NERC CIP-013-1. Tough love for the bulk electric industry

Published on April 24, 2018

Complying with compliance mandates doesn’t eliminate risk. However, your efforts to comply with a mandate can improve your processes. That’s the assessment after attending the webinar: Reg Watch: Cyber Risk in the Supply Chain, which you can watch right now. The webinar features Patrick Miller, Managing Partner of Archer Energy Solutions, with a lively discussion on cyber risk in the utility supply chain, and a standard designed to address it.    

The mandate discussed is NERC CIP-013-1 Cyber Security – Supply Chain Risk Management. NERC stands for North American Electric Reliability Corporation and most everyone who is in the utility industry or serves it knows NERC. 

NERC CIP-013-1 is the electric sector’s answer to supply chain cyber security risk management. Rapidly advancing technologies have created both opportunities and risks. Many innovations, such as consumers selling back energy to utilities, have come directly from technology adoption. That said, while the utility supply chain has historically been a weakness, cyber risk has made the supply chain even weaker. The risk of espionage from a nation-state or industrial player is a clear and present danger.  A hardware supplier, for example, could unknowingly create a back door into a utility through a compromised component installed on the network.  

The growing trend toward cyber risk prompted NERC to release CIP-013-1 and require compliance by utilities and utility vendors. The webinar offered optimism with a dose of realism. Being about electricity, the webinar guidance is illuminating.  

Here are five webinar highlights on CIP-013-1’s impact that you can apply to your utility or vendor’s supply chain risk management program: 

  1. Step up your assessments
    CIP-013-1’s requirement to address cyber risk in the supply chain will demand that utilities assess vendors and their products and services. Vendors will need to provide a more granular level of visibility to utilities. To help facilitate this information exchange, utilities can take advantage of frameworks and technology for managing assessments. For efficiency on the vendor side of the assessment, they can compile a database of answers to standard assessment questions.
  2. Roll up your sleeves after the assessment
    Whether you send or receive the assessment, answers and findings are only the beginning. The real work is in the adjustments coming from the assessment. If a vendor discloses a vulnerability or incident, what’s your mitigation and remediation process as a utility?  For vendors, self-reflection through assessment questions often leads to changing processes, which takes time and effort.
  3. Embrace a framework and pick up the lingo
    There’s no need to reinvent the wheel. There is a tremendous amount of resources available on risk management in the supply chain. Whether you are a utility or a vendor, embracing a common framework and lexicon helps facilitate understanding between the two parties. Supply chain security frameworks and resources include BSI: BS ISO 28000:2007, NIST CSF, SP800-161, and SANS.
  4. Expect higher costs and longer timelines
    Implementing a supply chain risk management program to meet the CIP-013-1 mandate will slow the procurement process and increase costs due to administrative overhead and rules. Utilities and vendors need to educate company leaders to expect cost and time increases during this transition period. The good news: costs will moderate, and timelines will improve over time.
  5. Be the solution, not the problem
    Many utilities and vendors will be reluctant and even combative when it comes to adopting risk management practices to address cyber risk in the supply chain. Review the standard and understand what it means for your organization. Cyber risk shouldn’t be ignored. Webinar speaker, Patrick Miller, Managing Partner with Archer Energy Solutions, put it this way: “NERC has given you rope with CIP-013-1. You can use the rope to make a noose or create a hammock.”  

For more guidance on NERC CIP-013-1 adoption, watch the webinar. The cyber threat to the electric industry’s supply chain is real but also manageable with the right technology. The key? Embrace the NERC standard that is designed to serve both utilities and vendors and empower cyber risk management in the supply chain.  

Related Articles: