FERC and NERC Publish Whitepaper on SolarWinds and Related Supply Chain Compromise

Jul 7, 2021

Reading Time : 3 min

On July 6, 2021, the staff of the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) Electricity Information Sharing and Analysis Center (E-ISAC) issued a whitepaper entitled “SolarWinds and Related Supply Chain Compromise – Lessons for the North American Electricity Industry.” The whitepaper “describes these major supply chain-related cyber security events and the key actions to take to secure systems”1 and is “intended for electric industry stakeholders and vendors as they consider their next steps in continued response to the SolarWinds cyberattack”2 and “other recently identified cybersecurity vulnerabilities [that] have the potential to compromise electric industry cybersecurity.”3 The whitepaper:

  • “primarily focuses on the significant and ongoing cyber event related to the SolarWinds Orion platform and the related Microsoft 365/Azure Cloud compromise, [and] also addresses vulnerabilities in products such as Pulse Connect Secure, Microsoft’s on-premise Exchange servers, and F5’s BIG-IP;”4
  • “offers key actions to take and key questions to ask to ensure the electricity industry is taking all necessary steps to mitigate compromises related to these incidents and vulnerabilities;”5 and
  • “highlights the need for continued vigilance by the electricity industry related to supply chain compromises and incidents, identifies key elements of adversary tradecraft, highlights specific malwares and tools to remediate, and recommends actions to ensure the reliability and security of the [bulk-power system].”6

With regard to the SolarWinds attack specifically, “[c]onsidering the sophistication, breadth, and persistence” of that attack,7 the whitepaper recommends “electric industry stakeholders fully consider the available diagnostics and mitigation measures to [e]ffectively address the software compromise,” including considering the recommendations in the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) Emergency Directive 21-01 (directed toward federal agencies) and CISA Alert AA20-352A (directed toward the private sector).8 Such recommendations include “disconnecting affected systems, conducting deep forensics, performing risk analyses, and consulting with CISA before reconnecting [or rebuilding] affected systems.”9 The whitepaper also includes its own specific recommended industry actions, which are extensive and detailed.10

Of particular note, the whitepaper states that “[b]ecause of SolarWinds’ wide use and the adversarial tactics used, even entities that did not install SolarWinds on their networks could still be impacted. For example, the indicators of compromise (IOCs) have been found on networks without SolarWinds. In addition, although SolarWinds may not have been used by entities, their key suppliers may use the product. Should the suppliers be compromised, the supplier in turn could compromise their customers, including those without SolarWinds. In fact, there is evidence technology firms were targeted for this reason.”11 Accordingly, electricity industry participants should carefully review the recommended actions in the whitepaper and the alerts it references and consider implementing those that apply to them.

The whitepaper also notes that “[t]he E-ISAC is working closely with its members, FERC, and other partners in the Canadian and United States governments to produce timely, actionable, and useful defense information for all segments of the electric industry.”12 Going forward, the E-ISAC “anticipates supplementing its current information sharing with new [Cybersecurity Risk Information Sharing Program] capabilities, enhanced cross-border sharing, and collaboration with the U.S. Department of Energy’s office of Cybersecurity, Energy Security and Emergency Response,” and FERC staff “stands ready to assist in the dissemination of actionable information that supports the electric industry in proactively responding to cyber attacks and other cyber vulnerabilities.” The whitepaper is available here. Stay tuned.


1 Whitepaper at 17.

2 Id. at 6.

3 Id. at 13.

4 Id. at 6.

5 Id.

6 Id.

7 Id. at 4.

8 Id. at 4-5.

9 Id. at 5, 9.

10 Id. at 5, 10-18.

11 Id. at 4 (emphasis added).

12 Id. at 17.

Share This Insight

Previous Entries

Speaking Energy

March 10, 2025

On March 5, 2025, the United States Department of Energy (DOE) approved Golden Pass LNG Terminal LLC’s (GPLNG) request to extend a deadline to begin exporting liquefied natural gas (LNG) from its terminal facility currently under construction in Sabine Pass, Texas for 18 months, from September 30, 2025, to March 31, 2027 (the Order). The Order amends GPLNG’s two existing long-term orders authorizing the export of domestically produced LNG to countries with which the United States does and does not have free trade agreements (FTA).1  The Order does not amend the authorizations’ end date, which remains December 31, 2050. Under section 3 of the Natural Gas Act (NGA), the DOE may authorize exports to non-FTA countries following completion of a “public interest” review, whereas exports to FTA countries are deemed to be in the public interest and the DOE is directed to issue authorizations without modification or delay.

...

Read More

Speaking Energy

March 4, 2025

Join projects & energy transition partner Shariff Barakat at Infocast’s Solar & Wind, where he will moderate the “Tax Equity Market Dynamics” panel.

...

Read More

Speaking Energy

February 13, 2025

Oil & gas companies continue to identify and capitalize on opportunities related to the deployment of new energy technologies, with their approaches broadly maturing and coalescing around maximizing synergies, leveraging available subsidies and responding to regulatory drivers.

...

Read More

Speaking Energy

February 11, 2025

On January 30, 2025, the Federal Energy Regulatory Commission (FERC or the Commission) approved a Stipulation and Consent Agreement (Agreement) between the Office of Enforcement (OE) and Stronghold Digital Mining Inc. (Stronghold) resolving an investigation into whether Stronghold had violated the PJM Interconnection, L.L.C. (PJM) tariff and Commission regulations by limiting the quantity of energy made available to the market to serve a co-located Bitcoin mining operation.1 This order appears to be the first instance of a public enforcement action involving co-located load and generation and comes at a time when both FERC and market operators2 are scrutinizing the treatment of co-located load due to the rapid increase in demand associated with data center development.

...

Read More

Speaking Energy

February 5, 2025

2024 was about post-consolidation deal flow and a steady uptick in activity across the oil & gas market. This year, mergers & acquisitions (M&A) activity looks set to take on a different tone as major consolidation plays bed down.

...

Read More

Speaking Energy

January 30, 2025

The oil & gas industry is experiencing a capital resurgence, driven by stabilizing interest rates and renewed attention from institutional investors. Private equity is leading the charge with private credit filling the void in traditional energy finance and hybrid capital instruments gaining in popularity. Family offices are also playing a crucial role, providing long-term, flexible investments.

...

Read More

Speaking Energy

January 23, 2025

Under a second Trump presidency, the U.S. is expected to consider reversal of many of the Biden administration’s climate and environmental policies, in addition to a markedly different approach to trade policy and oil & gas regulation. This includes expanding oil & gas development on public lands and offshore, lifting the pause on liquified natural gas (LNG) exports to non-Free Trade Agreement countries and repealing the methane fee.

...

Read More

Speaking Energy

January 15, 2025

We are pleased to share a recording of Akin’s recently presented webinar, “Drilling Down: What Oil & Gas Companies Can Expect from Federal Agencies During Trump’s Second Administration.”

...

Read More

© 2025 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.