
Richard "Dick" Brooks

Trip Report NAESB Advisory Committee Meeting February 22, 2025 Washington DC

[UPDATE February 25, 2025] FERC has announced a meeting for March 20, 2025 to discuss Cyber Supply Chain Risk Management (SCRM) practices focusing on "risk assessment". Several US Government organizations are already well into the application of SCRM best practices (NIST Guidance) to identify trustworthy software products. Examples include NASA's procurement process and the US Coast Guard SCRM process, which includes a "Trust Registry" (approved products list) of products that have passed a risk assessment, constraining the set of products that are allowed to be installed within USCG systems and equipment, both IT and OT, on land and sea. Looking forward to seeing friends and colleagues at the FERC March 20 SCRM meeting - flights are booked and I'm ready to go.

Joanne and I attended the North American Energy Standards Board (NAESB) Advisory Committee meeting in Washington DC on February 22, 2025, where strategic discussions and decisions are made that will guide NAESB’s activities for the next year. I’m not authorized to share any information about the decisions that were made, but I remain committed to assisting with Cybersecurity standards and matters affecting the Energy industry in the US for at least the next two years.

First, I’ll provide a brief introduction to NAESB, then I’ll offer information pertaining to my own personal contributions to the meeting. I’ve worked with NAESB since 1995, when it started as GISB, the Gas Industry Standards Board, and continue to work with the organization, serving on the Wholesale Electric Quadrant (WEQ) Executive Committee (EC) as a member of the Technology and Services segment; my term expires in December 2025.

Officially, “The North American Energy Standards Board (NAESB) serves as an industry forum for the development and promotion of standards which will lead to a seamless marketplace for wholesale and retail natural gas and electricity, as recognized by its customers, business community, participants, and regulatory entities.”

The North American Energy Standards Board (NAESB), established in January 2002, is the successor to the Gas Industry Standards Board. NAESB supports all markets of the gas and electric industries – wholesale gas, wholesale electricity, and retail markets – and recognizes the ongoing convergence of the gas and electric businesses by ensuring that its Standards receive the input of all industry Quadrants when appropriate.  NAESB is governed by its Board of Directors (Board) and officers. While government agencies often provide guidance to NAESB by requesting that Standards be adopted, it is the industry itself that develops the Standards the industry will implement. This relationship between NAESB and government agencies constitutes an effective public-private partnership that benefits both government and industry.

ANSI Accreditation: NAESB is an accredited American National Standards Institute Standards Development Organization.

NAESB is organized by Quadrants and, within Quadrants, by Segments. Each NAESB member belongs to one or more of the three Quadrants: wholesale electric (WEQ), wholesale gas (WGQ), and retail markets (RMQ). Each Quadrant determines the number and composition of its Segments and how many representatives it will have on the Board and Executive Committee.

NAESB standards are submitted to the Federal Energy Regulatory Commission (FERC) where they are frequently adopted into the US Code as regulations for both Electric and Natural Gas industries. NAESB’s standards development process is very efficient; many NAESB standards are developed under a consensus approach and adopted by the NAESB membership within 18 months of inception.

The Advisory Committee meeting began promptly at 2:30 and adjourned shortly after 5:30. During that time I was asked to provide insights on cybersecurity monitoring activities internationally. I described my participation in the EU Cyber Resilience Act (EU CRA) that was adopted as an EU regulation effective in December 2024 with deadline implementation dates through 2027. I provided a high-level overview of the EU CRA as a set of cybersecurity requirements covering software supply chain practices for products offered in the EU marketplace, which includes specific requirements on software manufacturers to provide transparency into their software development practices, including Software Bill of Materials (SBOM) and Vulnerability Disclosure Reporting and Management. I explained my participation in two US-based organizations that are part of the EU CRA Digital Experts group, the Eclipse Foundation and OpenSSF. Both organizations are contributing to the development of technical standards for application under the EU CRA. In my view, the EU CRA represents a harmonized set of software supply chain cybersecurity practices that will be applied to software products used throughout EU critical infrastructure sectors and other consumer uses and is ahead of the US in the quest for harmonized cybersecurity practices.

The National Petroleum Council also provided meeting attendees with a newly published report on controlling CO2 emissions across the Natural Gas industry.

It was great to see so many familiar faces that I’ve worked with over the years and some new faces as well. I was surprised by the level of participation from FERC in the audience. NAESB has frequently worked closely with FERC on industry matters; for example, FERC and NAESB collaborated to create the eTariff standard, which I worked on as an ISO New England employee, co-chairing the committee that developed the eTariff standard along with colleague and Co-Chair Christopher Burden, representing the Gas industry.

I’m looking forward to working with the new US administration on the harmonization of effective and efficient cybersecurity practices and standards for the Energy Industry through collaborative efforts with industry representatives and regulators at Federal and State levels and colleagues across the EU working on EU CRA technical cybersecurity standards. 

We did get to do a little sightseeing, which Joanne shares here.