Cybersecurity: NERC CIP safeguards supply chains
October 19, 2018
To safeguard North America’s electricity supply, the North American Electric Reliability Corporation (NERC) has proposed the CIP-013-1 standard (subject to Federal Energy Regulatory Commission approval) to address the vulnerabilities and threat vectors that external third parties in the supply chain can introduce into the Bulk Electric System (BES). The standard is intended to mitigate the risk of supply chain cybersecurity incidents that affect BES reliability, and it requires responsible entities, which include utilities and a wide variety of other stakeholders, to develop plans, policies and procedures governing their supply chain vendors.
Responsible entities must develop and implement a documented supply chain cyber security risk management plan, which the CIP senior manager must review and approve at least once every 15 calendar months. Mandatory elements of the plan cover software integrity and authenticity, vendor remote access to BES cyber systems (BCSs), risk management during information system planning and procurement, and vendor risk management and procurement controls. CIP-013-1 also stipulates the coordination of controls for vendor-initiated interactive remote access (IRA) and for system-to-system remote access with vendors.
When electric utilities and other responsible entities focus on CIP-013-1 compliance, three challenges tend to emerge. The first is establishing scope: CIP-013-1 applies only to high- and medium-impact BES cyber systems, so responsible entities must decide how far beyond that mandatory scope their supply chain activities should extend. The second is defining vendor relationships, which means adding specific language and stipulations about supply chain cyber security to vendor contracts. The third is interpreting the standard, since the current language of CIP-013-1 is not fully prescriptive and leaves the choice of specific controls to each entity. A further concern is how vendors will collaborate with the CIP senior manager to improve the process over time.
Utilities and other energy players have anticipated the arrival of CIP-013-1 for years; now is the time to act:
Complying with NERC CIP-013-1 is an important first step in safeguarding the nation’s electric infrastructure from cyberattacks that originate with supply chain vendors. Taking steps early to ensure the program is sustainable, and developing a coherent strategy, can turn compliance into a solid foundation on which to build additional, tailored supply chain cyber protections. Responsible entities and their vendors should view CIP-013-1 as a “win-win” opportunity, since it helps protect both parties from cyberattacks and strengthens the relationships they have already established.