It's an exciting era in energy generation. The rapid adoption of IT systems and networked technology has enabled new business models and catalyzed production decentralization. However, with innovation comes new types of risks and new entry points for malicious actors to take advantage. In the beginning, many imagined physical acts of sabotage. Now, the primary concern is over cyber attacks conducted remotely by state-sponsored hacking groups armed with malware, botnets, and stolen access credentials.
As it is in other highly regulated industries, third-party and supply chain cyber risk is a growing threat. Many components vital to utility systems, namely bulk electric systems (BES), are manufactured and assembled by outside suppliers, widening the attack surface for bad actors looking to infiltrate our critical infrastructure. To help utilities and their vendors understand and mitigate cyber risks, the North American Electric Reliability Corp. (NERC) has introduced standard CIP-013-1, "Cyber Security–Supply Chain Risk Management." The new standard is slated to go into effect on July 1 or October 1, 2019, pending final approval.
Whether you are a utility provider, or a supplier for such a provider, CIP-013-1 presents a number of risk management, security, and compliance challenges. Instead of treating this as another checkbox exercise, optimizing risk management processes for the new standard is a timely opportunity to harness resources and focus on strengthening and streamlining your supply chain risk management program.
Preparing for Enactment
Both the responsible entities (users, owners, and operators of the bulk power system) and their suppliers (any organization providing system components, IT hardware and software, or related services such as system integration) have several preparations to undertake now, in advance of the standard's full enactment. NERC CIP-013-1 specifies that each responsible entity must develop "one or more documented supply chain security risk management plan(s) for high and medium impact BES Cyber Systems."
The standard stipulates that the plan(s) should include processes for procurement planning such as incident notification by vendor, coordination of response to those incidents, vendor access management and coordinated controls, vendor disclosure of known vulnerabilities, and verification of software integrity and authenticity. They should ensure that cyber risks to the BES from vendor products or services have been thoroughly considered, and encompass risks introduced during procurement and installation as well as during transition from one vendor to another. Responsible entities will be required to regularly reassess their plans and risk management controls to address emerging vulnerabilities and keep up with recommended security frameworks. Additionally, contract negotiation processes should address all applicable areas of risk outlined in these plans.
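The last item in that list, verification of software integrity and authenticity, is the one plan element that reduces directly to a mechanical check at installation time. The following Go program is an added illustration, not code from the article or from any vendor or utility: it assumes a hypothetical vendor release manifest carrying the package's SHA-256 digest and an Ed25519 signature over that digest, and a vendor public key that the utility has pinned out of band. The receiving side verifies the signature first (authenticity: the manifest really came from the vendor) and only then compares the digest of the bytes it received (integrity: the package was not altered in transit). The key pair and package bytes are constructed inside the program for demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical vendor-published release record (an assumption of
// this example, not a format defined by CIP-013-1): the expected SHA-256 of the
// package and the vendor's Ed25519 signature over the version and digest.
type Manifest struct {
	Version   string
	SHA256Hex string
	Signature []byte
}

var (
	ErrAuthenticity = errors.New("manifest signature does not verify against pinned vendor key")
	ErrIntegrity    = errors.New("package digest does not match signed manifest")
)

// signedMessage is the exact byte string the vendor signs. Binding the version
// into it stops a valid manifest for one release being replayed for another.
func signedMessage(m Manifest) []byte {
	return []byte(m.Version + "\n" + m.SHA256Hex + "\n")
}

// SignManifest is the vendor-side step: digest the package and sign the record.
func SignManifest(version string, pkg []byte, priv ed25519.PrivateKey) Manifest {
	sum := sha256.Sum256(pkg)
	m := Manifest{Version: version, SHA256Hex: hex.EncodeToString(sum[:])}
	m.Signature = ed25519.Sign(priv, signedMessage(m))
	return m
}

// VerifyPackage is the receiving-side step a utility would run before installing.
// Authenticity is checked before integrity: an unsigned or forged manifest
// tells us nothing about what the digest "should" be.
func VerifyPackage(pkg []byte, m Manifest, vendorKey ed25519.PublicKey) error {
	if !ed25519.Verify(vendorKey, signedMessage(m), m.Signature) {
		return ErrAuthenticity
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256Hex {
		return ErrIntegrity
	}
	return nil
}

func main() {
	// Constructed vendor key pair; in practice the public key is obtained and
	// pinned out of band, never taken from the same download as the package.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	firmware := []byte("constructed sample firmware image v2.3.1")
	manifest := SignManifest("2.3.1", firmware, vendorPriv)

	fmt.Println("genuine package:", VerifyPackage(firmware, manifest, vendorPub))

	tampered := append([]byte{}, firmware...)
	tampered[0] ^= 0xFF
	fmt.Println("altered package:", VerifyPackage(tampered, manifest, vendorPub))

	forged := manifest
	forged.SHA256Hex = hex.EncodeToString(func() []byte { s := sha256.Sum256(tampered); return s[:] }())
	fmt.Println("forged manifest:", VerifyPackage(tampered, forged, vendorPub))
}
```

The distinction the two error values draw is the one the plan language draws: a digest mismatch with a good signature points at corruption or tampering of the artifact, while a signature failure means the manifest itself cannot be trusted, so the digest in it is not evidence of anything. Keeping the vendor key pinned locally, rather than fetched alongside the package, is what makes the second check meaningful.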
NERC's Enforcement Compliance Authority is likely to assess, based on the existence and thoroughness of the plan, how well the risk mitigation concepts were integrated into procurement processes, and if the processes were implemented in good faith. The Enforcement Authority will pay particular attention to vendor risk assessments and steps taken to mitigate risks, including security provisions included in contracts.
Use the months leading up to full enactment of CIP-013-1 to assess internal and supply chain security and start internal conversations with affected departments, especially procurement. Standardize and align your vendor assessment questionnaires with your chosen risk management framework and use them to establish a common security and risk lexicon with your suppliers. Fix the gaps and vulnerabilities you find and establish a process for mitigating vendor risk and responding to incidents.
Make Cost-Effective Improvements Now
Direct and indirect costs will go up, so make sure you are able to measure return on investment for the changes you plan to make. Under the new standard, you do not have to rewrite existing contracts, but when it comes time for renewals or new relationships, contracts and arrangements will have to be updated. Everything will take more time, so leave room in your cycles.
To achieve the level of risk program maturity required to sustain the cyber security measures in CIP-013-1, utility providers should look into supporting technology that enables automated processes, centralizes documentation, and streamlines departmental collaboration. Integrated risk management platforms can make it easier to bring process and practice into alignment with supply chain policies, compliance requirements, and best practice frameworks by mapping policies to controls, making the assessment process efficient and repeatable, tracking remediation efforts, and enforcing accountability.
As regulations go, NERC CIP-013-1 is fairly straightforward. There's no doubt it represents a significant amount of self-assessment and improvement work for utilities and their vendors. The more complex the equipment or system, the more difficult it will be to comply. Many would rather avoid the extra work and expense, and there may be resistance. In the end, it is not this set of written mandates, but the very real dangers of cyber risk that compel all stakeholders to learn and improve. Collaboration and intelligence sharing will make the process easier and more productive. After all, when it comes to threats to critical infrastructure and public safety, we really are all in this together.
Tony Rock is Chief Operations Officer at Lockpath. He works with leaders in the energy sector to address compliance and risk management challenges, from business continuity to information security.