To safeguard North America’s electricity supply, the North American Electric Reliability Corporation (NERC) has proposed the CIP-013-1 standard (subject to the Federal Energy Regulatory Commission’s approval) to address the vulnerabilities and threat vectors that external third parties in the supply chain can introduce into the Bulk Electric System (BES). It is intended to mitigate the risk of supply chain cybersecurity incidents that affect BES reliability, and it requires responsible entities, which can include utilities and a wide variety of other stakeholders, to develop plans, policies and procedures governing their supply chain vendors.
What the standard mandates
Electric energy players must develop and implement a comprehensive supply chain risk management plan that includes CIP senior manager reviews and approvals every 15 months. Mandatory elements of the plan focus on software integrity and authenticity, vendor remote access to BES cyber systems (BCSs), information system planning and procurement, and vendor risk management and procurement controls. CIP-013-1 stipulates the coordination of all controls for vendor-initiated interactive remote access (IRA) and vendor system-to-system remote access.
Addressing CIP-013-1 compliance challenges
When electric utilities and other responsible entities focus on CIP-013-1 compliance, three challenges can emerge: establishing the necessary scope (NERC CIP-013-1 only addresses high- and medium-impact BES cyber systems, so responsible entities must decide how far their activities in these areas extend), defining vendor relationships (adding specific language and stipulations concerning supply chain vendor management to their contracts), and interpreting the standard (the current language of NERC CIP-013-1 is not fully prescriptive). A further concern is how vendors will collaborate with the CIP senior manager to improve the process.
Next steps toward CIP-013-1 compliance
Utilities and other energy players have anticipated the arrival of CIP-013-1 for years; now is the time to act:
- Develop a strategy: determine CIP-013-1 responsibility and ownership; begin a dialogue with key stakeholders and vendors; and check there is enough time to meet the compliance timeframe.
- Mobilize your CIP-013-1 team: oversee and sponsor the governance and steering of the team assembled to achieve supply chain cybersecurity compliance.
- Plan for sustainability from the start: design CIP-013-1 controls to include periodic reviews and approach all approval requirements in an orchestrated way that requires only minimal manual reviews. Put mechanisms in place to validate and verify that vendors meet CIP-013-1 controls.
Protection, starting now
Complying with NERC CIP-013-1 is an important first step in safeguarding the nation’s electric infrastructure from cyberattacks that originate among supply chain vendors. Taking steps early on to ensure sustainability and developing a coherent strategy can make compliance a solid foundation upon which to establish additional tailored supply chain cyber protections. Responsible entities and their vendors should view CIP-013-1 as a “win-win” opportunity since it can help to protect both parties from cyberattacks and strengthens already-established links.