Joint FERC-DOE Supply Chain Risk Management, Technical Conference; Supplemental Notice of Technical Conference, 68147-68150 [2022-24710]

Federal Register / Vol. 87, No. 218 / Monday, November 14, 2022 / Notices

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

[Docket No.
AD22–12–000]

Joint FERC–DOE Supply Chain Risk Management, Technical Conference; Supplemental Notice of Technical Conference

Take notice that the Federal Energy Regulatory Commission (Commission) will convene a Joint Technical Conference with the U.S. Department of Energy in the above-referenced proceeding on December 7, 2022, from approximately 8:30 a.m. to 5:00 p.m. Eastern Time. The conference will be held in-person at the Commission’s headquarters at 888 First Street NE, Washington, DC 20426 in the Commission Meeting Room.

The purpose of this conference is to discuss supply chain security challenges related to the Bulk-Power System, ongoing supply chain-related activities, and potential measures to secure the supply chain for the grid’s hardware, software, computer, and networking equipment. FERC Commissioners and DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) Director will be in attendance, and panels will involve multiple DOE program offices, the North American Electric Reliability Corporation (NERC), trade associations, leading vendors and manufacturers, and utilities.

The conference will be open for the public to attend, and there is no fee for attendance. This notice provides additional information regarding each panel and seeks nominations for interested panelists. The Commission will issue a further supplemental notice with a full agenda and the list of panelists. Information on this technical conference will also be posted on the Calendar of Events on the Commission’s website, www.ferc.gov, prior to the event.

The conference will also be transcribed. Transcripts will be available for a fee from Ace Reporting, (202) 347–3700.

Those who wish to nominate their names for consideration as a panel participant should submit their name, title, company (or organization they are representing), telephone, email, a one-paragraph biography, picture, and topic they wish to address to: 2022SupplyChainTechConference@ferc.gov by close of business on Friday, November 18, 2022.

Commission conferences are accessible under section 508 of the Rehabilitation Act of 1973. For accessibility accommodations, please send an email to accessibility@ferc.gov, call toll-free (866) 208–3372 (voice) or (202) 208–8659 (TTY), or send a fax to (202) 208–2106 with the required accommodations.

For more information about this technical conference, please contact Simon Slobodnik at Simon.Slobodnik@ferc.gov or (202) 502–6707. For information related to logistics, please contact Lodie White at Lodie.White@ferc.gov or (202) 502–8453.

Dated: November 7, 2022.
Kimberly D. Bose,
Secretary.

Supply Chain Risk Management Technical Conference

Docket No. AD22–12–000

December 7, 2022, 8:30 a.m.–5:00 p.m.

8:30 a.m.—Opening Remarks and Introductions
9:00 a.m.—Panel I: Supply Chain Risks Facing the Bulk-Power System

The U.S. energy sector procures products and services from a globally distributed, highly complex, and increasingly interconnected set of supply chains. Information Technology (IT) and Operational Technology (OT) systems enable increased interconnectivity, process automation, and remote control. As a result, supply chain risks will continue to evolve and likely increase.\1\ This panel will discuss the state of supply chain risks from a national and geopolitical perspective. Specifically, the panel will explore current supply chain risks to the security of the grid’s hardware, software, computer, and networking equipment and how well-resourced campaigns perpetrated by nation states, such as the SolarWinds incident, affect supply chain risk for the electric sector.
Panelists will discuss the origins of these risks, their pervasiveness, the possible impacts they could have on Bulk-Power System reliability, and approaches to mitigating them. The panelists will also discuss challenges associated with supply chain visibility and covert embedded spyware or other compromising software or hardware in suppliers’ products, parts, or services.

\1\ See U.S. Dep’t. of Energy, America’s Strategy to Secure the Supply Chain for a Robust Clean Energy Transition: Response to Executive Order 14017, America’s Supply Chains, 42, (Feb. 24, 2022), https://www.energy.gov/sites/default/files/2022-02/America's%20Strategy%20to%20Secure%20the%20Supply%20Chain%20for%20a%20Robust%20Clean%20Energy%20Transition%20FINAL.docx_0.pdf.

This panel may include a discussion of the following topics and questions:

1. Describe the types of challenges and risks associated with globally distributed, highly complex, and increasingly interconnected supply chains.
2. Describe the difficulties associated with supply chain visibility and how origins of products or components may be obscured.
3. How are foreign-supplied Bulk-Power System components being manipulated and is there a particular phase in the product lifecycle where the product is manipulated for nefarious intent?
4. How are these supply chain challenges and risks currently being managed?
5. How has the current geopolitical landscape impacted the energy sector’s ability to manage supply chain challenges and risks?
6. How can Sector Risk Management Agencies and Regulators promote and/or incentivize supply chain transparency at the earlier stages of product development and manufacturing?
7. Discuss the pathways (e.g., voluntary best practices and guidelines, mandatory standards) that together could address the current supply chain challenges and risks.
8.
What actions can government take, both formal regulatory actions and coordination, to help identify and mitigate risks from the global supply chain for the energy sector?

10:30 a.m.—Break
10:45 a.m.—Panel II: Current Supply Chain Risk Management (SCRM) Reliability Standards, Implementation Challenges, Gaps, and Opportunities for Improvement

It has now been more than six years since the Commission directed the development of mandatory standards to address supply chain risks, and more than two years since the first set of those standards became effective. As discussed in Panel 1, supply chain risks have continued to grow in that time. In light of that evolving threat, panelists will discuss the existing SCRM Reliability Standards, including: (1) their effectiveness in securing the Bulk-Power System; (2) lessons learned from implementation of the current SCRM Reliability Standards; and (3) possible gaps in the currently effective SCRM Reliability Standards. This panel will also provide an opportunity to discuss any Reliability Standards in development, and how these new standards will help enhance security and help address some of the emerging supply chain threats.

This panel may include a discussion of the following topics and questions:

1. Are the currently effective SCRM Reliability Standards sufficient to successfully ensure Bulk-Power System reliability and security in light of existing and emerging risks?
2. What requirements in the SCRM Reliability Standards present implementation challenges for registered entities and for vendors?
3. How are implementation challenges being addressed for utilities and for vendors?
4.
Are there alternative methods for implementing the SCRM Reliability Standards that could eliminate challenges or enhance effectiveness moving forward?
5. Based on the current and evolving threat landscape, would the currently effective SCRM Reliability Standards benefit from additional mandatory security control requirements and how would these additional controls improve the security of the Bulk-Power System?
6. Are there currently effective SCRM criteria or standards that manufacturers must adhere to in foreign countries that may be prudent to adopt in the U.S.?

12:15 p.m.—Lunch
1:15 p.m.—Panel III: The U.S. Department of Energy’s Energy Cyber Sense Program

Through the Energy Cyber Sense Program, DOE will provide a comprehensive approach to securing the nation’s critical energy infrastructure and supply chains from cyber threats with this voluntary program. The Energy Cyber Sense Program will build upon direction in Section 40122 of the Bipartisan Infrastructure Law, as well as multiple requests from industry, leveraging existing programs and technologies, while also initiating new efforts. Through Energy Cyber Sense, DOE aims to work with manufacturers and asset owners to discover, mitigate, and engineer out cyber vulnerabilities in digital components in the Energy Sector Industrial Base critical supply chains. This program will provide a better understanding of the impacts and dependencies of software and systems used in the energy sector; illuminate the digital provenance of subcomponents in energy systems, hardware, and software; apply best-in-class testing to discover and address common mode vulnerabilities; and provide education and awareness, across the sector and the broader supply chain community to optimize management of supply chain risks. This panel will discuss specific supply chain risks that Energy Cyber Sense will address as well as some of the programs and technologies DOE will bring to bear under the program to address the risks.

This panel may include a discussion of the following topics and questions:

1. How are emerging orders, standards, and process guidance, such as Executive Order 14017, Executive Order 14028, NIST Special Publication 800–161r1, ISA 62443, CIP–013–1, and others, changing how we assess our digital supply chain?
2. Given the dependence of OT on application-specific hardware, how could the inclusion and linkage of Hardware Bill of Materials (HBOMs) with Software Bill of Materials (SBOMs) increase our ability to accurately and effectively assess and mitigate supply chain risk? To what degree is this inclusion and linkage of HBOMs with SBOMs taking place today and what steps should be taken to fill any remaining gaps?
3. Given that much of the critical technology used in the energy sector is considered legacy technology, how can manufacturers, vendors, asset owners and operators, aided by the federal government, national laboratories, and other organizations, manage the supply chain risk from legacy technology? How can this risk management be coordinated with newer technologies that are more likely to receive SBOMs, HBOMs, and attestations?
4. Where does testing, for example Cyber Testing for Resilient Industrial Control Systems (CyTRICS) and third-party testing, fit in the universe of “rigorous and predictable mechanisms for ensuring that products function securely, and as intended?” \2\
5. More than ever, developers are building applications on open-source software libraries. How can developers address the risks inherent with open-source software and how can asset owners work with vendors to validate that appropriate open-source risk management measures have been taken?
6. U.S. energy systems have significant dependencies on hardware components, including integrated circuits and semiconductors, most of which are manufactured outside of the US.
What tools and technologies are needed to understand the provenance of hardware components used in U.S. energy systems and the risks from foreign manufacture? How will the newly passed CHIPS and Science Act change the risk landscape? What is needed in terms of regulation, standards, and other guidance to strengthen the security of the hardware component supply chain from cyber and other risks?

\2\ See Exec. Order No. 14028, 86 FR 26,633, 26,646 (May 12, 2021) (The Executive Order declared that the security of software used by the Federal Government is “vital to the Federal Government’s ability to perform its critical functions.” The Executive Order further cited a “pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended.”)

2:45 p.m.—Break
3:00 p.m. Panel IV: Enhancing the Supply Chain Security Posture of the Bulk-Power System

This panel will discuss forward-looking initiatives that can be used to improve the supply chain security posture of the Bulk-Power System. These initiatives could include vendor accreditation programs, product and service verification, improved internal supply chain security capability, third party services, and private and public partnerships. Vendor accreditation can be established in various ways. One of the more prominent ways is currently being explored by the North American Transmission Forum through its Supply Chain Security Assessment model and the associated questionnaire.\3\ The panel will also explore certain programs and practices used by utilities to verify the authenticity and effectiveness of products and services. Internal supply chain security capabilities include hiring people with the appropriate background and knowledge, while also developing relevant skills internally, through training on broad supply chain topics and applying them to the specific needs of the organization.
Finally, this panel will address private and public partnerships on supply chain security and how they can facilitate timely access to information that will help better identify current and future supply chain threats to the Bulk-Power System and best practices to address those risks.

\3\ https://www.natf.net/industry-initiatives/supply-chain-industry-coordination.

This panel may include a discussion of the following topics and questions:

1. What vendor accreditation programs currently exist or are in development? How can entities vet a vendor in the absence of a vendor accreditation program?
2. What are the challenges, benefits, and risks associated with utilizing third-party services for maintaining a supply chain risk management program?
3. What are the best practices and other guidance for security evaluation of vendors?
4. What programs and practices are currently in use to ensure product and service integrity?
5. What processes are used to test products prior to implementation?
6. What is the right balance between vendor and product security and cost? Is there a point of diminishing returns?
7. What are effective strategies for recruiting personnel with the appropriate background and SCRM skills to strengthen internal security practices? How do you provide the training necessary to further develop the skills specific to your unique organizational challenges?
8. What are the best ways to meaningfully assimilate SBOM information and what subsequent analyses can be done to strengthen internal security practices?
9. How can the industry keep informed of the latest supply chain compromises? How do entities currently respond to these compromises to keep their systems secure? Are there ways to improve these responses?
What actions can government take, both formal regulatory actions and coordination, to help keep industry informed of supply chain compromises and to facilitate effective responses?
10. What key risk factors do entities need to consider prior to leveraging third party services and how should those risk factors be balanced with an entity’s organizational policy? What SCRM controls do you have in place to ensure your systems and products have a reduced risk of compromise? Please discuss any challenges that you have experienced as well as successes.
11. How should government and industry prioritize and coordinate federal cross-agency and private sector collaboration and activities regarding SCRM?

4:45 p.m.—Closing Remarks
5:00 p.m.—Adjourn

[FR Doc. 2022–24710 Filed 11–10–22; 8:45 am]
BILLING CODE 6717–01–P

Agencies

[Federal Register Volume 87, Number 218 (Monday, November 14, 2022)]
[Notices]
[Pages 68147-68150]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-24710]


-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

[Docket No. AD22-12-000]


Joint FERC-DOE Supply Chain Risk Management, Technical 
Conference; Supplemental Notice of Technical Conference

    Take notice that the Federal Energy Regulatory Commission 
(Commission) will convene a Joint Technical Conference with the U.S. 
Department of Energy in the above-referenced proceeding on December 7, 
2022, from approximately 8:30 a.m. to 5:00 p.m. Eastern Time. The 
conference will be held in-person at the Commission's

[[Page 68148]]

headquarters at 888 First Street NE, Washington, DC 20426 in the 
Commission Meeting Room.
    The purpose of this conference is to discuss supply chain security 
challenges related to the Bulk-Power System, ongoing supply chain-
related activities, and potential measures to secure the supply chain 
for the grid's hardware, software, computer, and networking equipment. 
FERC Commissioners and DOE's Office of Cybersecurity, Energy Security, 
and Emergency Response (CESER) Director will be in attendance, and 
panels will involve multiple DOE program offices, the North American 
Electric Reliability Corporation (NERC), trade associations, leading 
vendors and manufacturers, and utilities.
    The conference will be open for the public to attend, and there is 
no fee for attendance. This notice provides additional information 
regarding each panel and seeks nominations for interested panelists. 
The Commission will issue a further supplemental notice with a full 
agenda and the list of panelists. Information on this technical 
conference will also be posted on the Calendar of Events on the 
Commission's website, www.ferc.gov, prior to the event.
    The conference will also be transcribed. Transcripts will be 
available for a fee from Ace Reporting, (202) 347-3700.
    Those who wish to nominate their names for consideration as a panel 
participant should submit their name, title, company (or organization 
they are representing), telephone, email, a one-paragraph biography, 
picture, and topic they wish to address to: 
2022SupplyChainTechConference@ferc.gov by close of business on Friday, 
November 18, 2022.
    Commission conferences are accessible under section 508 of the 
Rehabilitation Act of 1973. For accessibility accommodations, please 
send an email to accessibility@ferc.gov, call toll-free (866) 208-3372 
(voice) or (202) 208-8659 (TTY), or send a fax to (202) 208-2106 with 
the required accommodations.
    For more information about this technical conference, please 
contact Simon Slobodnik at Simon.Slobodnik@ferc.gov or (202) 502-6707. 
For information related to logistics, please contact Lodie White at 
Lodie.White@ferc.gov or (202) 502-8453.

    Dated: November 7, 2022.
Kimberly D. Bose,
Secretary.

Supply Chain Risk Management Technical Conference

Docket No. AD22-12-000

December 7, 2022, 8:30 a.m.-5:00 p.m.

8:30 a.m.--Opening Remarks and Introductions
9:00 a.m.--Panel I: Supply Chain Risks Facing the Bulk-Power System

    The U.S. energy sector procures products and services from a 
globally distributed, highly complex, and increasingly interconnected 
set of supply chains. Information Technology (IT) and Operational 
Technology (OT) systems enable increased interconnectivity, process 
automation, and remote control. As a result, supply chain risks will 
continue to evolve and likely increase.\1\ This panel will discuss the 
state of supply chain risks from a national and geopolitical 
perspective. Specifically, the panel will explore current supply chain 
risks to the security of the grid's hardware, software, computer, and 
networking equipment and how well-resourced campaigns perpetrated by 
nation states, such as the SolarWinds incident, affect supply chain 
risk for the electric sector. Panelists will discuss the origins of 
these risks, their pervasiveness, the possible impacts they could have 
on Bulk-Power System reliability, and approaches to mitigating them. 
The panelists will also discuss challenges associated with supply chain 
visibility and covert embedded spyware or other compromising software 
or hardware in suppliers' products, parts, or services.
---------------------------------------------------------------------------

    \1\ See U.S. Dep't. of Energy, America's Strategy to Secure the 
Supply Chain for a Robust Clean Energy Transition: Response to 
Executive Order 14017, America's Supply Chains, 42, (Feb. 24, 2022), 
https://www.energy.gov/sites/default/files/2022-02/America's%20Strategy%20to%20Secure%20the%20Supply%20Chain%20for%20a%20Robust%20Clean%20Energy%20Transition%20FINAL.docx_0.pdf.
---------------------------------------------------------------------------

    This panel may include a discussion of the following topics and 
questions:
    1. Describe the types of challenges and risks associated with 
globally distributed, highly complex, and increasingly interconnected 
supply chains.
    2. Describe the difficulties associated with supply chain 
visibility and how origins of products or components may be obscured.
    3. How are foreign-supplied Bulk-Power System components being 
manipulated and is there a particular phase in the product lifecycle 
where the product is manipulated for nefarious intent?
    4. How are these supply chain challenges and risks currently being 
managed?
    5. How has the current geopolitical landscape impacted the energy 
sector's ability to manage supply chain challenges and risks?
    6. How can Sector Risk Management Agencies and Regulators promote 
and/or incentivize supply chain transparency at the earlier stages of 
product development and manufacturing?
    7. Discuss the pathways (e.g., voluntary best practices and 
guidelines, mandatory standards) that together could address the 
current supply chain challenges and risks.
    8. What actions can government take, both formal regulatory actions 
and coordination, to help identify and mitigate risks from the global 
supply chain for the energy sector?

10:30 a.m.--Break
10:45 a.m.--Panel II: Current Supply Chain Risk Management (SCRM) 
Reliability Standards, Implementation Challenges, Gaps, and 
Opportunities for Improvement

    It has now been more than six years since the Commission directed 
the development of mandatory standards to address supply chain risks, 
and more than two years since the first set of those standards became 
effective. As discussed in Panel I, supply chain risks have continued 
to grow in that time. In light of that evolving threat, panelists will 
discuss the existing SCRM Reliability Standards, including: (1) their 
effectiveness in securing the Bulk-Power System; (2) lessons learned 
from implementation of the current SCRM Reliability Standards; and (3) 
possible gaps in the currently effective SCRM Reliability Standards. 
This panel will also provide an opportunity to discuss any Reliability 
Standards in development, and how these new standards will help enhance 
security and help address some of the emerging supply chain threats.
    This panel may include a discussion of the following topics and 
questions:
    1. Are the currently effective SCRM Reliability Standards 
sufficient to successfully ensure Bulk-Power System reliability and 
security in light of existing and emerging risks?
    2. What requirements in the SCRM Reliability Standards present 
implementation challenges for registered entities and for vendors?
    3. How are implementation challenges being addressed for utilities 
and for vendors?
    4. Are there alternative methods for implementing the SCRM 
Reliability Standards that could eliminate challenges or enhance 
effectiveness moving forward?
    5. Based on the current and evolving threat landscape, would the 
currently effective SCRM Reliability Standards benefit from additional 
mandatory security control requirements and how would these additional 
controls improve the security of the Bulk-Power System?
    6. Are there currently effective SCRM criteria or standards that 
manufacturers must adhere to in foreign countries that may be prudent 
to adopt in the U.S.?

12:15 p.m.--Lunch
1:15 p.m.--Panel III: The U.S. Department of Energy's Energy Cyber 
Sense Program

    Through the voluntary Energy Cyber Sense Program, DOE will provide a 
comprehensive approach to securing the nation's critical energy 
infrastructure and supply chains from cyber threats. The Energy Cyber 
Sense Program will build upon direction in 
Section 40122 of the Bipartisan Infrastructure Law, as well as multiple 
requests from industry, leveraging existing programs and technologies, 
while also initiating new efforts. Through Energy Cyber Sense, DOE aims 
to work with manufacturers and asset owners to discover, mitigate, and 
engineer out cyber vulnerabilities in digital components in the Energy 
Sector Industrial Base critical supply chains. This program will 
provide a better understanding of the impacts and dependencies of 
software and systems used in the energy sector; illuminate the digital 
provenance of subcomponents in energy systems, hardware, and software; 
apply best-in-class testing to discover and address common mode 
vulnerabilities; and provide education and awareness across the sector 
and the broader supply chain community to optimize management of supply 
chain risks. This panel will discuss specific supply chain risks that 
Energy Cyber Sense will address as well as some of the programs and 
technologies DOE will bring to bear under the program to address the 
risks.
    This panel may include a discussion of the following topics and 
questions:
    1. How are emerging orders, standards, and process guidance, such 
as Executive Order 14017, Executive Order 14028, NIST Special 
Publication 800-161r1, ISA 62443, CIP-013-1, and others, changing how 
we assess our digital supply chain?
    2. Given the dependence of OT on application-specific hardware, how 
could the inclusion and linkage of Hardware Bill of Materials (HBOMs) 
with Software Bill of Materials (SBOMs) increase our ability to 
accurately and effectively assess and mitigate supply chain risk? To 
what degree is this inclusion and linkage of HBOMs with SBOMs taking 
place today and what steps should be taken to fill any remaining gaps?
    3. Given that much of the critical technology used in the energy 
sector is considered legacy technology, how can manufacturers, vendors, 
asset owners and operators, aided by the federal government, national 
laboratories, and other organizations, manage the supply chain risk 
from legacy technology? How can this risk management be coordinated 
with newer technologies that are more likely to receive SBOMs, HBOMs, 
and attestations?
    4. Where does testing, for example Cyber Testing for Resilient 
Industrial Control Systems (CyTRICS) and third-party testing, fit in 
the universe of ``rigorous and predictable mechanisms for ensuring that 
products function securely, and as intended?'' \2\
---------------------------------------------------------------------------

    \2\ See Exec. Order No. 14028, 86 FR 26,633, 26,646 (May 12, 
2021) (The Executive Order declared that the security of software 
used by the Federal Government is ``vital to the Federal 
Government's ability to perform its critical functions.'' The 
Executive Order further cited a ``pressing need to implement more 
rigorous and predictable mechanisms for ensuring that products 
function securely, and as intended.'')
---------------------------------------------------------------------------

    5. More than ever, developers are building applications on open-
source software libraries. How can developers address the risks 
inherent with open-source software and how can asset owners work with 
vendors to validate that appropriate open-source risk management 
measures have been taken?
    6. U.S. energy systems have significant dependencies on hardware 
components, including integrated circuits and semiconductors, most of 
which are manufactured outside of the U.S. What tools and technologies 
are needed to understand the provenance of hardware components used in 
U.S. energy systems and the risks from foreign manufacture? How will 
the newly passed CHIPS and Science Act change the risk landscape? What 
is needed in terms of regulation, standards, and other guidance to 
strengthen the security of the hardware component supply chain from 
cyber and other risks?

2:45 p.m.--Break
3:00 p.m.--Panel IV: Enhancing the Supply Chain Security Posture of the 
Bulk-Power System

    This panel will discuss forward-looking initiatives that can be 
used to improve the supply chain security posture of the Bulk-Power 
System. These initiatives could include vendor accreditation programs, 
product and service verification, improved internal supply chain 
security capability, third party services, and private and public 
partnerships.
    Vendor accreditation can be established in various ways. One of the 
more prominent ways is currently being explored by the North American 
Transmission Forum through its Supply Chain Security Assessment model 
and the associated questionnaire.\3\ The panel will also explore 
certain programs and practices used by utilities to verify the 
authenticity and effectiveness of products and services. Internal 
supply chain security capabilities include hiring people with the 
appropriate background and knowledge, while also developing relevant 
skills internally, through training on broad supply chain topics and 
applying them to the specific needs of the organization. Finally, this 
panel will address private and public partnerships on supply chain 
security and how they can facilitate timely access to information that 
will help better identify current and future supply chain threats to 
the Bulk-Power System and best practices to address those risks.
---------------------------------------------------------------------------

    \3\ https://www.natf.net/industry-initiatives/supply-chain-industry-coordination.
---------------------------------------------------------------------------

    This panel may include a discussion of the following topics and 
questions:
    1. What vendor accreditation programs currently exist or are in 
development? How can entities vet a vendor in the absence of a vendor 
accreditation program?
    2. What are the challenges, benefits, and risks associated with 
utilizing third-party services for maintaining a supply chain risk 
management program?
    3. What are the best practices and other guidance for security 
evaluation of vendors?
    4. What programs and practices are currently in use to ensure 
product and service integrity?
    5. What processes are used to test products prior to 
implementation?
    6. What is the right balance between vendor and product security 
and cost? Is there a point of diminishing returns?
    7. What are effective strategies for recruiting personnel with the 
appropriate background and SCRM skills to strengthen internal security 
practices? How do you provide the training necessary to further develop 
the skills specific to your unique organizational challenges?
    8. What are the best ways to meaningfully assimilate SBOM 
information and what subsequent analyses can be done to strengthen 
internal security practices?
    9. How can the industry keep informed of the latest supply chain 
compromises? How do entities currently respond to these compromises to 
keep their systems secure? Are there ways to improve these responses? 
What actions can government take, both formal regulatory actions and 
coordination, to help keep industry informed of supply chain 
compromises and to facilitate effective responses?
    10. What key risk factors do entities need to consider prior to 
leveraging third party services and how should those risk factors be 
balanced with an entity's organizational policy? What SCRM controls do 
you have in place to ensure your systems and products have a reduced 
risk of compromise? Please discuss any challenges that you have 
experienced as well as successes.
    11. How should government and industry prioritize and coordinate 
federal cross-agency and private sector collaboration and activities 
regarding SCRM?

4:45 p.m.--Closing Remarks
5:00 p.m.--Adjourn

[FR Doc. 2022-24710 Filed 11-10-22; 8:45 am]
BILLING CODE 6717-01-P

