Murphy discusses role on NERC supply chain cybersecurity standards team

Intense but rewarding.

That’s how JoAnn Murphy, PJM manager – Procurement, described her recent role as the vice chair of the North American Electric Reliability Corporation team that developed new mandatory reliability standards to enhance supply chain cybersecurity risk management protections (see box).

The standards augment current critical infrastructure protection standards to alleviate cybersecurity risks associated with the supply chain for grid-related cyber systems. This covers control system hardware, software, and computing and networking services. It protects information technology systems, software and networks from risks such as malware or data theft.

The Federal Energy Regulatory Commission recently approved the standards.

Murphy and her 11 colleagues on the drafting team worked in response to the FERC’s Order No. 829, which directed NERC to develop standards to address supply chain cybersecurity risk management.

The team spent countless hours over 15 months navigating an aggressive timeline to bring forth the proposed standards.

“As we developed the draft and subsequent revisions, there was a lot of industry outreach and webinars,” she said, “as well as presentations to various regional entities and compliance organizations. That outreach was critical to the success.

“Our goal was to draft a standard that would move the industry forward, but was not too prescriptive. It had to be flexible enough to allow for conti

nuous improvement in an evolving industry.”

When NERC announced the nomination period for the drafting team, Murphy said she was interested in participating – but as an observer, not necessarily as a team member.

Tom O’Brien, PJM senior vice president and chief information officer, recommended that Murphy apply. She was selected for the drafting team in September 2016 and appointed vice chair.

Murphy brought the ISO/RTO perspective. Committee members’ work experience took in a number of functions – compliance, information technology, procurement – which gave the team the scope it needed.

“We had a really good mix of expertise and perspectives,” said Murphy, “representing various companies and sectors.”

Murphy’s work complemented that of Tom Foster, PJM manager – CIP Compliance, who is part of the ongoing NERC Modifications to CIP Standards drafting team. One aspect that made this different was the scope of the standard.

“This one is a little different from the other NERC CIP standards, which tend to be more prescriptive,” said Murphy. “It is intended to be forward-looking and risk-based. Each responsible entity needs to develop a plan to address the issues and then implement its own plan.”

Andy Ott, PJM president and CEO, said Murphy’s work was “a great example of PJM demonstrating its leadership in the industry and ongoing commitment to PJM’s culture of compliance, security and reliability.”

He also noted that there is still work to do, but this is a significant step forward for the electric industry.

 More information on the process is available at the NERC project page.

TEAM MEMBERS

The 12 team members came from throughout the industry and have expertise in information technology, supply chain/procurement and compliance.

  • Mark Olson, NERC Senior Standards Developer
  • Corey Sellers, Southern Company (chair)
  • JoAnn Murphy, PJM Interconnection (vice chair)
  • Christina Alston, Georgia Transmission Corp.
  • James Chuber, Duke Energy
  • Norm Dang, IESO of Ontario – tech
  • Chris Evans, Southwest Power Pool – tech
  • Brian Gatus, Southern California Edison Company
  • Brian Gayle, Dominion
  • Rusty Griffin, CPS Energy
  • Skip Peeples, Salt River Project
  • Jason Witt, East Kentucky Power Cooperative