New cybersecurity supply chain risk management (C-SCRM) regulations

Implementing CIP-013 compliance

With Federal Energy Regulatory Commission (FERC) approval of the latest addition to Critical Infrastructure Protection (CIP) requirements, North American Electric Reliability Corporation (NERC)-registered entities will have to meet new standards by a July 1, 2020, enforcement date.

December 11, 2018 | Energy, resources, and industrials

The changes take place against a backdrop of increased threats and threat vectors confronting the energy system supply chain—including insertion of counterfeit components in critical systems, poor vendor manufacturing processes, and increased use in third-party vendors. Recent examples include attacks on industrial control system vendor websites that have been linked to Russia and the proliferation of compromised microchips originating in China.

The three updated CIP standards apply to assets that are rated as high- and medium-impact according to the criteria of NERC, which includes assets such as control centers and certain substations and generation stations. This is the latest set of updates to the existing CIP standards. Overall, they represent some of the most broadly reaching standards to date in the areas of a business they touch. This includes areas that haven’t traditionally had CIP responsibilities, such as supply and procurement, as well as third-party vendors, system integrators, and software providers.

  • CIP-013/Cybersecurity—supply chain risk management calls upon registered entities to develop documented C-SCRM plans to identify and assess risks related to vendor products, installing vendor products and software, and even transitioning from one vendor to another. In addition to having an overarching plan, the requirements also explicitly cover six key required process areas—but do not specify how to implement them. The six covered areas are vendor security incident notification, coordinated vendor incident response, vendor personnel termination notification, vendor vulnerability disclosures with respect to products and services, verification of vendor software integrity and authenticity, and coordination of vendor remote access controls.
  • CIP-005/Cybersecurity—electronic security perimeters require registered entities to uphold two new standards identifying active vendor remote access sessions and establishing methods to disable active vendor remote access sessions. Whereas CIP-013, above, requires addressing this risk through a plan and potential procurement controls, CIP-005 captures the technical requirement that needs to be addressed.
  • CIP-010/Cybersecurity—configuration change management and vulnerability assessments make it mandatory for an entity to verify where its software originates as well as the integrity of the software it has obtained from its source. The intent is to make it increasingly difficult for attackers to take advantage of vendor patch and software distribution practice to introduce compromises into a system.

Because of the number and complexity of the vendor relationships and contracts involved—often reaching into the thousands—implementation of these changes make a case for moving away from manual, labor-intensive action. The depth of analysis required becomes even greater when the risk comes not only from direct vendors (third parties) but multiple tiers of the vendors’ vendors (fourth parties and beyond). For affected organizations, operating this supply chain security program in a sustainable way will likely require automation. While this is a new and potentially disruptive prospect for the energy organizations in question, there are precedents, and maybe lessons, in industries such as financial services that have a history of automation in vendor risk management. Merely illuminating the full scope of an organization’s vendor ecosystem, even before assessing contracting terms and access points, will likely be a major challenge.

Other hurdles for organizations affected by the CIP updates include the need for organizational alignment among business areas such as procurement, operations (Industrial Controls System and Operational Technology, substation/transmission, and plant/generation operations), security, supply, legal, and compliance. They’ll need to work together—and with third parties, and potentially fourth parties—to implement the new standards, and ownership of the overall process needs to be clear. Instances where providers cannot meet a registered entity’s expectations also require processes to develop and implement controls to mitigate cybersecurity supply chain risks.

As in all security operations, the balance between containing risk and sustaining operations applies here, but it may be more acute with CIP-013 because FERC has only identified focus areas instead of imposing a specific plan of action from above. Presumably, the standard will be audited differently from one registered entity to another, based on how one has structures and words their supply chain risk management plan.

Logical first steps in addressing these updated requirements may include identifying and inventorying contracts and vendors, as well as mapping each to its respective business owner. Only then can readiness assessments and “health checks” of existing controls take place. Affected entities should have their planning for the compliance process in place by the first quarter of 2019, which would leave a year to define the compliance approach; conduct the risk assessments; and implement the people, process, and technology changes in their systems and with their vendors. Evidence—from renegotiated and new vendor contracts to technical controls related to verification of integrity and authenticity of vendor software—can help to demonstrate compliance with the new requirements, which will take effect July 1, 2020.

The electric industry has worked hard to build security and resiliency into the electric grids they operate. NERC standards changes are moving the spotlight to an equally vital risk area that is harder to see and protect than towers, cables, and substations: the code, components, and permissions that keep the grid running. These three CIP updates may be a new wrinkle, but they support the underlying principle of resilience, and the result should help make operators more confident.

Contact us

Sharon Chand
Power & Utilities | Cyber Risk
Deloitte Risk and Financial Advisory
Deloitte & Touche LLP


Brian Murrell
Power & Utilities practice leader
Deloitte Risk and Financial Advisory
Deloitte & Touche LLP


Sam Icasiano
Senior manager
Power & Utilities | Cyber Risk
Deloitte Risk and Financial Advisory
Deloitte & Touche LLP


Bryan Goshorn
Senior manager
Supply Chain Risk | Risk Intelligence
Deloitte Risk and Financial Advisory
Deloitte & Touche LLP


This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Site-within-site Navigation. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Did you find this useful?