Every week, the North American Electric Reliability Corporation (NERC) releases a “Standards, Compliance and Enforcement” bulletin. These bulletins carry important updates on NERC’s Reliability Standards, including the Critical Infrastructure Protection (CIP) standards, a suite of requirements designed to help registered entities secure their Bulk Electric System (BES) assets and thereby support the reliable operation of North America’s bulk electric system.
It is imperative that organizations keep up with these bulletins so that they can adjust their compliance efforts accordingly. Towards that end, here is a roundup of the key security updates, including news surrounding CIP, that NERC published over the course of Q4 2020.
| Date of Bulletin | Overview of Update | Description of Update |
| --- | --- | --- |
| | Comment period open for “Supply Chain Procurement Language” draft security guideline | The Reliability and Security Technical Committee (RSTC) Executive Committee reviewed the initial draft of the Supply Chain Procurement Language guideline. The document provides resources that electric organizations can use to formalize risk mitigation practices when procuring a solution from a vendor, and thereby harden the security of their supply chain. The Committee approved posting the draft for industry comment. |
| | FERC and NERC outline cyber incident response and recovery best practices | Staff of NERC and the Federal Energy Regulatory Commission (FERC) interviewed subject matter experts from eight electric utilities of varying size and function, then used those insights to release a report on the commonalities among organizations’ Incident Response and Recovery (IRR) plans. |
| | Series of webinars released on the topic of managing cyber security supply chain risk | The Supply Chain Working Group (SCWG), part of the RSTC, released a series of webinars on managing cyber security supply chain risk. The topics are: Cyber Security Risk Management Lifecycle, Provenance, Risk Consideration for Open-Source Software, Risks Related to Cloud Service Providers, Secure Equipment Delivery, Vendor Incident Response, Vendor Risk Management Lifecycle, and Procurement Language (DRAFT). |
| | FERC takes action during September open meeting | During its monthly open meeting, FERC issued a notice of inquiry (NOI) seeking comment on potential security risks to the Bulk Electric System posed by the use of foreign-manufactured equipment and software. FERC also sought comment on strategies that organizations could use to minimize those risks. |
| | Three standards take effect | On October 1, 2020, three standards took effect: CIP-005-6, which manages electronic access to BES Cyber Systems by requiring a controlled Electronic Security Perimeter; CIP-010-3, which specifies configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems; and CIP-013-1, which requires security controls for supply chain risk management of BES Cyber Systems. |
| | Joint webinar announced | The North American Transmission Forum (NATF), ReliabilityFirst and the SERC Reliability Corporation announced a joint webinar entitled “Identifying and Managing Potential Compromise of Network Interface Cards.” The webinar explored how organizations can reduce risk introduced through the supply chain. |
| | Second compliance filing submitted to FERC by NERC | At the end of September 2020, NERC submitted the second compliance filing for FERC’s five-year performance review order. The filing included updates on NERC’s Infrastructure Security Program and addressed the directive to discuss how the Electricity Information Sharing and Analysis Center (E-ISAC) uses its All Points Bulletins to increase industry awareness of security threats. |
| | Reliability Standard audit worksheet posted | NERC announced that it had posted a new Reliability Standard Audit Worksheet (RSAW) for CIP-008-6 – Cyber Security – Incident Reporting and Response Planning on its RSAW page. CIP-008-6 becomes effective on January 1, 2021, so entities should review the worksheet before that date. |
| | Reporting mechanisms for CIP-008-6 released | NERC specified that NERC-registered entities must meet the CIP-008-6 reporting obligation by submitting reports to E-ISAC via one of five communication channels. NERC also explained that entities within the United States must additionally report those incidents to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA). |
| | E-ISAC expands cybersecurity program | In partnership with the Department of Energy (DOE), E-ISAC expanded its Cybersecurity Risk Information Sharing Program (CRISP) to include two operational technology (OT) pilots. The pilots capture OT data and compare it with CRISP’s information technology data in order to identify potential digital threats to entities’ industrial processes. |
Check back next quarter for another roundup of security-related updates. In the meantime, you can review NERC’s full list of “Standards, Compliance and Enforcement” bulletins on the NERC website.