{"id":2149,"date":"2021-01-04T06:16:50","date_gmt":"2021-01-04T06:16:50","guid":{"rendered":"http:\/\/72.52.228.46\/~itegriti\/?p=2149"},"modified":"2021-04-12T05:12:33","modified_gmt":"2021-04-12T05:12:33","slug":"quarterly-roundup-of-key-nerc-security-updates-q4-2020","status":"publish","type":"post","link":"https:\/\/itegriti.com\/staging\/2021\/compliance\/quarterly-roundup-of-key-nerc-security-updates-q4-2020\/","title":{"rendered":"Quarterly Roundup of Key NERC Security Updates \u2013 Q4 2020"},"content":{"rendered":"

[fusion_builder_container hundred_percent=”no” hundred_percent_height=”no” hundred_percent_height_scroll=”no” hundred_percent_height_center_content=”yes” equal_height_columns=”no” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” status=”published” background_position=”center center” background_repeat=”no-repeat” fade=”no” background_parallax=”none” enable_mobile=”no” parallax_speed=”0.3″ video_aspect_ratio=”16:9″ video_loop=”yes” video_mute=”yes” border_style=”solid” type=”legacy” admin_toggled=”no”][fusion_builder_row][fusion_builder_column type=”1_1″ layout=”1_1″ spacing=”” center_content=”no” link=”” target=”_self” min_height=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” class=”” id=”” background_color=”” background_image=”” background_image_id=”” background_position=”left top” background_repeat=”no-repeat” hover_type=”none” border_color=”” border_style=”solid” border_position=”all” border_radius=”” box_shadow=”no” dimension_box_shadow=”” box_shadow_blur=”0″ box_shadow_spread=”0″ box_shadow_color=”” box_shadow_style=”” padding_top=”” padding_right=”” padding_bottom=”” padding_left=”” margin_top=”” margin_bottom=”” animation_type=”” animation_direction=”left” animation_speed=”0.3″ animation_offset=”” last=”true” border_sizes_top=”0″ border_sizes_bottom=”0″ border_sizes_left=”0″ border_sizes_right=”0″ first=”true”][fusion_text columns=”” column_min_width=”” column_spacing=”” rule_style=”default” rule_size=”” rule_color=”” content_alignment_medium=”” content_alignment_small=”” content_alignment=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” sticky_display=”normal,sticky” class=”” id=”” font_size=”” fusion_font_family_text_font=”” fusion_font_variant_text_font=”” line_height=”” letter_spacing=”” text_color=”” animation_type=”” animation_direction=”left” animation_speed=”0.3″ animation_offset=””]<\/p>\n

Every week, the North American Electric Reliability Corporation (NERC) releases a \u201cStandards, Compliance and Enforcement\u201d bulletin<\/a>. These documents contain important information with regard to NERC\u2019s Reliability Standards<\/a>. That includes the Critical Infrastructure Protection<\/a> (CIP), a suite of measures designed to help organizations secure their bulk assets and thereby support the operability of North America\u2019s bulk electric system.<\/p>\n

It\u2019s imperative that organizations keep up with these bulletins so that they might modify their compliance efforts accordingly. Towards that end, here is a roundup of the key security updates, including news surrounding CIP, that NERC made over the course of Q4 2020.<\/p>\n

[fusion_table fusion_table_type=”1″ fusion_table_rows=”” fusion_table_columns=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” class=”” id=”” animation_type=”” animation_direction=”left” animation_speed=”0.3″ animation_offset=””]<\/p>\n

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Date of Bulletin<\/span><\/strong><\/td>\nOverview of Update<\/span><\/strong><\/td>\nDescription of Update<\/span><\/strong><\/td>\n<\/tr>\n<\/thead>\n
8\/31\/20<\/td>\nComment period open for \u201cSupply Chain Procurement Language\u201d draft security guideline<\/td>\nThe Reliability and Security Technical Committee Executive Committee reviewed the initial draft of the Supply Chain Procurement Language guideline<\/a>. This document provides resources that electric organizations can use to formalize risk mitigation practices when procuring a solution from a vendor and to thereby harden the security of their supply chain. Subsequently, the Committee approved to post this document for industry comment.<\/td>\n<\/tr>\n
9\/21\/20<\/td>\nFERC and NERC outline cyber incident response and recovery best practices<\/td>\nStaff of NERC and the Federal Energy Regulatory Commission interviewed subject matter experts from eight electric utilities of varying size and function. Subsequently, they used those insights to release a report on the commonalities of organizations\u2019 Incident Response and Recovery (IRR) plans. The full announcement is available here<\/a>.<\/td>\n<\/tr>\n
9\/21\/20<\/td>\nSeries of webinars released on the topic of managing cyber security supply chain risk<\/td>\nThe Supply Chain Working Group (SCWG), part of the Reliability and Security Technical Committee (RSTC), released a series of webinars that explore how to manage cyber security supply chain risk. The topics of these webinars are as follows: Cyber Security Risk Management Lifecycle<\/a>, Provenance<\/a>, Risk Consideration for Open-Source Software<\/a>, Risks Related to Cloud Service Providers<\/a>, Secure Equipment Delivery<\/a>, Vendor Incident Response<\/a>, Vendor Risk Management Lifecycle<\/a> and Procurement Language (DRAFT)<\/a>.<\/td>\n<\/tr>\n
9\/21\/20<\/td>\nFERC takes action during September open meeting<\/td>\nDuring its monthly open meeting, FERC released a notice of inquiry (NOI)<\/a> seeking comment on potential security risks to the Bulk Electric System posed by the use of foreign-manufactured equipment and software. FERC went on to seek comment around strategies that organizations could use to minimize those digital security risks.<\/td>\n<\/tr>\n
9\/28\/20<\/td>\nThree standards take effect<\/td>\nOn October 1, 2020, three standards took effect: CIP-005-6<\/a>, which helps organizations to manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter; CIP-010-3<\/a>, which specifies configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems; and CIP-013-1<\/a>, which involves the implementation of security controls for supply chain risk management of BES Cyber Systems.<\/td>\n<\/tr>\n
10\/05\/20<\/td>\nJoint webinar announced<\/td>\nThe North American Transmission Forum (NATF), Reliability First and the SERC Reliability Corporation announced a joint webinar<\/a> entitled \u201cIdentifying and Managing Potential Compromise of Network Interface Cards.\u201d The webinar explored how organizations could reduce risk introduced by the supply chain.<\/td>\n<\/tr>\n
10\/05\/20<\/td>\nSecond compliance filing submitted to FERC by NERC<\/td>\nAt the end of September 2020, NERC submitted the second compliance filing<\/a> for FERC\u2019s five-year performance review order. The filing included updates about NERC\u2019s Infrastructure Security Program and addressed the directive to discuss how the Electricity Information Sharing and Analysis Center (E-ISAC) uses its All Points Bulletins<\/a> to increase industry awareness of security threats.<\/td>\n<\/tr>\n
11\/09\/20<\/td>\nReliability Standard audit worksheet posted<\/td>\nNERC announced that it had posted a new Reliability Standard Audit Worksheet (RSAW) for CIP-008-6 \u2013 Cyber Security \u2013 Incident Reporting and Response Planning on its RSAW page<\/a>. To learn more about CIP-008-6 before it becomes effective on January 1, 2021, click here<\/a>.<\/td>\n<\/tr>\n
12\/07\/20<\/td>\nReporting mechanisms for CIP-008-6 released<\/td>\nNERC specified that NERC-registered entities must comply with CIP-008-6 by submitting reports to E-ISAC via one of five communication channels. The organization went on to explain how entities within the United States must also report those incidents to the U.S. Department of Homeland Security Cybersecurity and Infrastructure Agency (DHS CISA).<\/td>\n<\/tr>\n
12\/07\/20<\/td>\nE-ISAC expands cybersecurity program<\/td>\nIn partnership with the Department of Energy (DOE), E-ISAC expanded its Cybersecurity Risk Information Sharing Program<\/a> (CRISP) to include two operational technology pilots. The purpose of these pilots was to capture operational technology data and compare it to CRISP information technology data for the purpose of identifying potential digital threats to entities\u2019 industrial processes.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

[\/fusion_table]<\/p>\n

Check back next quarter for another roundup of security-related updates. In the meantime, you can review NERC\u2019s full list of bulletins here<\/a>.<\/p>\n

[\/fusion_text][\/fusion_builder_column][\/fusion_builder_row][\/fusion_builder_container]<\/p>\n","protected":false},"excerpt":{"rendered":"

Here is a roundup of the key security updates, including news surrounding CIP, that NERC made over the course of Q4 2020.<\/p>\n","protected":false},"author":12,"featured_media":2158,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2179],"tags":[],"_links":{"self":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts\/2149"}],"collection":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/comments?post=2149"}],"version-history":[{"count":8,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts\/2149\/revisions"}],"predecessor-version":[{"id":2159,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts\/2149\/revisions\/2159"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/media\/2158"}],"wp:attachment":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/media?parent=2149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/categories?post=2149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/tags?post=2149"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}