
[Federal Register Volume 81, Number 1 (Monday, January 4, 2016)]
[Notices]
[Pages 87-88]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-33035]


-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

[Docket No. RM15-14-000]


Revised Critical Infrastructure Protection Reliability Standards; 
Supplemental Notice of Agenda and Discussion Topics for Staff Technical 
Conference

    This notice establishes the agenda and topics for discussion at the 
technical conference to be held on January 28, 2016, to discuss issues 
related to supply chain risk management. The technical conference will 
start at 9:30 a.m. and end at approximately 4:30 p.m. (Eastern Time) in 
the Commission Meeting Room at the Commission's Headquarters, 888 First 
Street NE., Washington, DC. The technical conference will be led by 
Commission staff, and FERC Commissioners may be in attendance. All 
interested parties are invited to attend, and registration is not 
required.
    The topics and related questions to be discussed during this 
conference are provided as an attachment to this Notice. The purpose of 
the technical conference is to facilitate a structured dialogue on 
supply chain risk management issues identified by the Commission in the 
Revised Critical Infrastructure Protection Standards Notice of Proposed 
Rulemaking (NOPR) issued in this proceeding and raised in public 
comments to the NOPR. Prepared remarks will be presented by invited 
panelists.
    This event will be webcast and transcribed. The free webcast allows 
listening only. Anyone with internet access who desires to listen to 
this event can do so by navigating to the ``FERC Calendar'' at 
www.ferc.gov, and locating the technical conference in the Calendar of 
Events. Opening the technical conference in the Calendar of Events will 
reveal a link to its webcast. The Capitol Connection provides technical 
support for the webcast and offers the option of listening to the 
meeting via phone-bridge for a fee. If you have any questions, visit 
www.CapitolConnection.org or call 703-993-3100. The webcast will be 
available on the Calendar of Events at www.ferc.gov for three months 
after the conference. Transcripts of the conference will be immediately 
available for a fee from Ace-Federal Reporters, Inc. (202-347-3700).
    FERC conferences are accessible under section 508 of the 
Rehabilitation Act of 1973. For accessibility accommodations, please 
send an email to accessibility@ferc.gov or call toll free (866) 208-
3372 (voice) or (202) 502-8659 (TTY), or send a fax to (202) 208-2106 
with the requested accommodations.
    There is no fee for attendance. However, members of the public are 
encouraged to preregister online at: https://www.ferc.gov/whats-new/registration/01-28-16-form.asp.
    For more information about the technical conference, please 
contact: Sarah McKinley, Office of External Affairs, 202-502-8368, 
sarah.mckinley@ferc.gov.

Critical Infrastructure Protection Supply Chain Risk Management RM15-
14-000

January 28, 2016

Agenda
Welcome and Opening Remarks by Commission Staff
9:30-9:45 a.m.
Introduction
    In a July 16, 2015 Notice of Proposed Rulemaking (NOPR) in the 
above-captioned docket, the Commission proposed to direct the North 
American Electric Reliability Corporation (NERC) to develop new or 
modified Critical Infrastructure Protection (CIP) Reliability Standards 
to provide security controls relating to supply chain risk management 
for industrial control system hardware, software, and services. The 
Commission sought and received comments on this proposal, including: 
(1) The NOPR proposal to direct that NERC develop a Reliability 
Standard to address supply chain risk management; (2) the anticipated 
features of, and requirements that should be included in, such a 
standard; and (3) a reasonable timeframe for development of a standard. 
The purpose of this conference is to clarify issues, share information, 
and determine the proper response to address security control and 
supply chain risk management concerns.
Staff Presentation: Supply Chain Efforts by Certain Other Federal 
Agencies
9:45 a.m.-10:05 a.m.

[[Page 88]]

Break
10:05 p.m.-10:15 p.m.
Panel 1: Need for a New or Modified Reliability Standard
10:15 a.m.-11:45 a.m.
    The Commission staff seeks information about the need for a new or 
modified Reliability Standard to manage supply chain risks for 
industrial control system hardware, software, and computing and 
networking services associated with bulk electric system operations. 
Panelists are encouraged to address:
     Identify challenges faced in managing supply chain risk.
     Describe how the current CIP Standards provide supply 
chain risk management controls.
     Describe how the current CIP Standards incentivize or 
inhibit the introduction of more secure technology.
     Identify possible other approaches that the Commission can 
take to mitigate supply chain risks.
Panelists:
    1. Nadya Bartol, Vice President, Industry Affairs and Cybersecurity 
Strategist, UTC
    2. Jon Boyens, Project Manager, Information Communication 
Technology (ICT) Supply Chain Risk Management, National Institute of 
Standards & Technology (NIST)
    3. John Galloway, Director, Cyber Security, ISO New England
    4. John Goode, Chief Information Officer/Senior Vice President, 
Midcontinent Independent System Operator (MISO)
    5. Barry Lawson, Associate Director, Power Delivery & Reliability, 
National Rural Electric Cooperative Association (NRECA)
    6. Helen Nalley, Compliance Director, Southern Company
    7. Jacob Olcott, Vice President of Business Development, Bitsight 
Tech
    8. Marcus Sachs, Senior Vice President and Chief Security Officer, 
North American Electric Reliability Corporation (NERC)
Lunch
11:45 a.m.-1:00 p.m.
Panel 2: Scope and Implementation of a New or Modified Standard
1:00 p.m.-2:30 p.m.
    The Commission staff seeks information about the scope and 
implementation of a new or modified Standard to manage supply chain 
risks for industrial control system hardware, software, and computing 
and networking services associated with bulk electric system 
operations. Panelists are encouraged to address:
     Identify types of assets that could be better protected 
with a new or modified Standard.
     Identify supply chain processes that could be better 
protected by a Standard.
     Identify controls or modifications that could be included 
in the Standard.
     Identify existing mandatory or voluntary standards or 
security guidelines that could form the basis of the Standard.
     Address how the verification of supply chain risk 
mitigation could be measured, benchmarked and/or audited.
     Present and justify a reasonable timeframe for development 
and implementation of a Standard.
     Discuss whether a Standard could be a catalyst for 
technical innovation and market competition.
Panelists:
    1. Michael Kuberski, Manager, Grid Protection and Automation, Pepco 
Holdings Inc. (PHI)
    2. Jonathan Appelbaum, Director, NERC Compliance, The United 
Illuminating Company
    3. Brent Castegnetto, Manager, Cyber Security Audits & 
Investigations, WECC
    4. Art Conklin, Ph.D., Associate Professor and Director of the 
Center for Information Security Research and Education, University of 
Houston
    5. Edna Conway, Chief Security Officer, Value Chain Security, Cisco
    6. Bryan Owen, Principal Cyber Security Manager, OSIsoft
    7. Albert Ruocco, Vice President and Chief Technology Officer, 
American Electric Power (AEP)
    8. Doug Thomas, Vice President and Chief Information Officer, 
Ontario Independent Electricity System Operation (IESO)
Break
2:30 p.m.-2:45 p.m.
Panel 3: Current Supply Chain Risk Management Practices and 
Collaborative Efforts
2:45 p.m.-4:15 p.m.
    The Commission staff seeks information about existing supply chain 
risk management efforts for information and communications technology 
and industrial control system hardware, software, and services in other 
critical infrastructure sectors and the government. Panelists are 
encouraged to address:
     Generally describe how registered entities and other 
organizations currently manage supply chain issues.
     Identify standards or guidelines that are used to 
establish supply chain risk management practices. Specifically, discuss 
experience under those standards or guidelines.
     Identify organizational roles involved in the development 
and implementation of supply chain risk management practices.
     Generally describe approaches for identifying, evaluating, 
mitigating, and monitoring supply chain risk.
     Generally discuss how supply chain risk is addressed in 
the contracting process with vendors and suppliers.
     Generally describe the capabilities that registered 
entities currently have to inspect third party information security 
practices.
     Generally describe the capabilities that registered 
entities currently have to negotiate for additional security in their 
hardware, software, and service contracts. Describe how this may vary 
based on the potential vendor or supplier and the type of service to be 
provided.
     Generally describe how vendors and suppliers are managing 
risk in their supply chain.
Panelists:
    1. Douglas Bauder, Vice President, Operational Services, and Chief 
Procurement Officer, Southern California Edison
    2. Andrew Bochman, Senior Cyber & Energy Security Strategist, INL/
DOE
    3. Dave Whitehead, Vice President of Research and Development, 
Schweitzer Engineering
    4. Andrew Ginter, Vice President, Industrial Security, Waterfall 
Security Solutions
    5. Steve Griffith, Industry Director, National Electrical 
Manufacturers Association (NEMA)
    6. Maria Jenks, Vice President, Supply Chain, Kansas City Power & 
Light (KCP&L)
    7. Robert McClanahan, Vice President/Chief Information Officer, 
Arkansas Electric Cooperative Corporation (AECC)
    8. Thomas O'Brien, Chief Information Officer, PJM Interconnection, 
LLC
4:15 p.m.-4:30 p.m. Closing Remarks

    Dated: December 28, 2015.
Nathaniel J. Davis, Sr.,
Deputy Secretary.
[FR Doc. 2015-33035 Filed 12-31-15; 8:45 am]
 BILLING CODE 6717-01-P


