{"id":2295,"date":"2021-03-08T08:57:27","date_gmt":"2021-03-08T08:57:27","guid":{"rendered":"https:\/\/itegriti.com\/kw022024\/?p=2295"},"modified":"2021-04-12T05:18:51","modified_gmt":"2021-04-12T05:18:51","slug":"supply-chain-risk-management-in-electric-grid-utilities","status":"publish","type":"post","link":"https:\/\/itegriti.com\/kw022024\/2021\/cybersecurity\/supply-chain-risk-management-in-electric-grid-utilities\/","title":{"rendered":"Supply Chain Risk Management in Electric Grid Utilities"},"content":{"rendered":"

With the recent attack against software developed by SolarWind which affected both public and private organizations, the public has become more acutely aware of the impending threat of the usage of either products or services from organizations that are part of any supply chain management.<\/p>\n

The supply chain risk<\/h2>\n

To understand the impact a supply chain attack may have, it is useful to focus on how the SolarWinds hack developed and its impact.<\/p>\n

Malicious actors got inside the development operations of SolarWinds and managed to insert malware inside a software update that was distributed by the company in March. Once installed, the malware \u201cphoned home\u201d to a command-and-control network run by the hacking group, which enabled them to enter the network and take further action. Since the patch originated and was digitally signed by SolarWinds, most user companies were not aware that the version of their software was compromised.<\/p>\n

Until recently, it was known that the attack had affected a handful of US federal and government agencies and organizations, and technology or security firms. However, a recent report from Kaspersky\u2019s ICS CERT unit noted<\/a> that \u201cabout 18,000 users may have installed backdoored versions of SolarWinds.\u201d What is particularly interesting is that among those 18,000 victims, there were \u201cnearly 2,000 domains impacted by Sunburst and estimated that roughly 32% of them were associated with industrial organizations.\u201d<\/p>\n

A majority of them are organizations in the manufacturing sector, followed by utilities, construction, transportation and logistics, oil and gas, mining, and energy. The SolarWinds software is highly integrated into many systems around the globe in different industries, therefore, it shouldn\u2019t come as a surprise if we experience second-stage activity in any of these organizations.<\/p>\n

How NERC manages supply chain risks<\/h2>\n

The digital transformation of the industrial sector, including the energy and power industry, has brought many benefits, but it has also created a never seen before expanded threat landscape. Interdependence and interconnectivity are holes in the security, safety, and reliability posture of the electric grid, threatening to wreak havoc if their vulnerabilities are exploited.<\/p>\n

We could rephrase this as “The North American Electric Reliability Corporation (NERC), in response to FERC Order 829 which recognizes the impact of supply chain risks to the organizations, developed Critical Infrastructure Protection (CIP) standard 13-1<\/a>. The standard includes cybersecurity requirements and their related security controls for supply chain risk management of BES Cyber Systems for electric power and utility companies.”The new standard was approved by the Federal Energy Regulatory Commission (FERC) on October 18, 2018, and it has been enforced on October 1, 2020.<\/p>\n

The standard applies to assets that are rated as high- and medium-impact Bulk Electric System Cyber Systems (BCS). It requires registered entities to develop documented plans to identify and assess vendor risks associated with their sold and installed products including software and the vendor\u2019s own supply chain. In addition to having an overarching plan, the requirements also explicitly cover six key required process areas.<\/p>\n

The five covered areas are:<\/p>\n