[Federal Register Volume 87, Number 229 (Wednesday, November 30, 2022)]
[Notices]
[Pages 73545-73547]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-26092]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

[Docket No. AD22-12-000]


Joint FERC-DOE Supply Chain Risk Management, Technical 
Conference; Second Supplemental Notice of Technical Conference

    Take notice that the Federal Energy Regulatory Commission 
(Commission) will convene a Joint Technical Conference with the U.S. 
Department of Energy in the above-referenced proceeding on December 7, 
2022, from approximately 8:30 a.m. to 5:00 p.m. Eastern Time. The 
conference will be held in-person at the Commission's headquarters at 
888 First Street NE, Washington, DC 20426 in the Commission Meeting 
Room.
    The purpose of this conference is to discuss supply chain security 
challenges related to the Bulk-Power System, ongoing supply chain-
related activities, and potential measures to secure the supply chain 
for the grid's hardware, software, computer, and networking equipment. 
FERC Commissioners and DOE's Office of Cybersecurity, Energy Security, 
and Emergency Response (CESER) Director will be in attendance, and 
panels will involve multiple DOE program offices, the North American 
Electric Reliability Corporation (NERC), trade associations, leading 
vendors and manufacturers, and utilities.
    The conference will be open for the public to attend, and there is 
no fee for attendance. Information on this technical conference will 
also be posted on the Calendar of Events on the Commission's website, 
www.ferc.gov, prior to the event.
    The conference will also be transcribed. Transcripts will be 
available for a fee from Ace Reporting, (202) 347-3700.
    Commission conferences are accessible under section 508 of the 
Rehabilitation Act of 1973. For accessibility accommodations, please 
send an email to [email protected], call toll-free (866) 208-3372 
(voice) or (202) 208-8659 (TTY), or send a fax to (202) 208-2106 with 
the required accommodations.
    For more information about this technical conference, please 
contact Simon Slobodnik at [email protected] or (202) 502-6707. 
For information related to logistics, please contact Lodie White at 
[email protected] or (202) 502-8453.

    Dated: November 23, 2022.
Kimberly D. Bose,
Secretary.
[GRAPHIC] [TIFF OMITTED] TN30NO22.004

Supply Chain Risk Management Technical Conference; Docket No. AD22-12-
000 December 7, 2022; 8:30 a.m.-5:00 p.m.

8:30 a.m. Opening Remarks and Introductions
8:45 a.m. Panel I: Supply Chain Risks Facing the Bulk-Power System
    The U.S. energy sector procures products and services from a 
globally distributed, highly complex, and increasingly interconnected 
set of supply chains. Information Technology (IT) and Operational 
Technology (OT) systems enable increased interconnectivity, process 
automation, and remote control. As a result, supply chain risks will 
continue to evolve and likely increase.\1\ This panel will discuss the 
state of supply chain risks from a national and geopolitical 
perspective. Specifically, the panel will explore current supply chain 
risks to the security of grid's hardware, software, computer, and 
networking equipment and how well-resourced campaigns perpetrated by 
nation states, such as the SolarWinds incident, affect supply chain 
risk for the electric sector. Panelists will discuss the origins of 
these risks, their pervasiveness, the possible impacts they could have 
on Bulk-Power System reliability, and approaches to mitigating them. 
The panelists will also discuss challenges associated with supply chain 
visibility and covert embedded spyware or other compromising software 
or hardware in suppliers' products, parts, or services.
---------------------------------------------------------------------------

    \1\ See U.S. Dep't. of Energy, America's Strategy to Secure the 
Supply Chain for a Robust Clean Energy Transition: Response to 
Executive Order 14017, America's Supply Chains, 42, (Feb. 24, 2022), 
https://www.energy.gov/sites/default/files/2022-02/America's%20Strategy%20to%20Secure%20the%20Supply%20Chain%20for%20a%2
0Robust%20Clean%20Energy%20Transition%20FINAL.docx_0.pdf.
---------------------------------------------------------------------------

    This panel may include a discussion of the following topics and 
questions:
    1. Describe the types of challenges and risks associated with 
globally distributed, highly complex, and increasingly interconnected 
supply chains.
    2. Describe the difficulties associated with supply chain 
visibility and how origins of products or components may be obscured.
    3. How are foreign-supplied Bulk-Power System components being 
manipulated and is there a particular phase in the product lifecycle 
where the product is manipulated for nefarious intent?
    4. How are these supply chain challenges and risks currently being 
managed?
    5. How has the current geopolitical landscape impacted the energy 
sector's ability to manage supply chain challenges and risks?
    6. How can Sector Risk Management Agencies and Regulators promote 
and/or incentivize supply chain transparency at the earlier stages of 
product development and manufacturing?
    7. Discuss the pathways (e.g., voluntary best practices and 
guidelines, mandatory standards) that together could address the 
current supply chain challenges and risks?
    8. What actions can government take, both formal regulatory actions 
and coordination, to help identify and mitigate risks from the global 
supply chain for the energy sector?

[[Page 73546]]

Panelists
 Eric Goldstein, Executive Assistant Director for 
Cybersecurity, Department of Homeland Security Cybersecurity & 
Infrastructure Security Agency (DHS CISA)
 Mara Winn, Deputy Director, Preparedness, Policy, and Risk 
Analysis, DOE CESER
 Jeanette McMillian, Assistant Director, Supply Chain and Cyber 
Directorate, National Counterintelligence and Security Center
 Manny Cancel, Senior Vice President, NERC and CEO, Electricity 
Information Sharing and Analysis Center
 Marty Edwards, Deputy Chief Technical Officer--OT/IoT, Tenable
 Bonnie Titone, Senior Vice President and Chief Information 
Officer, Duke Energy
 Representative of the U.S. Department of Commerce, Bureau of 
Industry and Security (invited)
10:30 a.m. Break
10:45 a.m. Panel II: Current Supply Chain Risk Management (SCRM) 
Reliability Standards, Implementation Challenges, Gaps, and 
Opportunities for Improvement
    It has now been more than six years since the Commission directed 
the development of mandatory standards to address supply chain risks, 
and more than two years since the first set of those standards became 
effective. As discussed in Panel 1, supply chain risks have continued 
to grow in that time. In light of that evolving threat, panelists will 
discuss the existing SCRM Reliability Standards, including: (1) their 
effectiveness in securing the Bulk-Power System; (2) lessons learned 
from implementation of the current SCRM Reliability Standards; and (3) 
possible gaps in the currently effective SCRM Reliability Standards. 
This panel will also provide an opportunity to discuss any Reliability 
Standards in development, and how these new standards will help enhance 
security and help address some of the emerging supply chain threats.
    This panel may include a discussion of the following topics and 
questions:
    1. Are the currently effective SCRM Reliability Standards 
sufficient to successfully ensure Bulk-Power System reliability and 
security in light of existing and emerging risks?
    2. What requirements in the SCRM Reliability Standards present 
implementation challenges for registered entities and for vendors?
    3. How are implementation challenges being addressed for utilities 
and for vendors?
    4. Are there alternative methods for implementing the SCRM 
Reliability Standards that could eliminate challenges or enhance 
effectiveness moving forward?
    5. Based on the current and evolving threat landscape, would the 
currently effective SCRM Reliability Standards benefit from additional 
mandatory security control requirements and how would these additional 
controls improve the security of the Bulk-Power System?
    6. Are there currently effective SCRM criteria or standards that 
manufacturers must adhere to in foreign countries that may be prudent 
to adopt in the U.S.?
Panelists
 Howard Gugel, Vice President, Engineering and Standards, NERC
 Adrienne Lotto, Senior Vice President of Grid Security, 
Technical & Operations Services, American Public Power Association
 Jeffrey Sweet, Director of Security Assessments, American 
Electric Power
 Shari Gribbin, Managing Partner, CNK Solutions
 Scott Aaronson, Senior Vice President of Security and 
Preparedness, Edison Electric Institute
12:15 p.m. Lunch
1:15 p.m. Panel III: The U.S. Department of Energy's Energy Cyber Sense 
Program
    Through the Energy Cyber Sense Program, DOE will provide a 
comprehensive approach to securing the nation's critical energy 
infrastructure and supply chains from cyber threats with this voluntary 
program. The Energy Cyber Sense Program will build upon direction in 
Section 40122 of the Bipartisan Infrastructure Law, as well as multiple 
requests from industry, leveraging existing programs and technologies, 
while also initiating new efforts. Through Energy Cyber Sense, DOE aims 
to work with manufacturers and asset owners to discover, mitigate, and 
engineer out cyber vulnerabilities in digital components in the Energy 
Sector Industrial Base critical supply chains. This program will 
provide a better understanding of the impacts and dependencies of 
software and systems used in the energy sector; illuminate the digital 
provenance of subcomponents in energy systems, hardware, and software; 
apply best-in-class testing to discover and address common mode 
vulnerabilities; and provide education and awareness, across the sector 
and the broader supply chain community to optimize management of supply 
chain risks. This panel will discuss specific supply chain risks that 
Energy Cyber Sense will address as well as some of the programs and 
technologies DOE will bring to bear under the program to address the 
risks.
    This panel may include a discussion of the following topics and 
questions:
    1. How are emerging orders, standards, and process guidance, such 
as Executive Order 14017, Executive Order 14028, NIST Special 
Publication 800-161r1, ISA 62443, CIP-013-1, and others, changing how 
we assess our digital supply chain?
    2. Given the dependence of OT on application-specific hardware, how 
could the inclusion and linkage of Hardware Bill of Materials (HBOMs) 
with Software Bill of Materials (SBOMs) increase our ability to 
accurately and effectively assess and mitigate supply chain risk? To 
what degree is this inclusion and linkage of HBOMs with SBOMs taking 
place today and what steps should be taken to fill any remaining gaps?
    3. Given that much of the critical technology used in the energy 
sector is considered legacy technology, how can manufacturers, vendors, 
asset owners and operators, aided by the federal government, national 
laboratories, and other organizations, manage the supply chain risk 
from legacy technology? How can this risk management be coordinated 
with newer technologies that are more likely to receive SBOMs, HBOMs, 
and attestations?
    4. Where does testing, for example Cyber Testing for Resilient 
Industrial Control Systems (CyTRICS) and third-party testing, fit in 
the universe of ``rigorous and predictable mechanisms for ensuring that 
products function securely, and as intended? '' \2\
---------------------------------------------------------------------------

    \2\ See Exec. Order No. 14028, 86 FR 26,633, 26,646 (May 12, 
2021) (The Executive Order declared that the security of software 
used by the Federal Government is ``vital to the Federal 
Government's ability to perform its critical functions.'' The 
Executive Order further cited a ``pressing need to implement more 
rigorous and predictable mechanisms for ensuring that products 
function securely, and as intended.'')
---------------------------------------------------------------------------

    5. More than ever, developers are building applications on open-
source software libraries. How can developers address the risks 
inherent with open-source software and how can asset owners work with 
vendors to validate that appropriate open-source risk management 
measures have been taken?
    6. U.S. energy systems have significant dependencies on hardware 
components, including integrated

[[Page 73547]]

circuits and semiconductors, most of which are manufactured outside of 
the U.S. What tools and technologies are needed to understand the 
provenance of hardware components used in U.S. energy systems and the 
risks from foreign manufacture? How will the newly passed CHIPS and 
Science Act change the risk landscape? What is needed in terms of 
regulation, standards, and other guidance to strengthen the security of 
the hardware component supply chain from cyber and other risks?
Panelists
 Steven Kunsman, Director Product Management and Applications, 
Hitachi Energy
 Ron Brash, Vice President Technical Research & Integrations, 
aDolus
 Zachary Tudor, Associate Laboratory Director, National and 
Homeland Security
 Allan Friedman, Senior Advisor and Strategist, DHS CISA
 Brian Barrios, Vice President, Cybersecurity & IT Compliance, 
Southern California, Edison
 Representative of Amazon Web Services (invited)
2:45 p.m. Break
3:00 p.m. Panel IV: Enhancing the Supply Chain Security Posture of the 
Bulk-Power System
    This panel will discuss forward-looking initiatives that can be 
used to improve the supply chain security posture of the Bulk-Power 
System. These initiatives could include vendor accreditation programs, 
product and service verification, improved internal supply chain 
security capability, third party services, and private and public 
partnerships.
    Vendor accreditation can be established in various ways. One of the 
more prominent ways is currently being explored by the North American 
Transmission Forum through its Supply Chain Security Assessment model 
and the associated questionnaire.\3\ The panel will also explore 
certain programs and practices used by utilities to verify the 
authenticity and effectiveness of products and services. Internal 
supply chain security capabilities include hiring people with the 
appropriate background and knowledge, while also developing relevant 
skills internally, through training on broad supply chain topics and 
applying them to the specific needs of the organization. Finally, this 
panel will address private and public partnerships on supply chain 
security and how they can facilitate timely access to information that 
will help better identify current and future supply chain threats to 
the Bulk-Power System and best practices to address those risks.
---------------------------------------------------------------------------

    \3\ https://www.natf.net/industry-initiatives/supply-chain-industry-coordination.
---------------------------------------------------------------------------

    This panel may include a discussion of the following topics and 
questions:
    1. What vendor accreditation programs currently exist or are in 
development? How can entities vet a vendor in the absence of a vendor 
accreditation program?
    2. What are the challenges, benefits, and risks associated with 
utilizing third-party services for maintaining a supply chain risk 
management program?
    3. What are the best practices and other guidance for security 
evaluation of vendors?
    4. What programs and practices are currently in use to ensure 
product and service integrity?
    5. What processes are used to test products prior to 
implementation?
    6. What is the right balance between vendor and product security 
and cost? Is there a point of diminishing returns?
    7. What are effective strategies for recruiting personnel with the 
appropriate background and SCRM skills to strengthen internal security 
practices? How do you provide the training necessary to further develop 
the skills specific to your unique organizational challenges?
    8. What are the best ways to meaningfully assimilate SBOM 
information and what subsequent analyses can be done to strengthen 
internal security practices?
    9. How can the industry keep informed of the latest supply chain 
compromises? How do entities currently respond to these compromises to 
keep their systems secure? Are there ways to improve these responses? 
What actions can government take, both formal regulatory actions and 
coordination, to help keep industry informed of supply chain 
compromises and to facilitate effective responses?
    10. What key risk factors do entities need to consider prior to 
leveraging third party services and how should those risk factors be 
balanced with an entity's organizational policy? What SCRM controls do 
you have in place to ensure your systems and products have a reduced 
risk of compromise? Please discuss any challenges that you have 
experienced as well as successes.
    11. How should government and industry prioritize and coordinate 
federal cross-agency and private sector collaboration and activities 
regarding SCRM?
Panelists
 Tobias Whitney, Vice President of Strategy and Policy, 
Fortress Information Security
 Valerie Agnew, General Counsel, North American Transmission 
Forum
 David Schleicher, President and CEO, Northern Virginia 
Electric Cooperative
 Ron Schoff, Director, Research & Development, Electric Power 
Research Institute
 Representative of the National Risk Management Center, DHS 
CISA (invited)
 Representative of the Office of National Cyber Director 
(invited)
 Representative of the National Association of Regulatory 
Utility Commissioners (invited)
4:45 p.m. Closing Remarks
5:00 p.m. Adjourn
[FR Doc. 2022-26092 Filed 11-29-22; 8:45 am]
BILLING CODE 6717-01-P