Updated April 2, 2020 – Latest NERC CIP-013 Guidance
NERC CIP-013 Overview
On July 21, 2016, the Federal Energy Regulatory Commission (FERC) issued Order No. 829, directing the North American Electric Reliability Corporation (NERC) to develop a new or modified “Reliability Standard”. This new standard would govern third-party, or supply chain, risk management (SCRM) in the power and utilities sectors. The new NERC supply chain risk management standard would cover industrial control system (ICS) hardware, software, and computing and networking services associated with the Bulk Electric System (BES).
By fall 2018, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standard “NERC CIP-013-1” was released, establishing new cybersecurity requirements for organizations in the power and utilities sectors. NERC’s CIP-013 standard mandates that power and utility companies secure their global supply chain by holding their vendors to cybersecurity requirements. With CIP-013 enforcement and deadlines around the corner, organizations are looking for solutions that provide them the most visibility across their supply chain with the fastest time to value.
In order to mitigate risks in the global supply chain, and mitigate supply chain disruption caused by cybersecurity risks, responsible entities in the power and utilities sectors must come together and use this regulation as a means to protect the Bulk Electric System (BES) as a whole.
This new CIP-013 supply chain risk management regulation serves to limit power and utilities’ exposure to third-party cyber risks as they expand business in a predominantly digital age. Thus, the standard and its upcoming effective date impact all entities in the power and utilities industry, requiring them to focus on assessments, risk measurement, risk management, and cybersecurity best practices across numerous vendors.
Which Organizations Must Comply with the CIP-013 Requirements?
The focus of this NERC regulation is on suppliers for strong reasons: the electric grid remains one of the largest targets of cyberattacks and a top focus for critical infrastructure security. Unfortunately, in many cases when an attacker successfully breaches a supplier, that same attacker can easily go on to attack the larger P&U organization.
According to NERC, “The security objective [of the CIP-013 regulation] is to ensure entities consider cyber security risks to the BES from vendor products or services.”
The risks addressed in CIP-013-1 are highly specific to supply chain risk management. Power and utility organizations must develop and implement CIP-013 plans with activities that both identify vulnerabilities in the supply chain and mitigate them. These programs have to be created by the organizations themselves, with optional guidance from advisory firms and management capabilities from solutions that support CIP-013 compliance, at scale, with multi-tenant functionality.
The cybersecurity SCRM requirements outlined in CIP-013 aim to improve security against an increasing number of attacks that target supply chains, especially in the electric power and utilities sectors. These requirements also apply to organizations that have a vast number of vendors, or third parties, providing them with the services and solutions that allow them to reliably support the BES. Thus, the impact of CIP-013 on both power and utilities organizations and their vendors could be significant.
P&U organizations are the most obvious entities that must adopt the NERC regulatory standard. Other organizations, however, could also fall under the regulation, such as software vendors that support these critical infrastructure organizations, and consultants that advise them. These entities should educate themselves on CIP-013 and other P&U-focused regulations as they serve these sectors, because they may need to adjust their information security strategies to maintain partnerships in the P&U industry.
Power and utilities organizations have already begun to address CIP-013 compliance, partnering with system integrators that specialize in P&U advisory and solution providers like CyberSaint.
What is the NERC CIP-013 Effective Date?
Although the CIP regulation was approved in the fall of 2018, this critical infrastructure protection (CIP) standard is enforceable starting on July 1, 2020. Organizations are currently using these few remaining months as a forcing function to create a robust supply chain risk management program, and to leverage solutions like CyberSaint to mitigate cyber risk.
The regulation is being rolled out gradually, but most organizations are spending the months provided catching up on supply chain risk management best practices. P&U organizations will soon need to prove compliance across their global supply chains: within 18 months of the NERC CIP-013-1 effective date, they have to be confident in their proof of compliance to avoid penalties.
CIP-013 solutions, such as integrated risk management solutions and especially those with strong metrics and evidence organization functions such as CyberStrong, are in high demand from P&U companies that want to get compliant quickly and effectively without taxing their teams through a spreadsheet-based assessment of their supply chain.
What is the Penalty for Non-Compliance with CIP-013?
For each outstanding violation of the CIP-013 requirements, NERC is authorized to fine organizations up to $1 million per day.
This large penalty may seem extreme to some, but the value in protecting the Bulk Electric System is even greater. In addition, the supply chain is a massive focus for cybercriminals targeting critical infrastructure, and with the increasing number of cyber incidents that occur, it is clear that better supply chain risk management is needed. Some examples of attacks that are pervasive in P&U supply chains include cyberterrorist attacks on third-party websites, and in a recent case, nation-states sneaking rice-sized microchips into servers provided by industry leaders on which many of the largest power and utility companies rely.
Reasons for enforcement actions range from incomplete or insufficient evidence of compliance, to nonconformance with established policies and procedures within the organization, to unintended disclosure of information considered sensitive.
What does CIP-013 Implementation Include?
The requirements in NERC CIP-013-1 include:
– Implementing controls that limit exposure to malware
– Implementing controls that limit exposure to tampering
– Vendor procurement guidelines
– Vendor permissions
– Vendor monitoring
It’s clear that the release and near-term enforcement of the new NERC CIP-013-1 regulation will create a shift in focus for P&U information security organizations.
Supply chain risk management is a clear improvement area for many industries, including the P&U sector. Scoping, assessing, and remediating cyber risk in accordance with CIP-013 will be a new, major focus for vendor risk teams within P&U information security organizations.
These best practices will not only help organizations get ahead of cyber threats, but when supported by solutions like CyberStrong that have rapid time to value and unparalleled visibility across the supplier base, will also help these infosec teams achieve proactive risk management from assessment to boardroom. Getting to maturity on NERC’s new standard will be critical to the future success of the Bulk Electric System in this age of digitalization and increasing cyberattacks.