November 2, 2023

Supply chain risk management is central to cyber security for utilities: a compromised or disrupted supplier can have severe consequences for these critical infrastructure providers, as recent years have made increasingly evident.

To address this risk, the Federal Energy Regulatory Commission (FERC) has approved, and the North American Electric Reliability Corporation (NERC) enforces, Reliability Standard CIP-013: Cyber Security – Supply Chain Risk Management. FERC approved CIP-013-1 in Order No. 850, and the standard became enforceable in the United States on July 1, 2020; the current version is CIP-013-2.

Here we examine why this standard is so important, its requirements and evidence, and what utilities need to know about their supply chain cyber security risk management plans.


The Importance of Cyber Security Supply Chain Risk Management for Utilities

Cyberattacks are becoming more sophisticated, with attackers frequently targeting supply chains as a means to infiltrate utility systems. In this context, enhancing cyber security controls around the supply chain helps utilities to:

  • Protect critical infrastructure: Cyber security breaches can result in widespread outages, posing significant threats to public safety. An example is the December 2015 attack on Ukrainian distribution utilities, in which attackers who had gained a foothold through phishing and then used stolen remote-access credentials opened breakers at dozens of substations, leaving roughly 225,000 customers without electricity.
  • Prevent unauthorized access: Vulnerabilities in vendor components, hardware, and software expose the utility to attackers, as in the 2020 SolarWinds compromise. There the attackers inserted a backdoor into the vendor's own build process, so the trojanized Orion update was signed with SolarWinds' legitimate code-signing certificate and passed ordinary integrity and antivirus checks; roughly 18,000 customers downloaded it. The lesson for procurement is that a vendor's build and release security is part of your own attack surface.
  • Mitigate insider threats: Vendor personnel who perform maintenance and software updates hold remote or onsite access that makes them, in effect, insiders. Unless that access is governed, and revoked, with the same rigor applied to employees, a departed or compromised vendor representative can retain a path into the system.
  • Ensure regulatory compliance: Failure to comply with NERC CIP-013 can result in significant fines and penalties for utilities. NERC can levy penalties of up to $1 million per violation per day on registered entities that are out of compliance with the standard.

CIP-013 Requirements

CIP-013 requires responsible entities to develop one or more documented supply chain cyber security risk management plans for high and medium impact BES Cyber Systems (and, under CIP-013-2, their associated EACMS and PACS). The plans must include processes used in planning and procurement to identify and assess cyber security risks to the Bulk Electric System from vendor products or services arising from:

  • Procuring and installing vendor equipment and software
  • Transitioning from one vendor to another

Furthermore, the plan must address six specific items (R1.2), each of which is something you will need to ask of, and verify with, the vendor:

  • Notification by the vendor of vendor-identified incidents related to the products or services provided that pose cyber security risk to you
  • How you will respond to such incidents once the vendor has notified you
  • Notification by the vendor when remote or onsite access should no longer be granted to vendor representatives, for example when a vendor employee is terminated or reassigned
  • Disclosure by the vendor of known vulnerabilities in the products or services provided
  • Verification of the integrity and authenticity of all software and patches the vendor provides, before they are installed: integrity means the bytes you received are the bytes the vendor released (a digest check), and authenticity means the release genuinely came from the vendor (a signature check against a key you obtained through a trusted channel, not one shipped alongside the download)
  • How you will coordinate controls for vendor-initiated interactive remote access and for system-to-system remote access
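The integrity-and-authenticity item above is the one requirement in the list that is a concrete technical control rather than a contract term, so here is an added worked example of it (written for this page; it is not code from the standard, from NERC, from NATF, or from any vendor). It assumes a hypothetical manifest format in which the vendor publishes the product name, version and SHA-256 digest of a patch and signs that manifest with an Ed25519 release key whose public half the utility pinned at procurement time. The key pair and the patch bytes are generated inside the program for the demonstration. It runs three constructed cases: the genuine release, a patch altered after release (integrity failure), and a patch and manifest replaced by someone who can only sign with a key the utility never pinned (authenticity failure).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical vendor release manifest: what the vendor
// publishes next to a patch so the utility can check what it received.
// The layout is an assumption made for this example, not a real format.
type Manifest struct {
	Product string
	Version string
	SHA256  string // hex digest of the patch bytes the vendor built
}

// signingInput is the canonical byte string the vendor signs. Because the
// signature covers product, version and digest together, a valid digest for
// one release cannot be reused to bless a different product or version.
func (m Manifest) signingInput() []byte {
	return []byte(m.Product + "\n" + m.Version + "\n" + m.SHA256 + "\n")
}

var (
	ErrBadSignature   = errors.New("authenticity: manifest signature does not verify with the pinned vendor key")
	ErrDigestMismatch = errors.New("integrity: patch digest does not match the signed manifest")
)

// VerifyPatch checks authenticity first, then integrity. pinnedKey is the
// vendor's release public key obtained out of band when the contract was
// set up; a key downloaded next to the patch would prove nothing.
func VerifyPatch(pinnedKey ed25519.PublicKey, m Manifest, sig, patch []byte) error {
	if !ed25519.Verify(pinnedKey, m.signingInput(), sig) {
		return ErrBadSignature
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return fmt.Errorf("manifest digest is malformed: %w", ErrDigestMismatch)
	}
	got := sha256.Sum256(patch)
	if !bytes.Equal(got[:], want) {
		return ErrDigestMismatch
	}
	return nil
}

// Outcome holds the result of the three constructed cases in RunScenario.
type Outcome struct {
	Genuine  error // vendor-signed manifest, untouched patch
	Tampered error // vendor-signed manifest, patch modified after release
	Resigned error // patch and manifest replaced, signed with a key never pinned
}

// RunScenario builds a constructed vendor release and runs VerifyPatch
// against it. Keys and patch bytes are generated here purely for the
// demonstration; in practice the public key comes from the vendor.
func RunScenario() Outcome {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	patch := []byte("constructed relay firmware image, build 2.4.1") // constructed sample
	digest := sha256.Sum256(patch)
	m := Manifest{Product: "ExampleRelayFW", Version: "2.4.1", SHA256: hex.EncodeToString(digest[:])}
	sig := ed25519.Sign(vendorPriv, m.signingInput())

	// Case 2: one byte flipped after the vendor signed the manifest.
	tampered := append([]byte(nil), patch...)
	tampered[0] ^= 0x01

	// Case 3: someone controlling the download path ships the altered patch
	// with a matching manifest, but can only sign it with their own key.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	td := sha256.Sum256(tampered)
	forged := Manifest{Product: m.Product, Version: m.Version, SHA256: hex.EncodeToString(td[:])}
	forgedSig := ed25519.Sign(attackerPriv, forged.signingInput())

	return Outcome{
		Genuine:  VerifyPatch(vendorPub, m, sig, patch),
		Tampered: VerifyPatch(vendorPub, m, sig, tampered),
		Resigned: VerifyPatch(vendorPub, forged, forgedSig, tampered),
	}
}

func main() {
	o := RunScenario()
	fmt.Println("genuine :", o.Genuine)
	fmt.Println("tampered:", o.Tampered)
	fmt.Println("resigned:", o.Resigned)
}
```

Two points of design worth noting. The signature is checked before the digest, because a digest that is not covered by a signature from a pinned key tells you nothing about who produced it. And neither check defends against the SolarWinds case, where the malicious code was inserted before the vendor signed the release with its own legitimate key: that risk is what the vendor incident-notification and vulnerability-disclosure items in the list are meant to surface, which is why the standard treats all six together rather than relying on signature verification alone.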

It's important to note here that the obligation attaches at procurement. CIP-013 does not require utilities to renegotiate contracts executed before the standard took effect, nor to re-analyze software already deployed. Once the standard applies, however, every new purchase, and every renewal that amounts to a new procurement, must follow the procedures set out in your supply chain cyber security risk management plan.

In addition, it's worth pointing out that the standard does not dictate the actual terms and conditions of procurement contracts, nor does it mandate a specific level of vendor performance or adherence to those contracts. What it requires is that the utility follows its own established procurement processes for identifying and addressing supply chain cyber security risk, and can show that it did so each time a procurement occurs.

CIP-013 Evidence

To demonstrate compliance with CIP-013, you will need both documented supply chain cyber security risk management plan(s) as well as documentation of implementation. This documentation may include:

  • Policy documents
  • Vendor contracts
  • Vendor correspondence
  • Vendor Risk Assessments
  • Reports from a compliance management tool that show you’re using your plan

The CIP senior manager or delegate must review and approve the plan at least once every 15 calendar months (R3), with evidence that may include:

  • Date of review and approval
  • Policy documents
  • Revision history
  • Review evidence
  • Workflow evidence from the document management system

What Goes In the Supply Chain Cyber Security Risk Management Plan?

The North American Transmission Forum (NATF) has developed guidance aimed at helping the utility industry determine how to comply with CIP-013. The NATF Model for developing the supply chain cyber security risk management plan focuses on five overarching steps:

  1. Collecting information
  2. Evaluating that information and addressing risks
  3. Conducting a risk assessment
  4. Making the purchasing decision
  5. Implementing your controls and monitoring your risks

On the NATF website utilities can find the NATF Supply Chain Security Criteria and Energy Sector Supply Chain Risk Questionnaire (ESSCR) to help inform their risk management plans.

The NATF Supply Chain Security Criteria includes a high-level overview of best practices to look for with vendors in areas such as:

  • Access control and management
  • Asset, change and configuration management
  • Governance
  • Incident response
  • Information protection
  • Vulnerability management

The ESSCR looks at supplier information on a more granular level, providing over 200 questions utilities can ask third-party suppliers on practices related to:

  • Supply chain practices and external dependencies
  • Workforce management procedures
  • Identity and access management
  • Cyber security program management
  • Change and configuration management
  • Cyber security tools & architecture
  • Data protection
  • Event and incident response procedures
  • Mobile devices and applications
  • Risk management
  • Vulnerability management

Simplifying CIP-013 Compliance

Beyond documenting the supply chain cyber security risk management plan itself, utilities must have strong processes in place to carry it out and to record that they did, since implementation evidence is what an audit will ask for.

An automated NERC compliance management system supports these efforts by giving the utility a centralized system for:

  • Tracking vendor products and services
  • Storing vendor agreements
  • Documenting communication with vendors
  • Recording incidents and response history
  • Monitoring and benchmarking supplier performance
  • Linking vendor risk information with asset tracking information

Not only does this help utilities stay in compliance with CIP-013, it also helps them make smarter selection decisions around suppliers, while providing better visibility into risk.

Conclusion

Supply chain risk management is paramount in the utility industry, particularly as it relates to cyber security and protecting critical infrastructure. Attacks on the utilities sector have often come through the supply chain, and can have enormous impacts on customers and utilities themselves.

CIP-013 requires robust supply chain cyber security risk management plans that ensure procurement processes don’t inadvertently put infrastructure at risk. An automated NERC compliance management system can help ensure the plan is in place and working, providing a single source of truth for vendor-related documentation and performance.


About the Author

Kathryn Wagner is Vice President, Industry Solutions, Energy & Utilities at AssurX. Kathryn brings more than 25 years of experience in manufacturing systems integration and compliance while being responsible for the development and evolution of product offerings for NERC compliance and related systems that focus on reliability and resilience.