{"id":2260,"date":"2021-02-16T09:00:10","date_gmt":"2021-02-16T09:00:10","guid":{"rendered":"https:\/\/itegriti.com\/kw022024\/?p=2260"},"modified":"2021-04-12T02:39:59","modified_gmt":"2021-04-12T02:39:59","slug":"an-introduction-to-nerc-cip-013-1","status":"publish","type":"post","link":"https:\/\/itegriti.com\/kw022024\/2021\/compliance\/an-introduction-to-nerc-cip-013-1\/","title":{"rendered":"An Introduction to NERC CIP-013-1"},"content":{"rendered":"

On October 1, 2020, the North American Electric Reliability Corporation (NERC) CIP-013-1<\/a> standard, titled \u201cCyber Security – Supply Chain Risk Management\u201d, was enforced to address the vulnerabilities and threat vectors that external third parties in the supply chain can have on the Bulk Electric System (BES). Electric grid companies have 18 months from the effective date to prove compliance, increased monitoring, and oversight over their supply chains. Failure to do so can result in fines of up to $1M per day per outstanding violation.<\/p>\n

To safeguard North America\u2019s electricity supply against cyber risks and attacks, NERC has issued several critical infrastructure protection (CIP) standards. The CIP-013-1 standard<\/a>, which has been approved by FERC<\/a> in the fall of 2018, includes a set of regulatory requirements \u201cto mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES)\u201d.<\/p>\n

Electric power and utility organizations have to comply with requirements to improve security against an increasing number of attacks that target supply chains, particularly those involving third-party providers. The new standards will help utility companies protect bulk electric systems by limiting their exposure to malware, tampering, and other cyber risks that can originate with third-party relationships. It is important to understand that third parties will also need to familiarize themselves with the CIP-013-1 to preserve business relationships with power and utility companies.<\/p>\n

Why is CIP-013-1 required?<\/h2>\n

Development and enforcement of CIP-013-1 were mandated by the recognition of public entities and private industries of the changes in the cybersecurity landscape associated with supply chain vendors. To meet these security requirements and to enhance the security posture of the North American electric grid, FERC and NERC have recognized that supply chain risks affect power and utility companies, which rely increasingly on third parties for the reliable and safe operation of the grid. As a result, FERC Order 829<\/a>, issued in July 2016, directed the North American Electric Corporation (NERC) to develop a CIP reliability standard that addresses \u201csupply chain risk management for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations.\u201d<\/p>\n

On the federal level, the National Institute for Standards and Technology updated the NIST SP 800-53 ver 5 with an emphasis on third-party vendors and suppliers, while NIST 800-161 specifically addresses 19 areas of supply chain risk management. On the other hand, the international IEC\/ISA 62443 standard provides guidance focused on supply chain risk management.<\/p>\n

NERC CIP-013-1 comes at a time when third-party vulnerabilities and data breaches impact critical infrastructure and federal agencies. The most recent event, making the news headlines across the globe, is the SolarWinds breach which affected among others<\/a> the Departments of Energy, Defense, and Homeland Security, and companies such as Microsoft, Intel, Cisco, Nvidia, VMware, Belkin, and the cybersecurity firm FireEye, which was first to discover the attack.<\/p>\n

Research has demonstrated that supply chain breaches are among the costliest cyber-attacks<\/a>. These attacks have caused downtime in major network infrastructure and derailed the physical operations of global companies. An attack of this nature could have potentially catastrophic results for both the American electric grid and the local communities.<\/p>\n

What are the requirements?<\/h2>\n

The objective of NERC CIP-013-1 is \u201cto mitigate cybersecurity risks to the reliable operation of the BES by implementing security controls for supply chain risk management of BES Cyber Systems.\u201d To meet this goal, CIP-013-1 mandates responsible entities to \u201cdevelop one or more documented supply chain cybersecurity risk management plan(s) for high and medium impact BES Cyber Systems.\u201d These plans must be reviewed and approved every 15 months.<\/p>\n

According to the standard, the cybersecurity plan should include processes and procedures to address the following areas:<\/p>\n