On July 21, 2016, the Federal Energy Regulatory Commission (FERC) issued Order No. 829, directing the North American Electric Reliability Corporation (NERC) to develop a new or modified ‘Reliability Standard.’
NERC is a not-for-profit international regulatory authority whose mission is to assure the effective and efficient reduction of risks to the reliability and security of the grid. NERC develops and enforces Reliability Standards; annually assesses seasonal and long-term reliability; monitors the bulk power system through system awareness; and educates, trains, and certifies industry personnel. The new standard would govern third parties, an area otherwise known as supply chain risk management in the power and utilities sector. In 2018, NERC released NERC-CIP-013-1, which mandates that power and utilities secure their global supply chain by holding their vendors to cybersecurity requirements. The standard covers industrial control system hardware, software, and computing and networking services associated with the Bulk Electric System (BES).
Third Party Risk Management (TPRM) has become an increasingly popular focus for businesses. As this has happened, more and more industry-specific guidelines and standards for TPRM have appeared, NERC-CIP-013-1 among them. The risks addressed in CIP-013-1 are highly specific to supply chain risk management. Part of the rationale for the new standard is third party cyberattacks, such as sneaking micro-chips into servers that were designed to alter those servers upon activation. Power and utility (P&U) organizations must develop and implement plans that both identify vulnerabilities in the supply chain and mitigate them. The focus is on suppliers because the electric grid is one of the largest targets for cyberattacks. This is a consequence of the merging of Operational Technology (the technology supporting the grids), typical IT/Information Systems, Third Party Risk, and physical security risk; together these increase the attack surface. The urgency of CIP-013-1 stems from increasing nation-state threats, the societal consequences of failure, and heightened regulatory pressures and compliance hurdles. A breach at a supplier or third party could lead to an attacker gaining access to the power and utility organization. Organizations other than power and utility organizations may also be subject to the CIP-013-1 requirements. These include organizations with a vast number of vendors, or third parties, that provide the services and solutions that allow P&Us to reliably support the BES.
The cyber requirements in CIP-013-1 aim to improve security against attacks that target supply chains, especially in the electric power and utilities sectors. The requirements include controls that limit exposure to malware and to tampering, vendor procurement guidelines, vendor permissions, and vendor monitoring.
The effective date for NERC CIP-013-1 was July 1, 2020. Organizations have 18 months from that date to be confident in their proof of compliance to avoid penalties. For each outstanding violation of the requirements, NERC is authorized to fine organizations up to $1 million per day. Reasons for enforcement actions range from incomplete or insufficient evidence of compliance, to nonconformance with the organization's own established policies and procedures, to unintended disclosure of information considered sensitive.
Becoming CIP-013-1 compliant means satisfying three major requirements: R1, R2 and R3. Requirement R1 states that “Each responsible entity shall develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES.” The plan needs to include multiple components. The first is that one or more process(es) must be used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) when procuring and installing vendor equipment and software, and when transitioning from one vendor(s) to another vendor(s) (aka transition risk). The other is that there must be one or more process(es) in place to address the following when procuring BES Cyber Systems:
Notification of vendor-identified incidents which involve the products or services to the responsible entity;
Coordination of responses to vendor-related incidents;
Notification by vendors when remote or on-site access is no longer required from the vendor;
Disclosure by vendors of known vulnerabilities;
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System;
Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s).
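The fifth item above, verification of the integrity and authenticity of vendor-supplied software and patches, is the one R1 item that is directly a technical control rather than a contractual or process one. The following is an added example, not code from the Schneider Downs post or from NERC: a minimal integrity check in which the receiving entity recomputes the SHA-256 digest of every file in a vendor package against the vendor's manifest before anything is staged for a BES Cyber System. The file names, contents and manifest are constructed for the demonstration. It assumes authenticity of the manifest itself (that it really came from the vendor) is established separately, for example by checking the vendor's signature on the manifest; this script covers only the integrity of the files the manifest lists.

```python
"""Integrity check of a vendor software package against its SHA-256 manifest.

Added illustration for CIP-013-1 R1 (verification of software integrity);
not the standard's or any vendor's code. Sample package is constructed.
"""
import hashlib
import hmac
import os
import tempfile


def parse_manifest(text):
    """Parse sha256sum-style lines ('<64 hex chars>  <filename>') into a
    dict of filename -> lowercase hex digest. Malformed or duplicate
    entries raise ValueError so a bad manifest fails closed."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} malformed: {raw!r}")
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        try:
            bytes.fromhex(digest)
        except ValueError:
            raise ValueError(f"manifest line {lineno}: digest is not hex")
        if name in expected:
            raise ValueError(f"manifest lists {name!r} twice")
        expected[name] = digest
    return expected


def sha256_file(path):
    """Stream the file so large firmware images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(package_dir, manifest_text):
    """Return (ok, findings). ok is True only when every listed file is
    present and matches its digest; files present but absent from the
    manifest are reported too, since an installer must not pick them up."""
    expected = parse_manifest(manifest_text)
    findings = []
    for name, digest in expected.items():
        path = os.path.join(package_dir, name)
        if not os.path.isfile(path):
            findings.append(f"MISSING  {name}")
            continue
        actual = sha256_file(path)
        # constant-time comparison of the two hex strings
        if not hmac.compare_digest(actual, digest):
            findings.append(f"MISMATCH {name}: expected {digest[:12]}..., got {actual[:12]}...")
    present = {n for n in os.listdir(package_dir)
               if os.path.isfile(os.path.join(package_dir, n))}
    for name in sorted(present - set(expected)):
        findings.append(f"UNLISTED {name}")
    return (not findings), findings


def demo():
    """Constructed scenario: a two-file package that verifies cleanly, then
    the same package after the firmware image is altered and an unlisted
    file appears. Returns the two (ok, findings) results."""
    files = {
        "firmware.bin": b"\x7fELF constructed firmware image",
        "release-notes.txt": b"v2.1.0 constructed release notes\n",
    }
    manifest = "\n".join(f"{hashlib.sha256(d).hexdigest()}  {n}" for n, d in files.items())
    with tempfile.TemporaryDirectory() as d:
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        clean = verify_package(d, manifest)
        # Simulate tampering after download plus a stray extra file.
        with open(os.path.join(d, "firmware.bin"), "ab") as f:
            f.write(b"\x90")
        with open(os.path.join(d, "helper.dll"), "wb") as f:
            f.write(b"constructed unlisted file")
        tampered = verify_package(d, manifest)
    return clean, tampered


if __name__ == "__main__":
    for ok, findings in demo():
        print("OK" if ok else "REJECT", findings)
```

In practice the manifest would be obtained over a channel independent of the package download (or carry a signature that is verified first), and a non-empty findings list should block installation and be retained as R2 evidence that the integrity process was actually exercised.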
The focus of Requirement R1 is on the steps the Responsible Entity takes to consider cyber security risk from vendor products or services during BES Cyber System planning and procurement. A Responsible Entity could define minimum cyber security controls, scaled to the criticality of the product or service, that a vendor must meet before the entity transacts with it for those products or services. These “must-have” controls could vary across the various products the Responsible Entity procures for its BES Cyber Systems. This risk-based approach can be applied to all aspects of Requirement R1 in order to increase the efficiency of procuring vendors that meet the security objectives of R1. The evidence required to demonstrate compliance for R1 includes one or more documented supply chain cyber security risk management plan(s) as specified in the Requirement.
Requirement R2 states that “Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1”. This does not require the Responsible Entity to renegotiate or abrogate existing contracts. Contracts that enter the Responsible Entity’s procurement process on or after the effective date are within scope of CIP-013-1. Entities must show that, for the BES Cyber Systems and/or related services, the Responsible Entity has implemented its plan as required in Requirement R1. This can be done by an independent assessor that evaluates a vendor’s cyber security controls. In fact, the ERO (the Electric Reliability Organization, i.e. NERC) promotes this practice because it provides disinterested third parties or departments that are independent from the department performing a reliability function. The evidence required for R2 shall include documentation demonstrating implementation of the plan from R1, which could include correspondence, policy documents, or working documents that demonstrate use of the supply chain cyber security risk management plan.
Requirement R3 declares that a Responsible Entity must have the supply chain cyber security risk management plan(s) identified in R1 reviewed and approved by a CIP Senior Manager or delegate at least once every 15 months. The evidence required to demonstrate compliance is the dated supply chain cyber security risk management plan(s) approved by the CIP Senior Manager or delegate(s), along with any additional evidence to demonstrate review. This may include, but is not limited to, policy documents, revision history, records of review, or workflow evidence from a document management system that indicate review of the supply chain risk management plan(s) at least once every 15 months, and documented approval by the CIP Senior Manager or delegate.
On April 20, 2021, the Department of Energy (DOE) launched an initiative to enhance the cybersecurity of electric utilities’ industrial control systems and secure the energy sector supply chain. This comes as part of the Biden Administration’s effort to safeguard U.S. critical infrastructure from persistent and sophisticated threats. Over the next 100 days, the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER), in partnership with electric utilities, will continue to advance technologies and systems that provide cyber visibility, detection, and response capabilities for the industrial control systems of electric utilities. The initiative:
Encourages owners and operators to implement measures or technology that enhance their detection, mitigation, and forensic capabilities;
Includes concrete milestones over the next 100 days for owners and operators to identify and deploy technologies and systems that enable near real time situational awareness and response capabilities in critical industrial control system (ICS) and operational technology (OT) networks;
Reinforces and enhances the cybersecurity posture of critical infrastructure information technology (IT) networks; and
Includes a voluntary industry effort to deploy technologies to increase visibility of threats in ICS and OT systems.
The DOE also released a new Request for Information to seek input from electric utilities, energy companies, academia, research laboratories, government agencies, and other stakeholders to inform future recommendations for supply chain security in U.S. energy systems. The responses received will enable DOE to evaluate new executive actions to further secure the nation’s critical infrastructure against malicious cyber activity and strengthen the domestic manufacturing base.
How Can Schneider Downs Help?
Schneider Downs can help with NERC CIP-013-1 compliance through its Third-Party Risk Management function. As a part of the IT Risk Advisory Services department, the team has the expertise, credentials and tools to help you build, implement, recalibrate, and manage a world-class third-party risk management program. Learn more at www.schneiderdowns.com/tprm or contact us at [email protected].
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should only be relied upon when coordinated with individual professional advice.