NERC CIP-013-1. Tough love for the bulk electric industry
Complying with compliance mandates doesn’t eliminate risk. However, your efforts to comply with a mandate can improve your processes. That’s the assessment after attending the webinar: Reg Watch: Cyber Risk in the Supply Chain, which you can watch right now. The webinar features Patrick Miller, Managing Partner of Archer Energy Solutions, with a lively discussion on cyber risk in the utility supply chain, and a standard designed to address it.
The mandate discussed is NERC CIP-013-1 Cyber Security – Supply Chain Risk Management. NERC stands for North American Electric Reliability Corporation and most everyone who is in the utility industry or serves it knows NERC.
NERC CIP-013-1 is the electric sector’s answer to supply chain cyber security risk management. Rapidly advancing technologies have created both opportunities and risks. Many innovations, such as consumers selling back energy to utilities, have come directly from technology adoption. That said, while the utility supply chain has historically been a weakness, cyber risk has made the supply chain even weaker. The risk of espionage from a nation-state or industrial player is a clear and present danger. A hardware supplier, for example, could unknowingly create a back door into a utility through a compromised component installed on the network.
The growing trend toward cyber risk prompted NERC to release CIP-013-1 and require compliance by utilities and utility vendors. The webinar offered optimism with a dose of realism. Being about electricity, the webinar guidance is illuminating.
Here are five webinar highlights on CIP-013-1’s impact that you can apply to your utility or vendor’s supply chain risk management program:
- Step up your assessments
CIP-013-1’s requirement to address cyber risk in the supply chain will demand that utilities assess vendors and their products and services. Vendors will need to provide a more granular level of visibility to utilities. To help facilitate this information exchange, utilities can take advantage of frameworks and technology for managing assessments. For efficiency on the vendor side of the assessment, they can compile a database of answers to standard assessment questions.
- Roll up your sleeves after the assessment
Whether you send or receive the assessment, answers and findings are only the beginning. The real work is in the adjustments coming from the assessment. If a vendor discloses a vulnerability or incident, what’s your mitigation and remediation process as a utility? For vendors, self-reflection through assessment questions often leads to changing processes, which takes time and effort.
- Embrace a framework and pick up the lingo
There’s no need to reinvent the wheel. There is a tremendous amount of resources available on risk management in the supply chain. Whether you are a utility or a vendor, embracing a common framework and lexicon helps facilitate understanding between the two parties. Supply chain security frameworks and resources include BSI: BS ISO 28000:2007, NIST CSF, SP800-161, and SANS.
- Expect higher costs and longer timelines
Implementing a supply chain risk management program to meet the CIP-013-1 mandate will slow the procurement process and increase costs due to administrative overhead and rules. Utilities and vendors need to educate company leaders to expect cost and time increases during this transition period. The good news: costs will moderate, and timelines will improve over time.
- Be the solution, not the problem
Many utilities and vendors will be reluctant and even combative when it comes to adopting risk management practices to address cyber risk in the supply chain. Review the standard and understand what it means for your organization. Cyber risk shouldn’t be ignored. Webinar speaker, Patrick Miller, Managing Partner with Archer Energy Solutions, put it this way:”NERC has given you rope with CIP-013-1. You can use the rope to make a noose or create a hammock.”
For more guidance on NERC CIP-013-1 adoption, watch the webinar. The cyber threat to the electric industry’s supply chain is real but also manageable with the right technology. The key? Embrace the NERC standard that is designed to serve both utilities and vendors and empower cyber risk management in the supply chain.
Read about some of the highlights from our expert panel discussion.
Read on for our top five strategies for shoring up your company’s third-party cybersecurity defenses.
“If it sounds too good to be true, it probably is.” That helps explain the attraction and danger with assessment exchanges for third-party risk management.