Shining a Light on NERC CIP-013-1
Electricity is critical to our modern technological society. The Electric Reliability Organization (ERO) works to ensure that we meet our electrical needs through a dependable and secure North American bulk electric system (BES). The North American Electric Reliability Corporation (NERC) and the six Regional Entities (REs) comprise the ERO. They aim to reduce the risks to our electrical grid power to ensure its stability.
In 2017, NERC developed new risk-based critical infrastructure protection (CIP) Reliability Standards to help BES Cyber Systems mitigate cyber-security related supply chain risks. The Reliability Standard CIP-013-1 – Cyber Security – Supply Chain Risk Management will require electric power and utility (P&U) companies, which have medium to high impacts to our power grid, to limit their exposure to third-party cyber risks.
The CIP-013-1 – Cyber Security – Supply Chain Risk Management standard aims to reduce or remediate cyber-security supply chain risks that threaten the stable and secure operation of high and medium impact BES Cyber Systems. The standard covers these BES Cyber Systems’ entire supply chain lifecycle, from planning and acquisition to deployment.
CIP-013-1 sets forth obligations for electric P&U companies that have high and medium impact BES Cyber Systems, referred to as “Responsible Entities.” These entities’ supply chain programs must have specific cyber-security controls in place in order for their existing and future third-party vendor contracts meet the new requirements within 18 months after July 1, 2020. Otherwise, they face fines up to $1 million per day per violation.
What does CIP-013-1 require?
First, CIP-013-1 requires responsible entities to implement one or more documented supply chain cyber-security risk management plan(s) for high and medium impact BES Cyber systems. Such plans must have at least seven different processes that mitigate risks and be documented. Specifically, the plan(s) must include:
- At least one process used in procurement planning for BES Cyber Systems to identify and evaluate cyber security risk(s) from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).
- At least one process used to procure BES Cyber Systems that targets the following (where applicable)
- Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
- Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
- Notification by vendors when remote or onsite access should no longer be granted to vendors;
- Disclosure by vendors of known vulnerabilities;
- Verification of integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and
- Coordination of controls for vendor-initiated Interactive Remote Access, and system-to-system remote access with a vendor(s).
Here, a vendor may include: (i) developers or manufacturers of information systems, system components, or information system services; (ii) product resellers; or (iii) system integrators.
Second, responsible entities must implement the supply chain cyber-security risk management plan(s) they developed, as well as document the actual implementation.
Third, at least one time every 15 months, responsible entities must reassess their supply chain cyber security risk management plan(s) and obtain CIP Senior Manager or delegate approval of them. The entities must also maintain evidence of the review and the approval.
Planning for Compliance
CIP-013-1’s gradual launch gives companies an appropriate amount of time to evaluate their existing third-party risk management programs and implement the new cyber security controls.
For many companies, CIP-013-1 will require an overhaul of third-party risk management operations. While existing internal security controls like antivirus software and firewalls may help protect a business from cyber threats, they don’t always ensure protection from attacks that originate in third-party systems.
Consequently, there’s an increased focus on implementing systematic processes to identify risks, implement controls, and continuously monitor third-party risks.
With CIP-013-1’s July 1st implementation deadline quickly approaching, Vendorpedia’s priority is to ensure that our customers are prepared and have an actionable plan to meet the new standard’s supply chain risk requirements. With Vendorpedia, companies can not only start implementing a comprehensive CIP-013-1 program, but will receive access to vital resources necessary to successfully support compliance for a variety of third-party risk management standards and frameworks.