New cybersecurity supply chain risk management (C-SCRM) regulations

December 11, 2018 | Energy, resources, and industrials

The changes take place against a backdrop of increased threats and threat vectors confronting the energy system supply chain—including insertion of counterfeit components in critical systems, poor vendor manufacturing processes, and increased use in third-party vendors. Recent examples include attacks on industrial control system vendor websites that have been linked to Russia and the proliferation of compromised microchips originating in China.

The three updated CIP standards apply to assets that are rated as high- and medium-impact according to the criteria of NERC, which includes assets such as control centers and certain substations and generation stations. This is the latest set of updates to the existing CIP standards. Overall, they represent some of the most broadly reaching standards to date in the areas of a business they touch. This includes areas that haven’t traditionally had CIP responsibilities, such as supply and procurement, as well as third-party vendors, system integrators, and software providers.

• CIP-013/Cybersecurity—supply chain risk management calls upon registered entities to develop documented C-SCRM plans to identify and assess risks related to vendor products, installing vendor products and software, and even transitioning from one vendor to another. In addition to having an overarching plan, the requirements also explicitly cover six key required process areas—but do not specify how to implement them. The six covered areas are vendor security incident notification, coordinated vendor incident response, vendor personnel termination notification, vendor vulnerability disclosures with respect to products and services, verification of vendor software integrity and authenticity, and coordination of vendor remote access controls.
• CIP-005/Cybersecurity—electronic security perimeters require registered entities to uphold two new standards identifying active vendor remote access sessions and establishing methods to disable active vendor remote access sessions. Whereas CIP-013, above, requires addressing this risk through a plan and potential procurement controls, CIP-005 captures the technical requirement that needs to be addressed.
• CIP-010/Cybersecurity—configuration change management and vulnerability assessments make it mandatory for an entity to verify where its software originates as well as the integrity of the software it has obtained from its source. The intent is to make it increasingly difficult for attackers to take advantage of vendor patch and software distribution practice to introduce compromises into a system.

Because of the number and complexity of the vendor relationships and contracts involved—often reaching into the thousands—implementation of these changes make a case for moving away from manual, labor-intensive action. The depth of analysis required becomes even greater when the risk comes not only from direct vendors (third parties) but multiple tiers of the vendors’ vendors (fourth parties and beyond). For affected organizations, operating this supply chain security program in a sustainable way will likely require automation. While this is a new and potentially disruptive prospect for the energy organizations in question, there are precedents, and maybe lessons, in industries such as financial services that have a history of automation in vendor risk management. Merely illuminating the full scope of an organization’s vendor ecosystem, even before assessing contracting terms and access points, will likely be a major challenge.

Other hurdles for organizations affected by the CIP updates include the need for organizational alignment among business areas such as procurement, operations (Industrial Controls System and Operational Technology, substation/transmission, and plant/generation operations), security, supply, legal, and compliance. They’ll need to work together—and with third parties, and potentially fourth parties—to implement the new standards, and ownership of the overall process needs to be clear. Instances where providers cannot meet a registered entity’s expectations also require processes to develop and implement controls to mitigate cybersecurity supply chain risks.

As in all security operations, the balance between containing risk and sustaining operations applies here, but it may be more acute with CIP-013 because FERC has only identified focus areas instead of imposing a specific plan of action from above. Presumably, the standard will be audited differently from one registered entity to another, based on how one has structures and words their supply chain risk management plan.

Logical first steps in addressing these updated requirements may include identifying and inventorying contracts and vendors, as well as mapping each to its respective business owner. Only then can readiness assessments and “health checks” of existing controls take place. Affected entities should have their planning for the compliance process in place by the first quarter of 2019, which would leave a year to define the compliance approach; conduct the risk assessments; and implement the people, process, and technology changes in their systems and with their vendors. Evidence—from renegotiated and new vendor contracts to technical controls related to verification of integrity and authenticity of vendor software—can help to demonstrate compliance with the new requirements, which will take effect July 1, 2020.

The electric industry has worked hard to build security and resiliency into the electric grids they operate. NERC standards changes are moving the spotlight to an equally vital risk area that is harder to see and protect than towers, cables, and substations: the code, components, and permissions that keep the grid running. These three CIP updates may be a new wrinkle, but they support the underlying principle of resilience, and the result should help make operators more confident.

Contact us