine the proper response to address security control and 
supply chain risk management concerns.

Staff Presentation: Supply Chain Efforts by Certain Other Federal 

9:45 a.m.-10:05 a.m.


10:05 p.m.-10:15 p.m.

Panel 1: Need for a New or Modified Reliability Standard

10:15 a.m.-11:45 a.m.

    The Commission staff seeks information about the need for a new or 
modified Reliability Standard to manage supply chain risks for 
industrial control system hardware, software, and computing and 
networking services associated with bulk electric system operations. 
Panelists are encouraged to address:
     Identify challenges faced in managing supply chain risk.
     Describe how the current CIP Standards provide supply 
chain risk management controls.
     Describe how the current CIP Standards incentivize or 
inhibit the introduction of more secure technology.
     Identify possible other approaches that the Commission can 
take to mitigate supply chain risks.
1. Nadya Bartol, Vice President, Industry Affairs and Cybersecurity 
Strategist, UTC
2. Jon Boyens, Project Manager, Information Communication Technology 
(ICT) Supply Chain Risk Management, National Institute of Standards & 
Technology (NIST)
3. John Galloway, Director, Cyber Security, ISO New England
4. John Goode, Chief Information Officer/Senior Vice President, 
Midcontinent Independent System Operator (MISO)
5. Barry Lawson, Associate Director, Power Delivery & Reliability, 
National Rural Electric Cooperative Association (NRECA)
6. Helen Nalley, Compliance Director, Southern Company
7. Jacob Olcott, Vice President of Business Development, Bitsight Tech
8. Marcus Sachs, Senior Vice President and Chief Security Officer, 
North American Electric Reliability Corporation (NERC)


11:45 a.m.-1:00 p.m.

Panel 2: Scope and Implementation of a New or Modified Standard

1:00 p.m.-2:30 p.m.

    The Commission staff seeks information about the scope and 
implementation of a new or modified Standard to manage supply chain 
risks for industrial control system hardware, software, and computing 
and networking services associated with bulk electric system 
operations. Panelists are encouraged to address:
     Identify types of assets that could be better protected 
with a new or modified Standard.
     Identify supply chain processes that could be better 
protected by a Standard.
     Identify controls or modifications that could be included 
in the Standard.
     Identify existing mandatory or voluntary standards or 
security guidelines that could form the basis of the Standard.
     Address how the verification of supply chain risk 
mitigation could be measured, benchmarked and/or audited.
     Present and justify a reasonable timeframe for development 
and implementation of a Standard.
     Discuss whether a Standard could be a catalyst for 
technical innovation and market competition.
1. Mike Ahmadi, Global Director--Critical Systems Security, Synopsys
2. Jonathan Appelbaum, Director, NERC Compliance, The United 
Illuminating Company
3. Brent Castegnetto, Manager, Cyber Security Audits & Investigations, 
4. Art Conklin, Ph.D., Associate Professor and Director of the Center 
for Information Security Research and Education, University of Houston
5. Edna Conway, Chief Security Officer, Value Chain Security, Cisco
6. Bryan Owen, Principal Cyber Security Manager, OSIsoft
7. Albert Ruocco, Vice President and Chief Technology Officer, American 
Electric Power (AEP)
8. Doug Thomas, Vice President and Chief Information Officer, Ontario 
Independent Electricity System Operation (IESO)


2:30 p.m.-2:45 p.m.

Panel 3: Current Supply Chain Risk Management Practices and 
Collaborative Efforts

2:45 p.m.-4:15 p.m.

    The Commission staff seeks information about existing supply chain 
risk management efforts for information and communications technology 
and industrial control system hardware, software, and services in other 
critical infrastructure sectors and the government. Panelists are 
encouraged to address:
     Generally describe how registered entities and other 
organizations currently manage supply chain issues.
     Identify standards or guidelines that are used to 
establish supply chain risk management practices. Specifically, discuss 
experience under those standards or guidelines.
     Identify organizational roles involved in the development 
and implementation of supply chain risk management practices.
     Generally describe approaches for identifying, evaluating, 
mitigating, and monitoring supply chain risk.
     Generally discuss how supply chain risk is addressed in 
the contracting process with vendors and suppliers.

[[Page 81536]]

     Generally describe the capabilities that registered 
entities currently have to inspect third party information security 
     Generally describe the capabilities that registered 
entities currently have to negotiate for additional security in their 
hardware, software, and service contracts. Describe how this may vary 
based on the potential vendor or supplier and the type of service to be 
     Generally describe how vendors and suppliers are managing 
risk in their supply chain.
1. Douglas Bauder, Vice President, Operational Services, and Chief 
Procurement Officer, Southern California Edison
2. Andrew Bochman, Senior Cyber & Energy Security Strategist, INL/DOE
3. Dennis Gammel, Director, Security Technology, Schweitzer Engineering
4. Andrew Ginter, Vice President, Industrial Security, Waterfall 
Security Solutions
5. Steve Griffith, Industry Director, National Electrical Manufacturers 
Association (NEMA)
6. Maria Jenks, Vice President, Supply Chain, Kansas City Power & Light 
7. Robert McClanahan, Vice President/Chief Information Officer, 
Arkansas Electric Cooperative Corporation (AECC)
8. Thomas O'Brien, Chief Information Officer, PJM Interconnection, LLC

4:15 p.m.-4:30 p.m. Closing Remarks

[FR Doc. 2015-32833 Filed 12-29-15; 8:45 am]