In our previous blog post, we introduced NERC CIP-013-1, whose purpose is to address the vulnerabilities and threat vectors that external third parties in the supply chain can introduce into the Bulk Electric System (BES). The standard became enforceable on July 1st, 2020, and Responsible Entities have 18 months from the effective date to demonstrate compliance, increased monitoring, and oversight over their supply chains.
The following image, courtesy of Deloitte, provides a quick refresher on the Reliability Standard’s requirements.
CIP-013-1 compliance: A strategic choice
CIP-013-1 only addresses high- and medium-risk BES cyber systems and does not provide any recommendations or best practices on how to meet compliance with the requirements. Responsible entities must make strategic decisions regarding the extent of compliance. These decisions could range from simply becoming and remaining compliant, to rolling out compliance more broadly, encompassing low-impact BES as well, and potentially including the whole enterprise.
The strategy towards achieving CIP-013-1 compliance should include all supply chain stakeholders. Maintaining CIP-013-1 compliance requires collaboration and information sharing between all partners and vendors. It also requires dedication and resources. Therefore, all organizations need to ensure and allocate enough time and personnel to define and implement the new controls, and to demonstrate evidence of compliance within the enforcement timeframe.
It is also advisable to align the compliance effort with, and further strengthen the CIP-013-1 requirements through, the strategies and practices of other cybersecurity and risk frameworks and programs, such as the NIST Cybersecurity Framework and the IEC/ISA 62443 standards. In addition to the CIP-013-1 requirements, Responsible Entities may enhance their supply chain policies by implementing the measures in CIP-005-6 (Part 2) and CIP-010-3 (Section 1.6), which govern vendor remote access and the verification of the source and integrity of procured software, respectively.
Checklist for NERC CIP-013-1 compliance
The best way to maintain compliance with the CIP-013-1 requirements is to understand the risk associated with the software supply chain. Having this knowledge is key to ensuring that security measures and mitigations are proportionate, effective, and responsive. Responsible Entities should perform the following steps to assess their level of software supply chain risk.
The first step is to have complete visibility into the software components used in all applications. To achieve that, you should create a Software Bill of Materials (SBOM) and investigate each potentially dangerous component. An SBOM is a nested inventory listing all of the software components that make up an application.
SBOMs are great sources for vulnerability management and asset management processes, and they can be used to quickly identify software dependencies and supply chain risks. Using the SBOM inventory, the entities can identify the developers of the components and determine the name of the product associated with the software along with the version.
Verify authenticity and validity
Following the identification of all software components, the second step is to verify their authenticity by searching the code signing certificates for identification information. These code signing SSL/TLS certificates are issued only after thorough investigations of the identity of the software developer in accordance with the Certification Authority Browser Forum (CA/Browser Forum) guidelines.
Based on the information provided in the certificate, the Entities can verify the validity of the digital certificate and confirm that the vendor and source location information match what was agreed to during the procurement discussions. As an overarching rule, source locations that lack SSL digital certificates or contain discrepancies in their certification should never be trusted.
In addition to the authenticity of the software source, Entities should look for expired certificates and note the expiration date of each digital certificate. Even though digital certificate lifetimes have shortened to roughly a year, software components signed with certificates that are nearing their expiration dates might not be trustworthy. Checking the signing timestamp is a good practice to verify the age of a certificate and of the signature.
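The two steps above, inventory and certificate verification, can be scripted. The following is an added example, not code from the original post or from ITEGRITI: it flattens a constructed CycloneDX-style SBOM (including nested components) into inventory rows, reports components that lack a supplier or an integrity hash, and applies the certificate checks described above (vendor matches the procurement record, not expired or about to expire, signature timestamp inside the validity period) to constructed certificate fields. The vendor names, hashes and dates are all made up; parsing the certificate out of a signed binary is assumed to happen beforehand.

```python
import json
from datetime import date, timedelta

# Constructed CycloneDX-style SBOM (not a real vendor's document); only the
# fields this example reads are present. Hashes are placeholder strings.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libmodbus", "version": "3.1.6",
     "supplier": {"name": "Example Vendor A"},
     "hashes": [{"alg": "SHA-256", "content": "%s"}]},
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "supplier": {"name": "Example Vendor B"}},
    {"type": "application", "name": "hmi-agent", "version": "7.2.0",
     "hashes": [{"alg": "SHA-256", "content": "%s"}],
     "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "supplier": {"name": "OpenSSL Project"},
         "hashes": [{"alg": "SHA-256", "content": "%s"}]}
     ]}
  ]
}
""" % ("7f3a" * 16, "b0d1" * 16, "c4e9" * 16)


def load_components(sbom_text):
    """Flatten a CycloneDX JSON SBOM into inventory rows. Nested components
    (an application that embeds libraries) are walked recursively, parent
    first. A missing supplier or SHA-256 hash is recorded as None so it can
    be flagged rather than silently ignored."""
    def walk(components, out):
        for c in components:
            sha256 = next((h["content"] for h in c.get("hashes", [])
                           if h.get("alg") == "SHA-256"), None)
            out.append({"name": c["name"], "version": c.get("version"),
                        "supplier": (c.get("supplier") or {}).get("name"),
                        "sha256": sha256})
            walk(c.get("components", []), out)
        return out
    return walk(json.loads(sbom_text).get("components", []), [])


def missing_provenance(components):
    """Names of components that cannot be traced to a developer or verified
    for integrity because the SBOM gives no supplier or no SHA-256 hash."""
    return [c["name"] for c in components
            if c["supplier"] is None or c["sha256"] is None]


def assess_signing_certificate(cert, expected_org, today, warn_days=30):
    """Apply the post's certificate checks to already-parsed fields.
    cert: dict with subject_org, not_before, not_after (date) and
    signing_time (date of the countersignature timestamp, or None).
    Returns a list of findings; an empty list means no concern was raised.
    The 30-day 'nearing expiration' window is an assumption of this example."""
    findings = []
    if cert["subject_org"] != expected_org:
        findings.append("subject organization does not match procurement record")
    if today < cert["not_before"]:
        findings.append("certificate not yet valid")
    if today > cert["not_after"]:
        findings.append("certificate expired")
    elif cert["not_after"] - today <= timedelta(days=warn_days):
        findings.append("certificate expires within %d days" % warn_days)
    ts = cert.get("signing_time")
    if ts is None:
        findings.append("no countersignature timestamp")
    elif not (cert["not_before"] <= ts <= cert["not_after"]):
        findings.append("timestamp outside certificate validity period")
    return findings


# Constructed certificate fields and procurement records for two components.
CERTS = {
    "libmodbus": {"subject_org": "Example Vendor A", "not_before": date(2020, 3, 1),
                  "not_after": date(2021, 2, 1), "signing_time": date(2020, 9, 10)},
    "log4j-core": {"subject_org": "Example Vendor B", "not_before": date(2019, 1, 1),
                   "not_after": date(2020, 12, 31), "signing_time": None},
}
PROCUREMENT = {"libmodbus": "Example Vendor A", "log4j-core": "Vendor B Inc."}
TODAY = date(2021, 1, 15)  # assessment date, constructed

if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    print("missing provenance:", missing_provenance(comps))
    for name, cert in CERTS.items():
        print(name, assess_signing_certificate(cert, PROCUREMENT[name], TODAY))
```

Every finding is a concrete sentence that can be copied into the evidence file for that component; a component with no findings, a supplier and a hash is a candidate for the trusted baseline, while anything flagged goes back to the vendor before it is accepted.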
Scan for malware
Responsible Entities should perform a malware scan using trusted and up-to-date antivirus software. Malware scans should be performed outside the production or operational environment. Any discovered malware or vulnerability risks must automatically result in a trust score of zero. Malware is a deliberate, malicious action by adversaries to implant software in a victim’s computing ecosystem to gain presence and to further launch attacks to disrupt the reliable and safe operations of the Entity.
Scan for vulnerabilities
While malware is an intentional action, vulnerabilities are unintentional software flaws that adversaries exploit to gain access to a target’s cyber-enabled infrastructure. Entities should scan their software components for known vulnerabilities and exploits. To gain intelligence on known vulnerabilities, it is advised to sign up to receive CISA alerts and advisories, or search known vulnerability databases, such as the MITRE Common Vulnerabilities and Exposure (CVE) notices, and the NIST National Vulnerability Database (NVD).
Keep an updated baseline
Based on the findings of the previous steps, Responsible Entities should generate a trustworthy baseline. This baseline should be updated on a frequent basis to adapt to the changing environment and threat landscape. Updates should be based on intelligence or advisories received by NERC or other federal agencies and organizations.
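The malware, vulnerability and baseline steps above can be tied together in a small assessment. This is an added example, not code from the original post or from ITEGRITI: it matches inventory rows against an NVD-style advisory list using version ranges (the `versionStartIncluding` / `versionEndExcluding` convention), forces the trust score to zero on any malware detection or matching advisory as the post requires, builds the baseline from those results, and diffs two baselines so that a later re-assessment produces a reviewable list of changes. The component names, hashes, advisory ids (`ADV-CONSTRUCTED-n`) and version ranges are all made up; the remaining scoring policy (a 25-point deduction when no hash exists to verify integrity) is an assumption of this example.

```python
import re

# Constructed inventory rows in the shape an SBOM flattens to.
COMPONENTS = [
    {"name": "libmodbus", "version": "3.1.6", "sha256": "7f3a" * 16},
    {"name": "log4j-core", "version": "2.14.1", "sha256": "19c2" * 16},
    {"name": "openssl", "version": "1.1.1k", "sha256": None},
    {"name": "hmi-agent", "version": "7.2.0", "sha256": "b0d1" * 16},
]

# Constructed NVD-style advisories: not real CVEs, ranges are made up.
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-1", "product": "log4j-core",
     "start_incl": "2.0", "end_excl": "2.15.0"},
    {"id": "ADV-CONSTRUCTED-2", "product": "openssl",
     "start_incl": "1.1.1", "end_excl": "1.1.1l"},
    {"id": "ADV-CONSTRUCTED-3", "product": "libmodbus",
     "start_incl": "3.0.0", "end_excl": "3.1.4"},
]

# Constructed antivirus results: component name -> number of engine detections.
SCAN_RESULTS = {"hmi-agent": 1}


def version_key(v):
    """Tokenise '1.1.1k' into a key that orders numbers numerically and
    letter suffixes alphabetically, so 1.1.1 < 1.1.1k < 1.1.1l < 1.1.2."""
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.findall(r"\d+|[A-Za-z]+", v)]


def in_range(version, start_incl, end_excl):
    """NVD-style affected range: start_incl <= version < end_excl."""
    k = version_key(version)
    return version_key(start_incl) <= k < version_key(end_excl)


def matching_advisories(component, advisories=ADVISORIES):
    """Ids of advisories whose product and affected range cover the component."""
    return [a["id"] for a in advisories
            if a["product"] == component["name"]
            and in_range(component["version"], a["start_incl"], a["end_excl"])]


def trust_score(component, advisories=ADVISORIES, scan_results=SCAN_RESULTS):
    """Any malware detection or any matching advisory forces a score of 0.
    Otherwise start from 100 and deduct 25 when no SHA-256 hash is available
    to verify integrity (the deduction is this example's assumption)."""
    if scan_results.get(component["name"], 0) > 0:
        return 0
    if matching_advisories(component, advisories):
        return 0
    return 100 if component.get("sha256") else 75


def build_baseline(components, advisories=ADVISORIES, scan_results=SCAN_RESULTS):
    """One record per component with the evidence behind its score."""
    return {c["name"]: {"version": c["version"], "sha256": c["sha256"],
                        "advisories": matching_advisories(c, advisories),
                        "score": trust_score(c, advisories, scan_results)}
            for c in components}


def diff_baseline(old, new):
    """Describe what changed between two baselines (added or removed
    components, version or hash changes, and any score that fell) so the
    update can be reviewed and filed as evidence."""
    changes = []
    for name in sorted(set(old) | set(new)):
        if name not in old:
            changes.append(f"{name}: added")
        elif name not in new:
            changes.append(f"{name}: removed")
        else:
            o, n = old[name], new[name]
            for field in ("version", "sha256"):
                if o[field] != n[field]:
                    changes.append(f"{name}: {field} changed {o[field]!r} -> {n[field]!r}")
            if n["score"] < o["score"]:
                changes.append(f"{name}: score fell {o['score']} -> {n['score']} {n['advisories']}")
    return changes


if __name__ == "__main__":
    base = build_baseline(COMPONENTS)
    for name, rec in base.items():
        print(f"{name:11} {rec['version']:7} score={rec['score']:3} {rec['advisories']}")
    # Re-assess after libmodbus is upgraded and a new advisory arrives.
    later = [dict(c, version="3.1.7") if c["name"] == "libmodbus" else c
             for c in COMPONENTS]
    later_advs = ADVISORIES + [{"id": "ADV-CONSTRUCTED-4", "product": "libmodbus",
                                "start_incl": "3.1.7", "end_excl": "3.1.8"}]
    for line in diff_baseline(base, build_baseline(later, later_advs)):
        print(line)
```

Running the re-assessment in the main block is the "frequent update" the post asks for: the advisory feed is refreshed, scores are recomputed, and only the differences (here a version change and a score falling to zero) need a human decision and an evidence entry. Matching by product name and version range is deliberately conservative; a production tool would normalise names to CPE or package URL identifiers before matching.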
Develop quality evidence
During the NERC CIP audits, Responsible Entities need to demonstrate the existence of evidence to prove compliance with the CIP standards. All findings and actions described in the previous steps should be saved in meaningful evidence files. It is also worth noting that evidence of compliance will become extremely useful in the unfortunate event of a cyber incident.
How ITEGRITI helps
Besides the aforementioned recommendations, the best practice Responsible Entities can follow to protect themselves against supply chain attacks is to apply due diligence. If a breach occurs in your company, it is you who will be held accountable for the damage, the recovery costs and any non-compliance fines, not the software vendor or supplier.
As this standard is fairly new, organizations need to consider the risks associated with non-compliance or partial compliance with the standard. They may want to consider the services of organizations, such as ITEGRITI, that are well-versed in the interpretation and implementation of NERC CIP regulations. You can read more here.
ITEGRITI helps protect some of the nation’s most critical infrastructure, serving clients in energy, healthcare, transportation, education, retail and financial sectors. We develop and implement programs that mitigate cyber and compliance risk, supported by internal controls to measure, monitor, and report ongoing program effectiveness. Our programs help companies avoid hacks and minimize business impact during a cybersecurity event.