Energy Currents
A Blog by Enerdynamics

In response to the standards, utilities should first assess the maturity of their current supply chain risk management practices in relation to the new mandates. Next, actions necessary to close gaps should be prioritized using a risk-based approach that matches the character of response to the seriousness of the risk. Entities have 18 months to implement the new regulations. For many entities, this will involve implementing changes to procurement practices, equipment specifications, standard terms and conditions in vendor contracts and agreements.

While new to NERC-CIP, other cybersecurity regulatory frameworks such as Federal Information Security Management Act (FISMA) and ISO 27001 have included supply chain management standards for some time. Mature reference materials are available to help utilities develop and implement their supply change risk management plans.

Some important related resources include:

• The National Institute of Standards (NIST) Special Publication (SP) 800-39: Managing Information Security Risk: Organization, Mission, and Information System View — defines a structured, yet flexible approach for managing information security risk that supports is a best practice applicable to all information security domains. 
• NIST SP 800-161: Supply Chain Risk Management Practices for Federal Information Systems — builds on SP- 800-39 to give more detailed guidance that can also be applied to electric utilities.
• Department of Energy’s Cybersecurity Procurement Language for Energy Delivery Systems guidance document  —  contains sample baseline cybersecurity procurement language that may be helpful to utilities when updating their existing processes and procedures. This is critical since including security controls in purchasing and vendor service contracts is very important part of supply chain risk management.

Some observers worry that the aggressive timeline for the standards' creation may cause unintended consequences and that the relative flexible and open-ended character of the standards lack the specific objective measures, which will make them difficult to administer and audit. These are legitimate concerns, but it is critical that the industry becomes more nimble and quick to respond to emerging cybersecurity threats, so it is imperative to find ways to expedite rulemaking while maintaining quality. Much of the “heavy lifting” involved with researching and developing cybersecurity supply chain risk management best practices had already been done by NIST, DOE, and other industry groups. NERC’s task was to adapt those practices for administration through the Critical Infrastructure Program, not develop an entire new body of work.

It is true that the flexible character of the NIST risk management frameworks will require a different approach to developing and auditing operating practices, which may create some headaches. But this approach provides much greater flexibility in allowing utilities to develop protection programs tailored to their specific needs. The value of that flexibility is worth the price of ambiguity. 

To learn more about protection of energy companies, or advance your knowledge within the utilities industry, browse through our online e-course materials and sign up your entire team for a remote lesson today! 

---------------------------------------

Footnotes:

[1] Affected entities include balancing authorities and reliability coordinators (including ISOs/RTOs), generation owners and operators, transmission owners and operators, and limited distribution equipment or systems that are used for protection of the bulk electric system.

Back to blog home page