New NERC Standards Extend Cybersecurity Protection for Energy Companies
by Tom Vosburg, Enerdynamics Project Manager
The North American Electric Reliability Corporation (NERC) adopted CIP-013-1 in October, a new mandatory Critical Infrastructure Protection standard to address cybersecurity supply chain risk management. Its adoption marked another important milestone in efforts to better secure the nation’s bulk electric system. Work on the new standard began in 2016 in response to FERC Order No. 829, which gave NERC 12 months to develop a package of recommended cybersecurity supply chain protection standards, an aggressive timeline considering the scope and complexity of the issues to address.
The new regulations mandate that affected entities develop a Cyber Security Risk Management Plan that:
- includes a comprehensive set of well-defined operating processes to protect against supply chain risks
- specifies security controls that address software integrity
The plan must also address better management of vendor remote access to utility systems, and it must demonstrate integration of cybersecurity risk management into every phase of information system lifecycle planning through operation and asset disposal.
In response to the standards, utilities should first assess the maturity of their current supply chain risk management practices against the new mandates. Next, the actions necessary to close gaps should be prioritized using a risk-based approach that matches the character of the response to the seriousness of the risk. Entities have 18 months to implement the new regulations. For many entities, this will involve changes to procurement practices, equipment specifications, and the standard terms and conditions in vendor contracts and agreements.
While new to NERC CIP, other cybersecurity regulatory frameworks such as the Federal Information Security Management Act (FISMA) and ISO 27001 have included supply chain management standards for some time. Mature reference materials are available to help utilities develop and implement their supply chain risk management plans.
Some important related resources include:
- The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-39: Managing Information Security Risk: Organization, Mission, and Information System View — defines a structured yet flexible approach for managing information security risk and is a best practice applicable to all information security domains.
- NIST SP 800-161: Supply Chain Risk Management Practices for Federal Information Systems — builds on SP 800-39 to give more detailed guidance that can also be applied to electric utilities.
- The Department of Energy’s Cybersecurity Procurement Language for Energy Delivery Systems guidance document — contains sample baseline cybersecurity procurement language that may be helpful to utilities when updating their existing processes and procedures. This is critical, since including security controls in purchasing and vendor service contracts is a very important part of supply chain risk management.
Some observers worry that the aggressive timeline for the standards' creation may cause unintended consequences, and that the relatively flexible and open-ended character of the standards lacks specific objective measures, which will make them difficult to administer and audit. These are legitimate concerns, but it is critical that the industry become more nimble and quick to respond to emerging cybersecurity threats, so it is imperative to find ways to expedite rulemaking while maintaining quality. Much of the “heavy lifting” involved in researching and developing cybersecurity supply chain risk management best practices has already been done by NIST, DOE, and other industry groups. NERC’s task was to adapt those practices for administration through the Critical Infrastructure Protection program, not to develop an entirely new body of work.
It is true that the flexible character of the NIST risk management frameworks will require a different approach to developing and auditing operating practices, which may create some headaches. But this approach provides much greater flexibility in allowing utilities to develop protection programs tailored to their specific needs. The value of that flexibility is worth the price of ambiguity.
Affected entities include balancing authorities and reliability coordinators (including ISOs/RTOs), generation owners and operators, transmission owners and operators, and limited distribution equipment or systems that are used for protection of the bulk electric system.