By Steve Griffith, PMP, Executive Director, Regulatory & Industry Affairs, Mobility, NEMA
According to the North American Electric Reliability Corporation (NERC), U.S. power grids are becoming increasingly vulnerable to cyber attacks, with the number of potential weak points in electrical networks increasing by about 60 per day.[1] More startling numbers come from the Federal Communications Commission (FCC), which notes more than 1.5 billion attacks against Internet of Things (IoT) devices in the first six months of 2021. It is estimated that there will be more than 25 billion connected IoT devices in operation by 2030, expanding exponentially the vulnerable attack surfaces of networks.
It’s clear that cyber threats are a real and significant risk to the safety, security, and operational integrity of our nation’s critical infrastructure. NEMA is committed to bolstering the readiness of our nation’s electromanufacturing space.
CISA Critical Manufacturing Sector Forum
NEMA is advancing technology and best practices for the electroindustry in partnership with several cyber and defense agencies, including the Cybersecurity and Infrastructure Security Agency (CISA). Last month, as part of CISA’s April Critical Manufacturing Sector Forum, NEMA hosted more than 80 participants for a series of intelligence briefings, programmatic updates, and interactive, scenario-based discussions as part of a Critical Manufacturing Tabletop Exercise. This exercise fleshed out details on how government agencies, like CISA, and critical manufacturing owners and operators can coordinate during a cyber attack with physical impacts. Attendees also identified best practices for manufacturers’ incident response, recovery, business continuity, and resilience plans.
On the policy front, NEMA continues to raise awareness among domestic federal agencies and Congress, as well as global legislative, administrative, and regulatory bodies, about the unique yet necessary role of assuring cybersecurity postures and readiness for operational technologies and industrial control systems.
Cyber Labeling for Consumer IoT Devices Program
In collaboration with industry partners including NEMA, the FCC released guidelines in March for voluntary cybersecurity labeling of consumer IoT devices, otherwise known as the U.S. Cyber Trust Mark Program. A Further Notice of Proposed Rulemaking (FNOPR) was also published requesting public feedback on additional declarations related to the label. The FNOPR requested feedback on whether products that bear a label provide assurances that they do not contain hidden vulnerabilities from high-risk countries or that they cannot be remotely controlled by servers from such places. NEMA responded to the FNOPR and filed comments expressing the following concerns:
- The Cyber Trust Mark is designed to provide assurance to consumers that IoT products include a set of baseline security capabilities. It is not designed to eliminate all risk, nor should it be used as a means to address every cybersecurity and national security concern present across the connected ecosystem.
- For the FCC to require manufacturers to make disclosures or declarations regarding where firmware and software will be developed and deployed would stretch the program beyond its intended scope. This requirement has not been subject to the rigorous technical process of NIST’s Baseline Consumer Profile and could put the program out of alignment between NIST and the rest of the federal government.
- Adding an “under penalty of perjury” clause to these types of declarations and disclosures could disincentivize manufacturers from participating in this voluntary program.
- The Administration has tasked other executive branch agencies with addressing concerns in this FNPRM. This program should avoid acting in advance of those national security efforts.
Publication of the FCC’s Final Rule on the Cyber Trust Mark is expected in July 2024. NEMA will continue to work with the FCC and industry stakeholders to develop a final mark that is practical and promotes the concept of cybersecurity as a collective effort.