On October 1, 2020, the North American Electric Reliability Corporation (NERC) CIP-013-1 standard, titled “Cyber Security – Supply Chain Risk Management”, became enforceable to address the vulnerabilities and threat vectors that external third parties in the supply chain can introduce into the Bulk Electric System (BES). Electric grid companies have 18 months from the effective date to demonstrate compliance, increased monitoring, and oversight of their supply chains. Failure to do so can result in fines of up to $1M per day per outstanding violation.
To safeguard North America’s electricity supply against cyber risks and attacks, NERC has issued several critical infrastructure protection (CIP) standards. The CIP-013-1 standard, which FERC approved in the fall of 2018, includes a set of regulatory requirements “to mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES)”.
Electric power and utility organizations have to comply with these requirements to improve security against an increasing number of attacks that target supply chains, particularly those involving third-party providers. The new standard will help utility companies protect bulk electric systems by limiting their exposure to malware, tampering, and other cyber risks that can originate in third-party relationships. It is important to understand that third parties will also need to familiarize themselves with CIP-013-1 to preserve business relationships with power and utility companies.
Why is CIP-013-1 required?
The development and enforcement of CIP-013-1 were driven by the recognition, among public entities and private industry alike, that the cybersecurity landscape around supply chain vendors has changed. FERC and NERC have recognized that supply chain risks affect power and utility companies, which rely increasingly on third parties for the reliable and safe operation of the grid. As a result, FERC Order 829, issued in July 2016, directed the North American Electric Reliability Corporation (NERC) to develop a CIP reliability standard that addresses “supply chain risk management for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations.”
At the federal level, the National Institute of Standards and Technology updated NIST SP 800-53 Revision 5 with an emphasis on third-party vendors and suppliers, while NIST SP 800-161 specifically addresses 19 areas of supply chain risk management. Internationally, the IEC/ISA 62443 standard provides guidance focused on supply chain risk management.
NERC CIP-013-1 comes at a time when third-party vulnerabilities and data breaches are impacting critical infrastructure and federal agencies. The most recent event, making news headlines across the globe, is the SolarWinds breach, which affected, among others, the Departments of Energy, Defense, and Homeland Security, and companies such as Microsoft, Intel, Cisco, Nvidia, VMware, Belkin, and the cybersecurity firm FireEye, which was the first to discover the attack.
Research has demonstrated that supply chain breaches are among the costliest cyber-attacks. These attacks have caused downtime in major network infrastructure and derailed the physical operations of global companies. An attack of this nature could have potentially catastrophic results for both the American electric grid and the local communities.
What are the requirements?
The objective of NERC CIP-013-1 is “to mitigate cybersecurity risks to the reliable operation of the BES by implementing security controls for supply chain risk management of BES Cyber Systems.” To meet this goal, CIP-013-1 requires responsible entities to “develop one or more documented supply chain cybersecurity risk management plan(s) for high and medium impact BES Cyber Systems.” These plans must be reviewed and approved every 15 months.
According to the standard, the cybersecurity plan should include processes and procedures to address the following areas:
- Software integrity and authenticity
- Vendor remote access to BES cyber systems
- Information system planning and procurement
- Vendor risk management
- Procurement controls
Documenting and enforcing these processes for the procurement of BES Cyber Systems from third-party vendors will assist responsible entities in identifying, assessing, and mitigating cybersecurity risks to the BES that result from vendor equipment and software.
In addition, the plans should include incident response procedures to notify responsible entities of supply chain incidents and to coordinate responses between utility companies and suppliers. Other necessary requirements include:
- Remote access controls and policies for vendor personnel to access the BES
- Information sharing for the disclosure of known vulnerabilities by the vendor to the responsible entity
- A software integrity and authenticity verification and validation process for all software and patches supplied by a vendor to the network.
Towards CIP-013-1 compliance
CIP-013-1 only addresses high- and medium-impact BES cyber systems and does not provide any recommendations or best practices on how to meet its requirements. Responsible entities must make strategic decisions regarding the extent of compliance. These decisions could range from simply becoming and remaining compliant to rolling out compliance more broadly, encompassing low-impact BES cyber systems as well, and potentially the whole enterprise.
This expanded strategy will deliver higher reliability and safety and greater cybersecurity resilience across the entire business to mitigate supply chain risks. It is a sensible decision, since the same vendors and products are often used across high-, medium-, and low-impact BES cyber systems.
How ITEGRITI can help
ITEGRITI helps protect some of the nation’s most critical infrastructure, serving clients in the energy, healthcare, transportation, education, retail and financial sectors. Our portfolio includes NERC compliance projects since 2006, in all regions throughout the U.S. and Canada, supporting utilities, transmission, municipalities, cooperatives, and generation representing coal, natural gas, and renewables – wind, solar, hydro, and geothermal.
We develop and implement programs that mitigate cyber and compliance risk, supported by internal controls to measure, monitor, and report ongoing program effectiveness. Our programs help companies avoid hacks and minimize business impact during a cybersecurity event. To learn how we can help you, contact our experts.