It’s imperative that organizations keep up with these bulletins so that they might modify their compliance efforts accordingly. Towards that end, here is a roundup of the key security updates, including news surrounding CIP, that NERC made over the course of Q4 2020.
Comment period open for “Supply Chain Procurement Language” draft security guideline
The Reliability and Security Technical Committee Executive Committee reviewed the initial draft of the Supply Chain Procurement Language guideline. This document provides resources that electric organizations can use to formalize risk mitigation practices when procuring a solution from a vendor and thereby harden the security of their supply chain. The Committee subsequently approved posting the document for industry comment.
FERC and NERC outline cyber incident response and recovery best practices
Staff of NERC and the Federal Energy Regulatory Commission interviewed subject matter experts from eight electric utilities of varying size and function. Subsequently, they used those insights to release a report on the commonalities of organizations’ Incident Response and Recovery (IRR) plans. The full announcement is available here.
Series of webinars released on the topic of managing cyber security supply chain risk
During its monthly open meeting, FERC released a notice of inquiry (NOI) seeking comment on potential security risks to the Bulk Electric System posed by the use of foreign-manufactured equipment and software. FERC also sought comment on strategies that organizations could use to minimize those digital security risks.
Three standards take effect
On October 1, 2020, three standards took effect: CIP-005-6, which helps organizations to manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter; CIP-010-3, which specifies configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems; and CIP-013-1, which involves the implementation of security controls for supply chain risk management of BES Cyber Systems.
Joint webinar announced
The North American Transmission Forum (NATF), ReliabilityFirst and the SERC Reliability Corporation announced a joint webinar entitled “Identifying and Managing Potential Compromise of Network Interface Cards.” The webinar explored how organizations could reduce risk introduced by the supply chain.
Second compliance filing submitted to FERC by NERC
At the end of September 2020, NERC submitted the second compliance filing for FERC’s five-year performance review order. The filing included updates about NERC’s Infrastructure Security Program and addressed the directive to discuss how the Electricity Information Sharing and Analysis Center (E-ISAC) uses its All Points Bulletins to increase industry awareness of security threats.
Reliability Standard audit worksheet posted
NERC announced that it had posted a new Reliability Standard Audit Worksheet (RSAW) for CIP-008-6 – Cyber Security – Incident Reporting and Response Planning on its RSAW page. To learn more about CIP-008-6 before it becomes effective on January 1, 2021, click here.
Reporting mechanisms for CIP-008-6 released
NERC specified that NERC-registered entities must comply with CIP-008-6 by submitting reports to E-ISAC via one of five communication channels. The organization went on to explain how entities within the United States must also report those incidents to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA).
E-ISAC expands cybersecurity program
In partnership with the Department of Energy (DOE), E-ISAC expanded its Cybersecurity Risk Information Sharing Program (CRISP) to include two operational technology pilots. The purpose of these pilots was to capture operational technology data and compare it to CRISP information technology data for the purpose of identifying potential digital threats to entities’ industrial processes.
Check back next quarter for another roundup of security-related updates. In the meantime, you can review NERC’s full list of bulletins here.
Quarterly Roundup of Key NERC Security Updates – Q4 2020. By David Bisson, January 4th, 2021. Category: Compliance.