Know Your Vendor: NERC CIP-013-1Addresses Supply Chain Cyber Risks
by Mark Rabuano – Manager, NERC Services
NERC’s targeted expansion of its oversight of cyber security could significantly impact the industry by next year. On January 19, 2017, NERC issued a draft of CIP-013-1 (Cyber Security – Supply Chain Risk Management) for formal comment and ballot. This Standard would require responsible entities to develop and implement a plan and controls to mitigate risk associated with supply chain cyber security for BES Cyber Systems.
NERC developed CIP-013-1 in response to FERC Order 829, issued July 21, 2016, which directed NERC to develop a new or modified reliability standard addressing supply chain risk management for industrial control system hardware, software and computing and networking services associated with Bulk Electric System (BES) operations. Motivated by the lack of supply chain security controls, FERC had moved forward with this directive despite pushback from a number of interested parties that questioned the need for NERC regulation of supply chain management.
NERC’s comment period for the current draft Standard closes March 6, 2017, with a deadline to file for FERC approval by September 2017. Under NERC’s proposed plan, the approved Standard would then take effect one year after FERC’s approval. While this may sound like generous lead time for entities to consider impacts to their supply
chain management, information security and procurement processes, prior NERC CIP implementation has taught the industry to mobilize sooner rather than later in preparing for new Standards.
As currently drafted, CIP-013-1 will require entities to perform the following:
- Document and implement a supply chain risk management plan and controls to mitigate cyber security risk to BES Cyber Systems (R1)
- Include controls that address potential risks during the procurement and deployment of vendor products/services (e.g., a process for notification of vendor security events (R1)
- Review and update the risk management plan at least once every 15 months to ensure periodic reassessment of selected controls and potential supply chain risks (R2)
- Implement a process to verify the integrity and authenticity of software and firmware before being placed in operation on High and Medium BES Cyber Systems (R3)
- Document a policy addressing software integrity and authenticity for Low Impact BES Cyber Systems (R5)
- Implement a process to control vendor remote access to High and Medium BES Cyber Systems (R4)
- Document a policy addressing vendor-initiated remote access for Low Impact BES Cyber Systems (R5)
Recognizing the diversity of responsible entities’ environments, systems, cyber security policies and supply chains, NERC drafted CIP-013-1 to allow flexibility in developing tailored controls and processes. It will likely require cross-functional participation of information security/IT, procurement and legal teams in order to implement it fully. For example, NERC expects entities to address supply chain risks through their procurement and contract negotiation processes, which could be accomplished by using standardized language in requests for proposals and supplier agreement templates.
High and Medium systems will, in addition, need to implement specific technical processes and controls for addressing software integrity and vendor remote access. Under the draft standard, responsible entities would have the flexibility either to apply these controls to their Low Impact systems or develop separate processes. Regardless, entities with only Low Impact systems will need to achieve minimum supply chain controls – for example, procedures and checklists for validating the integrity and source of software prior to installation.
NERC has attempted to address the web of jurisdictional, compliance and contractual challenges presented by the Standard through the following guidance:
- NERC will not require entities to abrogate or renegotiate vendor contracts that were executed prior to the forward-looking Standard’s effective date, which may introduce administrative challenges for entities tracking their respective procurement relationships with ‘legacy’ and CIP-013 vendors for particular BES Cyber Systems.
- Entities have minimal control to compel suppliers to accept any terms during the negotiation of procurement contracts. Successful implementation of an entity’s risk mitigation plan is supported by coordination and cooperation with the vendor community, but RFP or contract terms that are overly prescriptive may increase the risk of vendors walking away from providing certain services.
- NERC has recognized that obtaining specific controls in a negotiated contract with a vendor may not be feasible and therefore would not be considered as a failure by an entity to implement its plan.
As of this writing, it is too early to tell how the following changes in FERC leadership may affect this Standard’s future:
- On January 26, 2017, President Trump designated Commissioner Cheryl LaFleur as Acting Chair replacing Norman Bay, who resigned from FERC effective February 3. With Bay’s departure, FERC will lack the quorum of three Commissioners required to act on significant orders until replacement Commissioners are confirmed.
- Commissioner LaFleur was the single Commissioner who dissented on FERC Order 829, finding that the Commission issued a Final Rule without adequate additional stakeholder outreach and engagement on the contents of the directive and objectives of the Standard.
- This would suggest that the Standard that NERC submits to FERC for approval will be subject to a vigorous review, which is appropriate given the complex issues inherent in regulating supply chain risk management in the electric industry.
We will continue to provide periodic updates on the status and proposed timeline of this draft Standard. Once there is more certainty, we will be better able to support responsible entities’ planning and implementation of the Standard – including development of tailored procedures, agreement templates and controls to support an entity’s supply chain risk management plan. As always, we are happy to partner with responsible entities to navigate the complex business, compliance and procurement challenges presented by any NERC Standard.