Shining a light on NERC CIP-013
Understanding the cybersecurity supply chain risk management (C-SCRM) standard
The North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) standard establishes new cybersecurity requirements for electric power and utility (P&U) companies to ensure, preserve, and prolong the reliability of the bulk electric system (BES). The new NERC supply chain standard will significantly affect electric P&U registered entities, which will need to develop plans to mitigate cybersecurity risks in their supply chain processes, with a minimum of six items explicitly required by NERC. Gain a greater understanding of the compliance steps you can take.
Introduction to the NERC CIP-013 cybersecurity supply chain risk management standard
What’s included and why now?
CIP-013 [1] addresses specific cybersecurity supply chain risks, for example the insertion of counterfeit components into cyber assets and insecure vendor manufacturing and development practices. CIP-013 and C-SCRM also aim to improve security against an increasing number of attacks that target supply chains, particularly those involving third-party providers. At-risk suppliers include hardware and software developers of BES cyber assets and BES system integrators.
Why does it matter?
New standards will help to improve the reliability of the BES, which is a key benefit to all providers. NERC CIP standards carry severe penalties for noncompliance; monetary penalties are real, and NERC has taken enforcement actions.
NERC is authorized to penalize registered entities up to $1 million per day per outstanding violation. For example, between 2016 and 2018 multiple penalties were levied to as high as $2.8 million for a violator. Penalties could run even higher because reported penalty amounts don’t account for money spent by entities to remediate the violations.
Reasons for enforcement actions have included:
- Incomplete or insufficient evidence of compliance
- Nonconformance to established policies and procedures
- Inadvertent disclosure of sensitive information
Several recent cybersecurity events in the supply chain bring home the need for better risk management:
- Watering-hole attacks (compromising legitimate vendor websites) that specifically targeted power and utility company industrial control system (ICS) vendors.
- Microchips introduced into motherboards sold by some of the largest resellers, designed to alter servers upon activation.
[1] FERC Order 850, paragraph 2. https://www.ferc.gov/whats-new/comm-meet/2018/101818/E-1.pdf?csrt=4781084849890556366
On October 18, 2018, the Federal Energy Regulatory Commission (FERC) approved CIP-013, which mandates that electric power and utilities comply with new C-SCRM requirements by July 1, 2020.
Electric P&U organizations: Understand the impact
Electric P&U organizations will be required to meet certain minimum requirements in their cybersecurity frameworks and in their supply chain vendor management. To be compliant, renegotiated and new vendor contracts must meet the new requirements starting July 1, 2020. In addition, technical controls related to verification of the integrity and authenticity of vendor software must be implemented.
Entities are required to implement a plan that addresses six specific areas—in contract language as well as technical and process controls (see chart). The CIP-013 standards become enforceable on July 1, 2020.
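The technical control named above, verifying the integrity and authenticity of vendor software before it is installed, is the one part of the requirement that reduces to code. The following is an added illustration written for this page, not Deloitte's tooling or anything NERC prescribes: it checks a vendor delivery against a per-file SHA-256 manifest (the `sha256sum` line format), authenticates the manifest first, and fails closed on a bad manifest, a mismatched or missing file, or a file the vendor never listed. The sample files, the manifest key and the HMAC over the manifest are assumptions; in a real program the manifest would carry the vendor's PGP or code-signing signature instead of an HMAC.

```python
"""Integrity and authenticity check for a vendor software delivery (illustrative).

Assumptions: the vendor ships a manifest of 'sha256  filename' lines and
authenticates it. Here an HMAC with a pre-shared key stands in for the
vendor's PGP/code-signing signature so the example runs offline.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample delivery: filename -> content. In practice these would be
# read from the staging directory the vendor package was extracted into.
DELIVERY: Dict[str, bytes] = {
    "rtu-firmware-4.2.bin": b"\x7fELF" + bytes(range(64)),
    "hmi-patch-4.2.zip": b"PK\x03\x04" + b"patch-payload" * 8,
}

# Constructed pre-shared key standing in for the vendor's signing key (assumption).
VENDOR_KEY = b"example-vendor-manifest-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> str:
    """Vendor side: one 'sha256  filename' line per file, sorted for determinism."""
    return "".join(
        f"{sha256_hex(content)}  {name}\n" for name, content in sorted(files.items())
    )


def mac_manifest(manifest: str, key: bytes) -> str:
    """Vendor side: authenticate the manifest (HMAC stand-in for a signature)."""
    return hmac.new(key, manifest.encode("utf-8"), hashlib.sha256).hexdigest()


def parse_manifest(manifest: str) -> Dict[str, str]:
    """Parse 'sha256  filename' lines; reject malformed or duplicate entries."""
    expected: Dict[str, str] = {}
    for lineno, line in enumerate(manifest.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("  ", 1)
        if (len(parts) != 2 or len(parts[0]) != 64
                or any(c not in "0123456789abcdef" for c in parts[0])):
            raise ValueError(f"manifest line {lineno}: malformed entry")
        digest, name = parts
        if name in expected:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {name}")
        expected[name] = digest
    return expected


def verify_delivery(files: Dict[str, bytes], manifest: str,
                    manifest_mac: str, key: bytes) -> Tuple[bool, List[str]]:
    """Utility side: return (accepted, findings). Any finding rejects the delivery."""
    findings: List[str] = []
    # 1. Authenticity first: an unauthenticated manifest proves nothing about the files.
    if not hmac.compare_digest(mac_manifest(manifest, key), manifest_mac):
        return False, ["manifest authentication failed; delivery rejected unexamined"]
    try:
        expected = parse_manifest(manifest)
    except ValueError as exc:
        return False, [str(exc)]
    # 2. Integrity: every listed file must be present and match its digest.
    for name, digest in expected.items():
        if name not in files:
            findings.append(f"missing: {name}")
        elif not hmac.compare_digest(sha256_hex(files[name]), digest):
            findings.append(f"hash mismatch: {name}")
    # 3. Nothing the vendor did not list may ride along with the delivery.
    for name in files:
        if name not in expected:
            findings.append(f"unlisted file: {name}")
    return (not findings), findings


if __name__ == "__main__":
    manifest = build_manifest(DELIVERY)
    tag = mac_manifest(manifest, VENDOR_KEY)
    print("clean delivery:", verify_delivery(DELIVERY, manifest, tag, VENDOR_KEY))
    tampered = dict(DELIVERY)
    tampered["rtu-firmware-4.2.bin"] += b"\x00"
    print("tampered firmware:", verify_delivery(tampered, manifest, tag, VENDOR_KEY))
```

The ordering matters: the manifest is authenticated before any file is hashed, because a manifest an attacker can rewrite would simply list the hashes of the tampered files. Flagging unlisted files catches the case where the package is intact but something extra was added on the way from the vendor to the entity.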
NERC is authorized to penalize registered entities up to $1 million per day per outstanding violation of CIP-013. Between 2016 and 2018 multiple penalties were levied, as high as $2.8 million [2] for a violator.
The CIP-013 requirements
Start your journey
Deloitte can help you understand what compliance steps you can take. Our electric P&U cybersecurity supply chain risk management solution includes a four-step process to:
- Define the impact of the new standard, which spans potentially hundreds of vendors, their hardware, software, and systems
- Build a plan to systematically manage the myriad cybersecurity risk management actions throughout the supply chain
- Execute cyber risk assessments across vendors and contractors
- Implement the C-SCRM requirements in a comprehensive and sustainable program
Get started. Deloitte can help you understand, prepare for, and implement the changes required to be compliant. Reach out to us to request a briefing, receive our playbook, and explore a workshop facilitated by Deloitte.
Together, we can:
- Prepare the scope
- Identify the challenges
- Define compliance approaches
- Align stakeholders
Watch a replay of our recent Dbriefs webcast Cybersecurity Supply Chain Risk Management: Are you prepared? Don’t leave your planning to chance. What should you do before the NERC CIP-013 standard takes effect on July 1, 2020? View the on-demand webcast to learn more.