FERC And NERC Publish Whitepaper On SolarWinds And Related Supply Chain Compromise

• Published date: 09 July 2021
• Subject Matter: Energy and Natural Resources, Technology, Energy Law, Oil, Gas & Electricity, Security
• Law Firm: Akin Gump Strauss Hauer & Feld LLP
• Author: Mr Scott Johnson

On July 6, 2021, the staff of the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) Electricity Information Sharing and Analysis Center (E-ISAC) issued a whitepaper entitled "SolarWinds and Related Supply Chain Compromise - Lessons for the North American Electricity Industry." The whitepaper "describes these major supply chain-related cyber security events and the key actions to take to secure systems"¹ and is "intended for electric industry stakeholders and vendors as they consider their next steps in continued response to the SolarWinds cyberattack"² and "other recently identified cybersecurity vulnerabilities [that] have the potential to compromise electric industry cybersecurity."³ The whitepaper:

• "primarily focuses on the significant and ongoing cyber event related to the SolarWinds Orion platform and the related Microsoft 365/Azure Cloud compromise, [and] also addresses vulnerabilities in products such as Pulse Connect Secure Microsoft's on-premise Exchange servers, and F5's BIG-IP;"⁴
• "offers key actions to take and key questions to ask to ensure the electricity industry is taking all necessary steps to mitigate compromises related to these incidents and vulnerabilities;"⁵ and
• "highlights the need for continued vigilance by the electricity industry related to supply chain compromises and incidents, identifies key elements of adversary tradecraft highlights specific malwares and tools to remediate, and recommends actions to ensure the reliability and security of the [bulk-power system]."⁶

With regard to the SolarWinds attack specifically, "[c]onsidering the sophistication, breadth, and persistence" of that attack,⁷ the whitepaper recommends "electric industry stakeholders fully consider the available diagnostics and mitigation measures to [e]ffectively address the software compromise," including considering the recommendations in the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) Emergency Directive 21-01 (directed toward federal agencies) and CISA Alert AA20-352A (directed toward the private sector).⁸ Such recommendations include "disconnecting affected systems, conducting deep forensics, performing risk analyses, and consulting with CISA before reconnecting [or rebuilding] affected systems."⁹ The whitepaper also includes its own specific recommended industry actions, which are extensive and...