On October 18, 2018 the Federal Energy Regulatory Commission (FERC) issued Order No. 850 approving three NERC Critical Infrastructure Protection Reliability Standards including CIP-013-1. This new supply chain standard requires electric utilities (including Distribution Providers) to phase in risk management practices for control system related asset acquisition. This is the first time NERC has addressed utility procurement processes. Modifications to CIP-005-6 and CIP-010-3 have also been proposed to conform to FERC directives.
The new standards will require electric utilities to develop, document, and implement supply chain cyber security risk management plans for high and medium impact BES Cyber Systems. The new regulations are aimed at ensuring software integrity and authenticity, strengthening vendor remote access protections, information system planning, and addressing vendor risk management procedures and controls.
FERC approved NERC’s implementation plan which provides various due dates for assets depending on circumstances. For instance, new high impact BES Cyber Systems have a 12-month implementation plan requirement, while existing BES Cyber Systems may have up to 24 months to comply.
The standards require each utility to develop and implement plans that include security controls for supply chain management for industrial control system hardware, software, and services related to bulk electric system operations. Utilities will have until June 2020 to comply with the new standards, in large part because it is projected that compliance will require significant technical upgrades which could impact capital budgets and planning cycles. Existing procurement agreements are not affected.
The implementation guidance provided by NERC offers considerations for methods to be employed in implementing the requirements in CIP-013-1. Examples of approaches that utilities could use to meet the requirements are provided. The examples do not constitute the only approaches to complying with CIP-013-1 and utilities may develop alternative approaches that better fit their situation. TRC can assist your company with these important decisions. The North American Transmission Forum (NATF) also offers implementation guidance which is provided below.
Related Areas for Future Standard Development
FERC expressed concern in its final rule that security gaps in the electrical grid continue to be unaddressed. FERC noted that firewalls, authentication servers, security event monitoring systems, intrusion detection systems, alerting systems and other components that fall under the category of electronic access control and monitoring systems (EACMS) are not covered by NERC’s standard proposal. FERC noted that EACMS, if compromised, could give attackers control of assets requiring protection from cyber-attack. FERC has therefore directed NERC to develop modifications to the approved standards to bring EACMS within the scope of supply chain risk management.
To address this issue, FERC gave NERC 24 months to develop modifications that include EACMS associated with medium and high impact BES Cyber Systems. In its order, FERC noted that EACMS provide the first line of defense against cyber threats to operational control systems and therefore must be included in the new standards.
In addition to adding EACMS, NERC has committed to further evaluating whether the reliability standards should be expanded even further to include other cyber assets and systems, for example motion sensors and badge readers that control access to a facility’s physical perimeter.
NERC is planning to take an active role in helping utilities stay ahead of cyber security supply chain risk management challenges. Discussions regarding a third-party accreditation process are underway. Utilities should review the details of CIP-013-1, CIP-005-6 and CIP-010-3 to identify the procurement process changes needed for compliance. It is important to begin as soon as possible to meet implementation deadlines. NERC has prepared an in-depth guidance document to assist with the transition and explain the basis for the changes. TRC’s experts can help you understand your regulatory obligations, inventory and characterize your hardware and software assets, evaluate and assess the potential risks, and develop a plan for bringing your systems and procedures into full compliance.