Every week, the North American Electric Reliability Corporation (NERC) releases a “Standards, Compliance and Enforcement” bulletin. These documents contain important information with regard to NERC’s Reliability Standards. That includes the Critical Infrastructure Protection (CIP), a suite of measures designed to help organizations secure their bulk assets and thereby support the operability of North America’s bulk electric system.

It’s imperative that organizations keep up with these bulletins so that they might modify their compliance efforts accordingly. Towards that end, here is a roundup of the key security updates, including news surrounding CIP, that NERC made over the course of Q4 2020.

| Date of Bulletin | Overview of Update | Description of Update |
|---|---|---|
| 8/31/20 | Comment period open for “Supply Chain Procurement Language” draft security guideline | The Reliability and Security Technical Committee Executive Committee reviewed the initial draft of the Supply Chain Procurement Language guideline. This document provides resources that electric organizations can use to formalize risk mitigation practices when procuring a solution from a vendor and thereby harden the security of their supply chain. The Committee approved posting the document for industry comment. |
| 9/21/20 | FERC and NERC outline cyber incident response and recovery best practices | Staff of NERC and the Federal Energy Regulatory Commission interviewed subject matter experts from eight electric utilities of varying size and function. They used those insights to release a report on the commonalities of organizations’ Incident Response and Recovery (IRR) plans. The full announcement is available here. |
| 9/21/20 | Series of webinars released on the topic of managing cyber security supply chain risk | The Supply Chain Working Group (SCWG), part of the Reliability and Security Technical Committee (RSTC), released a series of webinars that explore how to manage cyber security supply chain risk. The webinar topics are: Cyber Security Risk Management Lifecycle, Provenance, Risk Consideration for Open-Source Software, Risks Related to Cloud Service Providers, Secure Equipment Delivery, Vendor Incident Response, Vendor Risk Management Lifecycle and Procurement Language (DRAFT). |
| 9/21/20 | FERC takes action during September open meeting | During its monthly open meeting, FERC released a notice of inquiry (NOI) seeking comment on potential security risks to the Bulk Electric System posed by the use of foreign-manufactured equipment and software. FERC also sought comment on strategies that organizations could use to minimize those digital security risks. |
| 9/28/20 | Three standards take effect | On October 1, 2020, three standards took effect: CIP-005-6, which helps organizations manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter; CIP-010-3, which specifies configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems; and CIP-013-1, which covers the implementation of security controls for supply chain risk management of BES Cyber Systems. |
| 10/05/20 | Joint webinar announced | The North American Transmission Forum (NATF), Reliability First and the SERC Reliability Corporation announced a joint webinar entitled “Identifying and Managing Potential Compromise of Network Interface Cards.” The webinar explored how organizations could reduce risk introduced by the supply chain. |
| 10/05/20 | Second compliance filing submitted to FERC by NERC | At the end of September 2020, NERC submitted the second compliance filing for FERC’s five-year performance review order. The filing included updates about NERC’s Infrastructure Security Program and addressed the directive to discuss how the Electricity Information Sharing and Analysis Center (E-ISAC) uses its All Points Bulletins to increase industry awareness of security threats. |
| 11/09/20 | Reliability Standard audit worksheet posted | NERC announced that it had posted a new Reliability Standard Audit Worksheet (RSAW) for CIP-008-6 – Cyber Security – Incident Reporting and Response Planning on its RSAW page. To learn more about CIP-008-6 before it becomes effective on January 1, 2021, click here. |
| 12/07/20 | Reporting mechanisms for CIP-008-6 released | NERC specified that NERC-registered entities must comply with CIP-008-6 by submitting reports to E-ISAC via one of five communication channels. NERC also explained that entities within the United States must report those incidents to the U.S. Department of Homeland Security Cybersecurity and Infrastructure Agency (DHS CISA) as well. |
| 12/07/20 | E-ISAC expands cybersecurity program | In partnership with the Department of Energy (DOE), E-ISAC expanded its Cybersecurity Risk Information Sharing Program (CRISP) to include two operational technology pilots. The purpose of these pilots was to capture operational technology data and compare it with CRISP information technology data in order to identify potential digital threats to entities’ industrial processes. |

Check back next quarter for another roundup of security-related updates. In the meantime, you can review NERC’s full list of bulletins here.