
Shining a light on NERC CIP-013

Understanding the cybersecurity supply chain risk management (C-SCRM) standard

The North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) standard establishes new cybersecurity requirements for electric power and utility (P&U) companies to ensure, preserve, and prolong the reliability of the bulk electric system (BES). The new NERC supply chain standard will significantly affect electric P&U registered entities, which will need to develop plans to mitigate cybersecurity risks in their supply chain processes, with a minimum of six items explicitly required by NERC. Gain a greater understanding of the compliance steps you can take.

Introduction to the NERC CIP-013 cybersecurity supply chain risk management standard

What’s included and why now?
CIP-013 addresses specific cybersecurity supply chain risks. Examples include the insertion of counterfeit components into cyber assets and insecure vendor manufacturing and development practices. CIP-013 and C-SCRM also aim to improve security against an increasing number of attacks that target supply chains, particularly those involving third-party providers. At-risk suppliers include hardware and software developers of BES cyber assets and BES system integrators.

Why does it matter?
New standards will help to improve the reliability of the BES, which is a key benefit to all providers. NERC CIP standards carry severe penalties for noncompliance; monetary penalties are real, and enforcement actions have been taken by NERC.

NERC is authorized to penalize registered entities up to $1 million per day per outstanding violation. For example, between 2016 and 2018 multiple penalties were levied to as high as $2.8 million for a violator. Penalties could run even higher because reported penalty amounts don’t account for money spent by entities to remediate the violations.

Reasons for enforcement actions have included:

  • Incomplete or insufficient evidence of compliance
  • Nonconformance to established policies and procedures
  • Inadvertent disclosure of sensitive information

There have been a few recent events involving cybersecurity in the supply chain that bring home the need for better risk management:

  • Watering-hole attacks (compromising legitimate vendor websites) that specifically targeted power and utility company industrial control system (ICS) vendors.
  • Microchips introduced into motherboards that were sold by some of the largest resellers; the chips were designed to alter the servers upon activation.

On October 18, 2018, the Federal Energy Regulatory Commission (FERC) approved CIP-013, which mandates that electric power and utilities comply with new C-SCRM requirements by July 1, 2020.

Electric P&U organizations: Understand the impact

Electric P&U organizations will be required to meet certain minimum requirements in their cybersecurity frameworks and in their supply chain vendor management. To be compliant, renegotiated and new vendor contracts must meet the new requirements starting July 1, 2020. In addition, technical controls related to verification of the integrity and authenticity of vendor software must be implemented.
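The "verification of the integrity and authenticity of vendor software" control mentioned above is the one requirement on this page that reduces to a concrete technical check. The following Go program is an added illustration, not code from Deloitte, NERC, or any vendor: it models a vendor publishing a signed digest manifest for a release, and the receiving utility first checking the manifest signature against a pinned vendor public key (authenticity) and only then comparing the SHA-256 of the downloaded file against the listed digest (integrity). The manifest format, the file name `rtu-fw-1.2.3.bin`, and the firmware bytes are constructed for the example; the Ed25519 key pair is generated inside the program only so that it runs stand-alone, whereas in practice the utility would hold only the vendor's public key, obtained out of band.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest format assumed for this example: one "filename sha256hex" line per
// release artefact. Real vendors use their own schemes (signed checksum files,
// code-signing certificates, attestations); the order of checks is the same.

// sha256Hex returns the lowercase hex SHA-256 digest of data.
func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// BuildSignedManifest is the vendor-side step: list the digest of each release
// file and sign the whole list with the vendor's private key.
func BuildSignedManifest(priv ed25519.PrivateKey, files map[string][]byte) (manifest, sig []byte) {
	var b strings.Builder
	for name, data := range files {
		fmt.Fprintf(&b, "%s %s\n", name, sha256Hex(data))
	}
	manifest = []byte(b.String())
	sig = ed25519.Sign(priv, manifest)
	return manifest, sig
}

// parseManifest turns "name hexdigest" lines into a lookup table and rejects
// malformed lines instead of silently skipping them.
func parseManifest(manifest []byte) (map[string]string, error) {
	out := make(map[string]string)
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 || len(f[1]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed manifest line: %q", line)
		}
		out[f[0]] = strings.ToLower(f[1])
	}
	return out, nil
}

// VerifyVendorPackage is the receiving-side control. Authenticity is checked
// first (the manifest was signed by the pinned vendor key), then integrity
// (the downloaded bytes hash to the digest the vendor published). Because the
// signature covers the manifest, an attacker who alters the file cannot also
// rewrite the digest without the vendor's private key.
func VerifyVendorPackage(vendorPub ed25519.PublicKey, manifest, sig []byte, name string, data []byte) error {
	if !ed25519.Verify(vendorPub, manifest, sig) {
		return errors.New("authenticity failure: manifest signature does not verify against the pinned vendor key")
	}
	digests, err := parseManifest(manifest)
	if err != nil {
		return err
	}
	want, ok := digests[name]
	if !ok {
		return fmt.Errorf("%s is not listed in the vendor manifest", name)
	}
	if got := sha256Hex(data); got != want {
		return fmt.Errorf("integrity failure for %s: manifest says %s, file hashes to %s", name, want, got)
	}
	return nil
}

// Scenario runs three constructed cases: a genuine package must pass, a
// tampered file must be rejected, and a forged manifest must be rejected.
func Scenario() (genuineOK, fileTamperCaught, manifestTamperCaught bool) {
	// Key pair generated here only to keep the example self-contained.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	firmware := []byte("constructed sample firmware image v1.2.3") // constructed artefact
	manifest, sig := BuildSignedManifest(priv, map[string][]byte{"rtu-fw-1.2.3.bin": firmware})

	genuineOK = VerifyVendorPackage(pub, manifest, sig, "rtu-fw-1.2.3.bin", firmware) == nil

	tamperedFw := append([]byte{}, firmware...)
	tamperedFw[0] ^= 0xFF // flip one byte of the delivered file
	fileTamperCaught = VerifyVendorPackage(pub, manifest, sig, "rtu-fw-1.2.3.bin", tamperedFw) != nil

	// A forged manifest that matches the tampered file still carries the old signature.
	forged := []byte("rtu-fw-1.2.3.bin " + sha256Hex(tamperedFw) + "\n")
	manifestTamperCaught = VerifyVendorPackage(pub, forged, sig, "rtu-fw-1.2.3.bin", tamperedFw) != nil
	return
}

func main() {
	a, b, c := Scenario()
	fmt.Printf("genuine accepted: %v, tampered file rejected: %v, forged manifest rejected: %v\n", a, b, c)
}
```

The point a compliance program should capture is the ordering: a digest check alone only proves the file matches what was downloaded alongside it, while the signature check ties that digest back to the vendor. Evidence for an audit would be the pinned key, the verification log, and the documented handling of a failed check.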

Entities are required to implement a plan that addresses six specific areas—in contract language as well as technical and process controls (see chart). The CIP-013 standards become enforceable on July 1, 2020.

NERC is authorized to penalize registered entities up to $1 million per day per outstanding violation of CIP-013. Between 2016 and 2018, multiple penalties were levied, reaching as high as $2.8 million for a single violator.

The CIP-013 requirements

Start your journey

Deloitte can help you understand what compliance steps you can take. Our electric P&U cybersecurity supply chain risk management solution includes a four-step process to:

  • Define the impact of the new standard, which spans potentially hundreds of vendors, their hardware, software, and systems
  • Build a plan to systematically manage the myriad cybersecurity risk management actions throughout the supply chain
  • Execute cyber risk assessments across vendors and contractors
  • Implement the C-SCRM requirements in a comprehensive and sustainable program

Get started. Deloitte can help. Understand, prepare, and implement the changes required to be compliant. Reach out to us to request a briefing, receive our playbook, and explore a workshop facilitated by Deloitte.

Together, we can:

  • Prepare the scope
  • Identify the challenges
  • Define compliance approaches
  • Align stakeholders

Watch a replay of our recent Dbriefs webcast, "Cybersecurity Supply Chain Risk Management: Are you prepared?" Don't leave your planning to chance. What should you do before the NERC CIP-013 standard takes effect on July 1, 2020? View the on-demand webcast to learn more.

Let's talk

Sharon Chand
C-SCRM Solution Owner
Principal, Cyber Risk
Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
+1 312 486 4878


Steve Batson
ICS/OT/C-SCRM
Senior manager, Cyber Risk
Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
+1 615 734 4505

Sam Icasiano
C-SCRM Solution Architect
Senior manager, Cyber Risk
Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
+1 973 602 6091


Matt Barbera
Power & Utilities Cyber Regulation
Senior manager, Cyber Risk
Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
+1 212 436 3487

Shari Gribbin
Regulatory and Legal
Senior manager, Cyber Risk
Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
+1 202 220 2184
