Joint FERC-DOE Supply Chain Risk Management Technical Conference; Fourth Supplemental Notice of Technical Conference, 76032-76035 [2022-26916]
Federal Register / Vol. 87, No. 237 / Monday, December 12, 2022 / Notices
Signing Authority
This document of the Department of
Energy was signed on December 1, 2022,
by Todd N. Lapointe, Acting Director,
Office of Environment, Health, Safety
and Security, pursuant to delegated
authority from the Secretary of Energy.
That document with the original
signature and date is maintained by
DOE. For administrative purposes only,
and in compliance with requirements of
the Office of the Federal Register, the
undersigned DOE Federal Register
Liaison Officer has been authorized to
sign and submit the document in
electronic format for publication, as an
official document of the Department of
Energy. This administrative process in
no way alters the legal effect of this
document upon publication in the
Federal Register.
Signed in Washington, DC, on December 7,
2022.
Treena V. Garrett,
Federal Register Liaison Officer, U.S.
Department of Energy.
[FR Doc. 2022–26882 Filed 12–9–22; 8:45 am]
BILLING CODE 6450–01–P
DEPARTMENT OF ENERGY
Federal Energy Regulatory
Commission
[Docket No. AD22–12–000]
Joint FERC–DOE Supply Chain Risk
Management Technical Conference;
Fourth Supplemental Notice of
Technical Conference
Take notice that the Federal Energy
Regulatory Commission (Commission)
will convene a Joint Technical
Conference with the U.S. Department of
Energy in the above-referenced
proceeding on December 7, 2022, from
approximately 8:30 a.m. to 5:00 p.m.
Eastern Time. The conference will be
held in-person at the Commission’s
headquarters at 888 First Street NE,
Washington, DC 20426 in the
Commission Meeting Room.
The purpose of this conference is to
discuss supply chain security
challenges related to the Bulk-Power
System, ongoing supply chain-related
activities, and potential measures to
secure the supply chain for the grid’s
hardware, software, computer, and
networking equipment. FERC
Commissioners and DOE’s Office of
Cybersecurity, Energy Security, and
Emergency Response (CESER) Director
will be in attendance, and panels will
involve multiple DOE program offices,
the North American Electric Reliability
Corporation (NERC), trade associations,
leading vendors and manufacturers, and
utilities.
The conference will be open for the
public to attend, and there is no fee for
attendance. Information on this
technical conference will also be posted
on the Calendar of Events on the
Commission’s website, www.ferc.gov,
prior to the event.
Attached to this Supplemental Notice
is an agenda for the technical
conference, which includes the
technical conference program and
expected panelists.
The conference will also be
transcribed. Transcripts will be
available for a fee from Ace Reporting,
(202) 347–3700.
Commission conferences are
accessible under section 508 of the
Rehabilitation Act of 1973. For
accessibility accommodations, please
send an email to accessibility@ferc.gov,
call toll-free (866) 208–3372 (voice) or
(202) 208–8659 (TTY), or send a fax to
(202) 208–2106 with the required
accommodations.
For more information about this
technical conference, please contact
Simon Slobodnik at Simon.Slobodnik@ferc.gov or (202) 502–6707. For
information related to logistics, please
contact Lodie White at Lodie.White@ferc.gov or (202) 502–8453.
Dated: December 6, 2022.
Kimberly D. Bose,
Secretary.
Supply Chain Risk Management
Technical Conference; Docket No.
AD22–12–000; December 7, 2022, 8:30
a.m.–5:00 p.m.
8:30 a.m. Opening Remarks and
Introductions
8:45 a.m. Panel I: Supply Chain Risks
Facing the Bulk-Power System
The U.S. energy sector procures
products and services from a globally
distributed, highly complex, and
increasingly interconnected set of
supply chains. Information Technology
(IT) and Operational Technology (OT)
systems enable increased
interconnectivity, process automation,
and remote control. As a result, supply
chain risks will continue to evolve and
likely increase.1 This panel will discuss
the state of supply chain risks from a
national and geopolitical perspective.
Specifically, the panel will explore
current supply chain risks to the
security of the grid’s hardware, software,
computer, and networking equipment
and how well-resourced campaigns
perpetrated by nation states, such as the
SolarWinds incident, affect supply
chain risk for the electric sector.
Panelists will discuss the origins of
1 See U.S. Dep’t. of Energy, America’s Strategy to
Secure the Supply Chain for a Robust Clean Energy
Transition: Response to Executive Order 14017,
America’s Supply Chains, 42, (Feb. 24, 2022),
https://www.energy.gov/sites/default/files/2022-02/America’s%20Strategy%20to%20Secure%20the%20Supply%20Chain%20for%20a%20Robust%20Clean%20Energy%20Transition%20FINAL.docx_0.pdf.
DOE Form 5631.20, Request for
Visitor Access Approval: Section 145(b)
of the Atomic Energy Act of 1954, as
amended, codified at 42 U.S.C. 2165.
DOE Form 5631.18, Security
Acknowledgement: Section 145(b) of the
Atomic Energy Act of 1954, as amended,
codified at 42 U.S.C. 2165; Executive
Order 13526 (December 29, 2009);
Executive Order 10865 (Feb. 20, 1960);
Executive Order 10450 (April 27, 1953);
DOE Order 5631.2C (February 17, 1994).
DOE Form 5631.29, Security
Termination Statement: Section 145(b)
of the Atomic Energy Act of 1954, as
amended, codified at 42 U.S.C. 2165;
Executive Order 13526 (December 29,
2009); Executive Order 10865 (Feb. 20,
1960); Executive Order 10450 (Apr. 27,
1953); 32 CFR part 2001; DOE O 472.2
(July 21, 2011).
DOE Form 5631.5, The Conduct of
Personnel Security Interviews: 10 CFR
part 710; Executive Order 12968 (Aug.
2, 1995); Executive Order 10450 (April
27, 1953); DOE Order 472.2 (July 21,
2011).
DOE Form 473.3, U.S. Department of
Energy Clearance Access Request; DOE
Form 471.1, Security Incident
Notification Report; DOE Form 472.3
Foreign Citizenship Acknowledgement;
and DOE Form 473.2, Security Badge
Request; the Atomic Energy Act of 1954,
as amended, and by Executive Orders
13764, 10865, and 13526.
Electronic Foreign Ownership,
Control or Influence (e-FOCI) System:
Executive Order 12829 (January 6,
1993); DOE Order 470.4B (July 21,
2011).
Foreign Access Central Tracking
System (FACTS): Presidential Decision
Directive 61 (February 1999); DOE
Order 142.3A (October 14, 2010).
these risks, their pervasiveness, the
possible impacts they could have on
Bulk-Power System reliability, and
approaches to mitigating them. The
panelists will also discuss challenges
associated with supply chain visibility
and covert embedded spyware or other
compromising software or hardware in
suppliers’ products, parts, or services.
This panel may include a discussion
of the following topics and questions:
1. Describe the types of challenges
and risks associated with globally
distributed, highly complex, and
increasingly interconnected supply
chains.
2. Describe the difficulties associated
with supply chain visibility and how
origins of products or components may
be obscured.
3. How are foreign-supplied Bulk-Power System components being
manipulated and is there a particular
phase in the product lifecycle where the
product is manipulated for nefarious
intent?
4. How are these supply chain
challenges and risks currently being
managed?
5. How has the current geopolitical
landscape impacted the energy sector’s
ability to manage supply chain
challenges and risks?
6. How can Sector Risk Management
Agencies and Regulators promote and/
or incentivize supply chain
transparency at the earlier stages of
product development and
manufacturing?
7. Discuss the pathways (e.g.,
voluntary best practices and guidelines,
mandatory standards) that together
could address the current supply chain
challenges and risks?
8. What actions can government take,
both formal regulatory actions and
coordination, to help identify and
mitigate risks from the global supply
chain for the energy sector?
Panelists
• Mara Winn, Deputy Director,
Preparedness, Policy, and Risk
Analysis, DOE CESER
• Jeanette McMillian, Assistant
Director, Supply Chain and Cyber
Directorate, National
Counterintelligence and Security
Center
• Manny Cancel, Senior Vice President,
NERC and CEO, Electricity
Information Sharing and Analysis
Center
• Marty Edwards, Deputy Chief
Technical Officer—OT/IoT, Tenable
• Jon Amis, Principal, Supply Chain
Solutions, LMI
• Emily Frye, Director for Cyber
Integration at the Homeland Security
Center, MITRE Corporation
10:30 a.m.
Break
10:45 a.m. Panel II: Current Supply
Chain Risk Management (SCRM)
Reliability Standards, Implementation
Challenges, Gaps, and Opportunities for
Improvement
It has now been more than six years
since the Commission directed the
development of mandatory standards to
address supply chain risks, and more
than two years since the first set of those
standards became effective. As
discussed in Panel 1, supply chain risks
have continued to grow in that time. In
light of that evolving threat, panelists
will discuss the existing SCRM
Reliability Standards, including: (1)
their effectiveness in securing the Bulk-Power System; (2) lessons learned from
implementation of the current SCRM
Reliability Standards; and (3) possible
gaps in the currently effective SCRM
Reliability Standards. This panel will
also provide an opportunity to discuss
any Reliability Standards in
development, and how these new
standards will help enhance security
and help address some of the emerging
supply chain threats.
This panel may include a discussion
of the following topics and questions:
1. Are the currently effective SCRM
Reliability Standards sufficient to
successfully ensure Bulk-Power System
reliability and security in light of
existing and emerging risks?
2. What requirements in the SCRM
Reliability Standards present
implementation challenges for
registered entities and for vendors?
3. How are implementation challenges
being addressed for utilities and for
vendors?
4. Are there alternative methods for
implementing the SCRM Reliability
Standards that could eliminate
challenges or enhance effectiveness
moving forward?
5. Based on the current and evolving
threat landscape, would the currently
effective SCRM Reliability Standards
benefit from additional mandatory
security control requirements and how
would these additional controls
improve the security of the Bulk-Power
System?
6. Are there currently effective SCRM
criteria or standards that manufacturers
must adhere to in foreign countries that
may be prudent to adopt in the U.S.?
Panelists
• Lonnie Ratliff, Director of Compliance
Assurance and Certification, NERC
• Adrienne Lotto, Senior Vice President
of Grid Security, Technical &
Operations Services, American Public
Power Association
• Jeffrey Sweet, Director of Security
Assessments, American Electric
Power
• Shari Gribbin, Managing Partner, CNK
Solutions
• Scott Aaronson, Senior Vice President
of Security and Preparedness, Edison
Electric Institute
12:15 p.m.
Lunch
1:15 p.m. Panel III: The U.S.
Department of Energy’s Energy Cyber
Sense Program
Through the Energy Cyber Sense
Program, DOE will provide a
comprehensive approach to securing the
nation’s critical energy infrastructure
and supply chains from cyber threats
with this voluntary program. The
Energy Cyber Sense Program will build
upon direction in Section 40122 of the
Bipartisan Infrastructure Law, as well as
multiple requests from industry,
leveraging existing programs and
technologies, while also initiating new
efforts. Through Energy Cyber Sense,
DOE aims to work with manufacturers
and asset owners to discover, mitigate,
and engineer out cyber vulnerabilities in
digital components in the Energy Sector
Industrial Base critical supply chains.
This program will provide a better
understanding of the impacts and
dependencies of software and systems
used in the energy sector; illuminate the
digital provenance of subcomponents in
energy systems, hardware, and software;
apply best-in-class testing to discover
and address common mode
vulnerabilities; and provide education
and awareness, across the sector and the
broader supply chain community to
optimize management of supply chain
risks. This panel will discuss specific
supply chain risks that Energy Cyber
Sense will address as well as some of
the programs and technologies DOE will
bring to bear under the program to
address the risks.
This panel may include a discussion
of the following topics and questions:
1. How are emerging orders,
standards, and process guidance, such
as Executive Order 14017, Executive
Order 14028, NIST Special Publication
800–161r1, ISA 62443, CIP–013–1, and
others, changing how we assess our
digital supply chain?
2. Given the dependence of OT on
application-specific hardware, how
could the inclusion and linkage of
Hardware Bill of Materials (HBOMs)
with Software Bill of Materials (SBOMs)
increase our ability to accurately and
effectively assess and mitigate supply
chain risk? To what degree is this
inclusion and linkage of HBOMs with
SBOMs taking place today and what
steps should be taken to fill any
remaining gaps?
3. Given that much of the critical
technology used in the energy sector is
considered legacy technology, how can
manufacturers, vendors, asset owners
and operators, aided by the federal
government, national laboratories, and
other organizations, manage the supply
chain risk from legacy technology? How
can this risk management be
coordinated with newer technologies
that are more likely to receive SBOMs,
HBOMs, and attestations?
4. Where does testing, for example
Cyber Testing for Resilient Industrial
Control Systems (CyTRICS) and third-party testing, fit in the universe of
“rigorous and predictable mechanisms
for ensuring that products function
securely, and as intended?” 2
5. More than ever, developers are
building applications on open-source
software libraries. How can developers
address the risks inherent with open-source software and how can asset
owners work with vendors to validate
that appropriate open-source risk
management measures have been taken?
6. U.S. energy systems have
significant dependencies on hardware
components, including integrated
circuits and semiconductors, most of
which are manufactured outside of the
US. What tools and technologies are
needed to understand the provenance of
hardware components used in U.S.
energy systems and the risks from
foreign manufacture? How will the
newly passed CHIPS and Science Act
change the risk landscape? What is
needed in terms of regulation,
standards, and other guidance to
strengthen the security of the hardware
component supply chain from cyber and
other risks?
Panelists
• Steven Kunsman, Director Product
Management and Applications,
Hitachi Energy
• Ron Brash, Vice President Technical
Research & Integrations, aDolus
• Zachary Tudor, Associate Laboratory
Director, National and Homeland
Security
• Allan Friedman, Senior Advisor and
Strategist, DHS CISA
• Brian Barrios, Vice President,
Cybersecurity & IT Compliance,
Southern California Edison
2 See Exec. Order No. 14028, 86 FR 26633, 26646
(May 12, 2021) (The Executive Order declared that
the security of software used by the Federal
Government is “vital to the Federal Government’s
ability to perform its critical functions.” The
Executive Order further cited a “pressing need to
implement more rigorous and predictable
mechanisms for ensuring that products function
securely, and as intended.”)
• Dick Brooks, Co-Founder & Lead
Software Engineer, Reliable Energy
Analytics
2:45 p.m.
Break
3:00 p.m. Panel IV: Enhancing the
Supply Chain Security Posture of the
Bulk-Power System
This panel will discuss forward-looking initiatives that can be used to
improve the supply chain security
posture of the Bulk-Power System.
These initiatives could include vendor
accreditation programs, product and
service verification, improved internal
supply chain security capability, third
party services, and private and public
partnerships.
Vendor accreditation can be
established in various ways. One of the
more prominent ways is currently being
explored by the North American
Transmission Forum through its Supply
Chain Security Assessment model and
the associated questionnaire.3 The panel
will also explore certain programs and
practices used by utilities to verify the
authenticity and effectiveness of
products and services. Internal supply
chain security capabilities include
hiring people with the appropriate
background and knowledge, while also
developing relevant skills internally,
through training on broad supply chain
topics and applying them to the specific
needs of the organization. Finally, this
panel will address private and public
partnerships on supply chain security
and how they can facilitate timely
access to information that will help
better identify current and future supply
chain threats to the Bulk-Power System
and best practices to address those risks.
This panel may include a discussion
of the following topics and questions:
1. What vendor accreditation
programs currently exist or are in
development? How can entities vet a
vendor in the absence of a vendor
accreditation program?
2. What are the challenges, benefits,
and risks associated with utilizing third-party services for maintaining a supply
chain risk management program?
3. What are the best practices and
other guidance for security evaluation of
vendors?
4. What programs and practices are
currently in use to ensure product and
service integrity?
5. What processes are used to test
products prior to implementation?
6. What is the right balance between
vendor and product security and cost?
Is there a point of diminishing returns?
3 https://www.natf.net/industry-initiatives/supply-chain-industry-coordination.
7. What are effective strategies for
recruiting personnel with the
appropriate background and SCRM
skills to strengthen internal security
practices? How do you provide the
training necessary to further develop the
skills specific to your unique
organizational challenges?
8. What are the best ways to
meaningfully assimilate SBOM
information and what subsequent
analyses can be done to strengthen
internal security practices?
9. How can the industry keep
informed of the latest supply chain
compromises? How do entities currently
respond to these compromises to keep
their systems secure? Are there ways to
improve these responses? What actions
can government take, both formal
regulatory actions and coordination, to
help keep industry informed of supply
chain compromises and to facilitate
effective responses?
10. What key risk factors do entities
need to consider prior to leveraging
third party services and how should
those risk factors be balanced with an
entity’s organizational policy? What
SCRM controls do you have in place to
ensure your systems and products have
a reduced risk of compromise? Please
discuss any challenges that you have
experienced as well as successes.
11. How should government and
industry prioritize and coordinate
federal cross-agency and private sector
collaboration and activities regarding
SCRM?
Panelists
• Tobias Whitney, Vice President of
Strategy and Policy, Fortress
Information Security
• Valerie Agnew, General Counsel,
North American Transmission Forum
• David Schleicher, President and CEO,
Northern Virginia Electric
Cooperative
• Ron Schoff, Director, Research &
Development, Electric Power
Research Institute
• Matt Dale, Cybersecurity Program
Manager, Virginia State Corporation
Commission
• Robert R. Scott, Commissioner, New
Hampshire Department of
Environmental Services. Governor’s
Advisor for Utility Critical
Infrastructure Cybersecurity.
Managing Director, New England
Utility Cybersecurity Integration
Collaborative
• Joyce Corell, Senior Technology
Advisor to the NCD, Office of the
National Cyber Director, Executive
Office of the President
4:45 p.m.
Closing Remarks
5:00 p.m.
Adjourn
[FR Doc. 2022–26916 Filed 12–9–22; 8:45 am]
BILLING CODE 6717–01–P
DEPARTMENT OF ENERGY
Federal Energy Regulatory
Commission
[Docket No. ER23–562–000]
TGP Energy Management II, LLC;
Supplemental Notice That Initial
Market-Based Rate Filing Includes
Request for Blanket Section 204
Authorization
This is a supplemental notice in the
above-referenced proceeding of TGP
Energy Management II, LLC’s
application for market-based rate
authority, with an accompanying rate
tariff, noting that such application
includes a request for blanket
authorization, under 18 CFR part 34, of
future issuances of securities and
assumptions of liability.
Any person desiring to intervene or to
protest should file with the Federal
Energy Regulatory Commission, 888
First Street NE, Washington, DC 20426,
in accordance with Rules 211 and 214
of the Commission’s Rules of Practice
and Procedure (18 CFR 385.211 and
385.214). Anyone filing a motion to
intervene or protest must serve a copy
of that document on the Applicant.
Notice is hereby given that the
deadline for filing protests with regard
to the applicant’s request for blanket
authorization, under 18 CFR part 34, of
future issuances of securities and
assumptions of liability, is December 26,
2022.
The Commission encourages
electronic submission of protests and
interventions in lieu of paper, using the
FERC Online links at https://www.ferc.gov. To facilitate electronic
service, persons with internet access
who will eFile a document and/or be
listed as a contact for an intervenor
must create and validate an
eRegistration account using the
eRegistration link. Select the eFiling
link to log on and submit the
intervention or protests.
Persons unable to file electronically
may mail similar pleadings to the
Federal Energy Regulatory Commission,
888 First Street NE, Washington, DC
20426. Hand delivered submissions in
docketed proceedings should be
delivered to Health and Human
Services, 12225 Wilkins Avenue,
Rockville, Maryland 20852.
In addition to publishing the full text
of this document in the Federal
Register, the Commission provides all
interested persons an opportunity to
view and/or print the contents of this
document via the internet through the
Commission’s Home Page (https://www.ferc.gov) using the “eLibrary” link.
Enter the docket number excluding the
last three digits in the docket number
field to access the document. At this
time, the Commission has suspended
access to the Commission’s Public
Reference Room, due to the
proclamation declaring a National
Emergency concerning the Novel
Coronavirus Disease (COVID–19), issued
by the President on March 13, 2020. For
assistance, contact the Federal Energy
Regulatory Commission at
FERCOnlineSupport@ferc.gov or call
toll-free, (886) 208–3676 or TTY, (202)
502–8659.
Dated: December 6, 2022.
Kimberly D. Bose,
Secretary.
[FR Doc. 2022–26917 Filed 12–9–22; 8:45 am]
BILLING CODE 6717–01–P
DEPARTMENT OF ENERGY
Federal Energy Regulatory
Commission
Combined Notice of Filings
Take notice that the Commission has
received the following Natural Gas
Pipeline Rate and Refund Report filings:
Filings Instituting Proceedings
Docket Numbers: RP23–266–000.
Applicants: Rockies Express Pipeline
LLC.
Description: § 4(d) Rate Filing: REX
2022–12–05 Negotiated Rate Agreement
to be effective 12/6/2022.
Filed Date: 12/5/22.
Accession Number: 20221205–5131.
Comment Date: 5 p.m. ET 12/19/22.
Docket Numbers: RP23–267–000.
Applicants: Rover Pipeline LLC.
Description: § 4(d) Rate Filing: GT&C
Section 25 Reservation Charge Credit to
be effective 1/6/2023.
Filed Date: 12/6/22.
Accession Number: 20221206–5006.
Comment Date: 5 p.m. ET 12/19/22.
Docket Numbers: RP23–268–000.
Applicants: Columbia Gas
Transmission, LLC.
Description: § 4(d) Rate Filing: Vitol
OPT30 & OPT60 Rev Share Negotiated
Rate Agmts to be effective 12/1/2022.
Filed Date: 12/6/22.
Accession Number: 20221206–5058.
Comment Date: 5 p.m. ET 12/19/22.
Any person desiring to intervene or
protest in any of the above proceedings
must file in accordance with Rules 211
and 214 of the Commission’s
Regulations (18 CFR 385.211 and
385.214) on or before 5:00 p.m. Eastern
time on the specified comment date.
Protests may be considered, but
intervention is necessary to become a
party to the proceeding.
Filings in Existing Proceedings
Docket Numbers: RP22–501–003.
Applicants: ANR Pipeline Company.
Description: Filing Withdrawal:
Withdrawal of Motion to Place Interim
Settlement Rates Into Effect to be
effective N/A.
Filed Date: 12/5/22.
Accession Number: 20221205–5116.
Comment Date: 5 p.m. ET 12/19/22.
Any person desiring to protest in any
of the above proceedings must file in
accordance with Rule 211 of the
Commission’s Regulations (18 CFR
385.211) on or before 5:00 p.m. Eastern
time on the specified comment date.
The filings are accessible in the
Commission’s eLibrary system (https://elibrary.ferc.gov/idmws/search/fercgensearch.asp) by querying the
docket number.
eFiling is encouraged. More detailed
information relating to filing
requirements, interventions, protests,
service, and qualifying facilities filings
can be found at: https://www.ferc.gov/docs-filing/efiling/filing-req.pdf. For
other information, call (866) 208–3676
(toll free). For TTY, call (202) 502–8659.
Dated: December 6, 2022.
Kimberly D. Bose,
Secretary.
[FR Doc. 2022–26914 Filed 12–9–22; 8:45 am]
BILLING CODE 6717–01–P
DEPARTMENT OF ENERGY
Federal Energy Regulatory
Commission
Combined Notice of Filings #1
Take notice that the Commission
received the following electric corporate
filings:
Docket Numbers: EC22–74–000.
Applicants: Wisconsin Power and
Light Company, Wisconsin Public
Service Corporation, Madison Gas and
Electric Company.
Description: Wisconsin Public Service
Corporation submits Supplement to
Response to September 8, 2022,
Deficiency Letter.
Filed Date: 10/11/22.
Accession Number: 20221011–5357.
Comment Date: 5 p.m. ET 12/8/22.
[Federal Register Volume 87, Number 237 (Monday, December 12, 2022)]
[Notices]
[Pages 76032-76035]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-26916]
-----------------------------------------------------------------------
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission
[Docket No. AD22-12-000]
Joint FERC-DOE Supply Chain Risk Management Technical Conference;
Fourth Supplemental Notice of Technical Conference
Take notice that the Federal Energy Regulatory Commission
(Commission) will convene a Joint Technical Conference with the U.S.
Department of Energy in the above-referenced proceeding on December 7,
2022, from approximately 8:30 a.m. to 5:00 p.m. Eastern Time. The
conference will be held in-person at the Commission's headquarters at
888 First Street NE, Washington, DC 20426 in the Commission Meeting
Room.
The purpose of this conference is to discuss supply chain security
challenges related to the Bulk-Power System, ongoing supply chain-
related activities, and potential measures to secure the supply chain
for the grid's hardware, software, computer, and networking equipment.
FERC Commissioners and DOE's Office of Cybersecurity, Energy Security,
and Emergency Response (CESER) Director will be in attendance, and
panels will involve multiple DOE program offices, the North American
Electric Reliability Corporation (NERC), trade associations, leading
vendors and manufacturers, and utilities.
The conference will be open for the public to attend, and there is
no fee for attendance. Information on this technical conference will
also be posted on the Calendar of Events on the Commission's website,
www.ferc.gov, prior to the event.
Attached to this Supplemental Notice is an agenda for the technical
conference, which includes the technical conference program and
expected panelists.
The conference will also be transcribed. Transcripts will be
available for a fee from Ace Reporting, (202) 347-3700.
Commission conferences are accessible under section 508 of the
Rehabilitation Act of 1973. For accessibility accommodations, please
send an email to [email protected], call toll-free (866) 208-3372
(voice) or (202) 208-8659 (TTY), or send a fax to (202) 208-2106 with
the required accommodations.
For more information about this technical conference, please
contact Simon Slobodnik at [email protected] or (202) 502-6707.
For information related to logistics, please contact Lodie White at
[email protected] or (202) 502-8453.
Dated: December 6, 2022.
Kimberly D. Bose,
Secretary.
[GRAPHIC] [TIFF OMITTED] TN12DE22.000
Supply Chain Risk Management Technical Conference; Docket No. AD22-12-
000; December 7, 2022, 8:30 a.m.-5:00 p.m.
8:30 a.m. Opening Remarks and Introductions
8:45 a.m. Panel I: Supply Chain Risks Facing the Bulk-Power System
The U.S. energy sector procures products and services from a
globally distributed, highly complex, and increasingly interconnected
set of supply chains. Information Technology (IT) and Operational
Technology (OT) systems enable increased interconnectivity, process
automation, and remote control. As a result, supply chain risks will
continue to evolve and likely increase.\1\ This panel will discuss the
state of supply chain risks from a national and geopolitical
perspective. Specifically, the panel will explore current supply chain
risks to the security of grid's hardware, software, computer, and
networking equipment and how well-resourced campaigns perpetrated by
nation states, such as the SolarWinds incident, affect supply chain
risk for the electric sector. Panelists will discuss the origins of
[[Page 76033]]
these risks, their pervasiveness, the possible impacts they could have
on Bulk-Power System reliability, and approaches to mitigating them.
The panelists will also discuss challenges associated with supply chain
visibility and covert embedded spyware or other compromising software
or hardware in suppliers' products, parts, or services.
---------------------------------------------------------------------------
\1\ See U.S. Dep't. of Energy, America's Strategy to Secure the
Supply Chain for a Robust Clean Energy Transition: Response to
Executive Order 14017, America's Supply Chains, 42, (Feb. 24, 2022),
https://www.energy.gov/sites/default/files/2022-02/America's%20Strategy%20to%20Secure%20the%20Supply%20Chain%20for%20a%2
0Robust%20Clean%20Energy%20Transition%20FINAL.docx_0.pdf.
---------------------------------------------------------------------------
This panel may include a discussion of the following topics and
questions:
1. Describe the types of challenges and risks associated with
globally distributed, highly complex, and increasingly interconnected
supply chains.
2. Describe the difficulties associated with supply chain
visibility and how origins of products or components may be obscured.
3. How are foreign-supplied Bulk-Power System components being
manipulated and is there a particular phase in the product lifecycle
where the product is manipulated for nefarious intent?
4. How are these supply chain challenges and risks currently being
managed?
5. How has the current geopolitical landscape impacted the energy
sector's ability to manage supply chain challenges and risks?
6. How can Sector Risk Management Agencies and Regulators promote
and/or incentivize supply chain transparency at the earlier stages of
product development and manufacturing?
7. Discuss the pathways (e.g., voluntary best practices and
guidelines, mandatory standards) that together could address the
current supply chain challenges and risks.
8. What actions can government take, both formal regulatory actions
and coordination, to help identify and mitigate risks from the global
supply chain for the energy sector?
Panelists
Mara Winn, Deputy Director, Preparedness, Policy, and Risk
Analysis, DOE CESER
Jeanette McMillian, Assistant Director, Supply Chain and Cyber
Directorate, National Counterintelligence and Security Center
Manny Cancel, Senior Vice President, NERC and CEO, Electricity
Information Sharing and Analysis Center
Marty Edwards, Deputy Chief Technical Officer--OT/IoT, Tenable
Jon Amis, Principal, Supply Chain Solutions, LMI
Emily Frye, Director for Cyber Integration at the Homeland
Security Center, MITRE Corporation
10:30 a.m. Break
10:45 a.m. Panel II: Current Supply Chain Risk Management (SCRM)
Reliability Standards, Implementation Challenges, Gaps, and
Opportunities for Improvement
It has now been more than six years since the Commission directed
the development of mandatory standards to address supply chain risks,
and more than two years since the first set of those standards became
effective. As discussed in Panel 1, supply chain risks have continued
to grow in that time. In light of that evolving threat, panelists will
discuss the existing SCRM Reliability Standards, including: (1) their
effectiveness in securing the Bulk-Power System; (2) lessons learned
from implementation of the current SCRM Reliability Standards; and (3)
possible gaps in the currently effective SCRM Reliability Standards.
This panel will also provide an opportunity to discuss any Reliability
Standards in development, and how these new standards will help enhance
security and help address some of the emerging supply chain threats.
This panel may include a discussion of the following topics and
questions:
1. Are the currently effective SCRM Reliability Standards
sufficient to successfully ensure Bulk-Power System reliability and
security in light of existing and emerging risks?
2. What requirements in the SCRM Reliability Standards present
implementation challenges for registered entities and for vendors?
3. How are implementation challenges being addressed for utilities
and for vendors?
4. Are there alternative methods for implementing the SCRM
Reliability Standards that could eliminate challenges or enhance
effectiveness moving forward?
5. Based on the current and evolving threat landscape, would the
currently effective SCRM Reliability Standards benefit from additional
mandatory security control requirements and how would these additional
controls improve the security of the Bulk-Power System?
6. Are there currently effective SCRM criteria or standards that
manufacturers must adhere to in foreign countries that may be prudent
to adopt in the U.S.?
Panelists
Lonnie Ratliff, Director of Compliance Assurance and
Certification, NERC
Adrienne Lotto, Senior Vice President of Grid Security,
Technical & Operations Services, American Public Power Association
Jeffrey Sweet, Director of Security Assessments, American
Electric Power
Shari Gribbin, Managing Partner, CNK Solutions
Scott Aaronson, Senior Vice President of Security and
Preparedness, Edison Electric Institute
12:15 p.m. Lunch
1:15 p.m. Panel III: The U.S. Department of Energy's Energy Cyber Sense
Program
Through the Energy Cyber Sense Program, DOE will provide a
comprehensive approach to securing the nation's critical energy
infrastructure and supply chains from cyber threats with this voluntary
program. The Energy Cyber Sense Program will build upon direction in
Section 40122 of the Bipartisan Infrastructure Law, as well as multiple
requests from industry, leveraging existing programs and technologies,
while also initiating new efforts. Through Energy Cyber Sense, DOE aims
to work with manufacturers and asset owners to discover, mitigate, and
engineer out cyber vulnerabilities in digital components in the Energy
Sector Industrial Base critical supply chains. This program will
provide a better understanding of the impacts and dependencies of
software and systems used in the energy sector; illuminate the digital
provenance of subcomponents in energy systems, hardware, and software;
apply best-in-class testing to discover and address common mode
vulnerabilities; and provide education and awareness, across the sector
and the broader supply chain community to optimize management of supply
chain risks. This panel will discuss specific supply chain risks that
Energy Cyber Sense will address as well as some of the programs and
technologies DOE will bring to bear under the program to address the
risks.
This panel may include a discussion of the following topics and
questions:
1. How are emerging orders, standards, and process guidance, such
as Executive Order 14017, Executive Order 14028, NIST Special
Publication 800-161r1, ISA 62443, CIP-013-1, and others, changing how
we assess our digital supply chain?
2. Given the dependence of OT on application-specific hardware, how
could the inclusion and linkage of Hardware Bill of Materials (HBOMs)
with Software Bill of Materials (SBOMs) increase our ability to
accurately and effectively assess and mitigate supply chain risk? To
what degree is this inclusion and linkage of HBOMs with SBOMs taking
place today and what
steps should be taken to fill any remaining gaps?
3. Given that much of the critical technology used in the energy
sector is considered legacy technology, how can manufacturers, vendors,
asset owners and operators, aided by the federal government, national
laboratories, and other organizations, manage the supply chain risk
from legacy technology? How can this risk management be coordinated
with newer technologies that are more likely to receive SBOMs, HBOMs,
and attestations?
4. Where does testing, for example Cyber Testing for Resilient
Industrial Control Systems (CyTRICS) and third-party testing, fit in
the universe of ``rigorous and predictable mechanisms for ensuring that
products function securely, and as intended?'' \2\
---------------------------------------------------------------------------
\2\ See Exec. Order No. 14028, 86 FR 26633, 26646 (May 12, 2021)
(The Executive Order declared that the security of software used by
the Federal Government is ``vital to the Federal Government's
ability to perform its critical functions.'' The Executive Order
further cited a ``pressing need to implement more rigorous and
predictable mechanisms for ensuring that products function securely,
and as intended.'')
---------------------------------------------------------------------------
5. More than ever, developers are building applications on open-
source software libraries. How can developers address the risks
inherent with open-source software and how can asset owners work with
vendors to validate that appropriate open-source risk management
measures have been taken?
6. U.S. energy systems have significant dependencies on hardware
components, including integrated circuits and semiconductors, most of
which are manufactured outside of the US. What tools and technologies
are needed to understand the provenance of hardware components used in
U.S. energy systems and the risks from foreign manufacture? How will
the newly passed CHIPS and Science Act change the risk landscape? What
is needed in terms of regulation, standards, and other guidance to
strengthen the security of the hardware component supply chain from
cyber and other risks?
Panelists
Steven Kunsman, Director Product Management and Applications,
Hitachi Energy
Ron Brash, Vice President Technical Research & Integrations,
aDolus
Zachary Tudor, Associate Laboratory Director, National and
Homeland Security
Allan Friedman, Senior Advisor and Strategist, DHS CISA
Brian Barrios, Vice President, Cybersecurity & IT Compliance,
Southern California Edison
Dick Brooks, Co-Founder & Lead Software Engineer, Reliable
Energy Analytics
2:45 p.m. Break
3:00 p.m. Panel IV: Enhancing the Supply Chain Security Posture of the
Bulk-Power System
This panel will discuss forward-looking initiatives that can be
used to improve the supply chain security posture of the Bulk-Power
System. These initiatives could include vendor accreditation programs,
product and service verification, improved internal supply chain
security capability, third party services, and private and public
partnerships.
Vendor accreditation can be established in various ways. One of the
more prominent ways is currently being explored by the North American
Transmission Forum through its Supply Chain Security Assessment model
and the associated questionnaire.\3\ The panel will also explore
certain programs and practices used by utilities to verify the
authenticity and effectiveness of products and services. Internal
supply chain security capabilities include hiring people with the
appropriate background and knowledge, while also developing relevant
skills internally, through training on broad supply chain topics and
applying them to the specific needs of the organization. Finally, this
panel will address private and public partnerships on supply chain
security and how they can facilitate timely access to information that
will help better identify current and future supply chain threats to
the Bulk-Power System and best practices to address those risks.
---------------------------------------------------------------------------
\3\ https://www.natf.net/industry-initiatives/supply-chain-industry-coordination.
---------------------------------------------------------------------------
This panel may include a discussion of the following topics and
questions:
1. What vendor accreditation programs currently exist or are in
development? How can entities vet a vendor in the absence of a vendor
accreditation program?
2. What are the challenges, benefits, and risks associated with
utilizing third-party services for maintaining a supply chain risk
management program?
3. What are the best practices and other guidance for security
evaluation of vendors?
4. What programs and practices are currently in use to ensure
product and service integrity?
5. What processes are used to test products prior to
implementation?
6. What is the right balance between vendor and product security
and cost? Is there a point of diminishing returns?
7. What are effective strategies for recruiting personnel with the
appropriate background and SCRM skills to strengthen internal security
practices? How do you provide the training necessary to further develop
the skills specific to your unique organizational challenges?
8. What are the best ways to meaningfully assimilate SBOM
information and what subsequent analyses can be done to strengthen
internal security practices?
9. How can the industry keep informed of the latest supply chain
compromises? How do entities currently respond to these compromises to
keep their systems secure? Are there ways to improve these responses?
What actions can government take, both formal regulatory actions and
coordination, to help keep industry informed of supply chain
compromises and to facilitate effective responses?
10. What key risk factors do entities need to consider prior to
leveraging third party services and how should those risk factors be
balanced with an entity's organizational policy? What SCRM controls do
you have in place to ensure your systems and products have a reduced
risk of compromise? Please discuss any challenges that you have
experienced as well as successes.
11. How should government and industry prioritize and coordinate
federal cross-agency and private sector collaboration and activities
regarding SCRM?
Panelists
Tobias Whitney, Vice President of Strategy and Policy,
Fortress Information Security
Valerie Agnew, General Counsel, North American Transmission
Forum
David Schleicher, President and CEO, Northern Virginia
Electric Cooperative
Ron Schoff, Director, Research & Development, Electric Power
Research Institute
Matt Dale, Cybersecurity Program Manager, Virginia State
Corporation Commission
Robert R. Scott, Commissioner, New Hampshire Department of
Environmental Services. Governor's Advisor for Utility Critical
Infrastructure Cybersecurity. Managing Director, New England Utility
Cybersecurity Integration Collaborative
Joyce Corell, Senior Technology Advisor to the NCD, Office of
the National Cyber Director, Executive Office of the President
4:45 p.m. Closing Remarks
5:00 p.m. Adjourn
[FR Doc. 2022-26916 Filed 12-9-22; 8:45 am]
BILLING CODE 6717-01-P