So You Want to Achieve NERC CIP-013-1 Compliance...

Image

Energy efficiency and availability is a major concern for all countries and governments. The electric grid is a vital sector, and any malfunctions will create ripple effects on any nation’s economy. As the grid is heavily dependent on cyber-enabled technologies and a vast chain of suppliers, contractors, and partners, the ability to safeguard the availability and reliability of the grid is crucial.

The introduction of NERC CIP-013-1 standards marks a significant step forward in fortifying our defenses against external threats to the Bulk Electric System, underscoring the high stakes of compliance. This approach emphasizes the urgency and necessity of adopting stringent security measures to protect our energy infrastructure, a mission that demands immediate attention and action from all stakeholders in the energy sector.

Why is CIP-013-1 Compliance Required?

Executive Order 14028, which focuses on improving the cybersecurity of the United States, particularly requires Federal agencies and critical infrastructure entities to take prompt actions to enhance the security and reliability of the software supply chain. As per the Executive Order, it is imperative to implement stricter and more dependable techniques without delay to ensure the safe and intended functioning of critical systems in the electric grid. One of the primary apprehensions is the security and integrity of "critical software," which executes critical operations that require trust.

Considering compliance with NERC CIP-013-1 within the context of Executive Order 14017 on America's Supply Chains will assist electric grid facilities in transitioning to a climate and environment-friendly energy sector.

The energy industry is becoming more global, intricate, and digitally driven. This growth also means that the supply chain for digital components of energy systems, such as software, virtual platforms and services, and data, is becoming more vulnerable to cyber threats. Almost all digital components of U.S. energy sector systems are susceptible to supply chain instability.

Cybersecurity threats to digital assets in the energy sector have become more sophisticated, with attackers exploiting vulnerabilities in various systems. Hostile nations with advanced cyber and intelligence capabilities pose a significant national security risk. Criminal actors also pose a threat, using tactics such as supply chain attacks.

What Are the NERC CIP-013-1 Requirements?

The NERC CIP-013-1 standard aims to minimize supply chain cybersecurity risks to the reliable operation of the BES Cyber Systems. To achieve this objective, CIP-013-1 mandates responsible entities to create documented supply chain cybersecurity risk management plans for high and medium-impact systems. These plans must be reviewed and approved by a CIP Senior Manager every 15 months and should focus on:

• Software integrity and authenticity.
• Vendor remote access.
• System planning and procurement.
• Vendor risk management and procurement controls.

The plans must include the processes utilized in identifying and evaluating the cyber security risks to the BES from purchasing vendor equipment or transitioning from one vendor to another. A systematic method of coordinating actions between responsible entities and suppliers for such incidents must also be included in the plans.

Other necessary elements include:

• A notification process for when vendor personnel no longer require remote and on-site access to the BES.
• The full disclosure of known vulnerabilities by the vendor to the responsible entity.
• Vendor verification for the integrity and authenticity of all software and patches supplied to the network.

CIP-013-1 Compliance Challenges

One of the main challenges is determining the scope of their compliance activities and managing vendor relationships. NERC CIP-013-1 only applies to high- and medium-risk BES cyber systems, leaving responsible entities to decide the extent of their compliance activities. An expanded approach can lead to greater consistency and better cyber hygiene across the business, especially when products are used across high-, medium-, and low-risk BES cyber systems.

Furthermore, to achieve compliance, it is important for vendors and energy players to establish strong, trust-based relationships and meaningful partnerships. Lastly, responsible entities should establish clear channels for vulnerability and incident notifications between vendors and the responsible entity.

Achieving and maintaining NERC CIP-013-1 Compliance

To ensure NERC CIP-013-1 compliance, organizations need to adopt a strategic approach with an adequate policy and allocate sufficient resources. The compliance team should align efforts with other cybersecurity frameworks, such as NIST Cybersecurity Framework and IEC/ISA 62443 standards, and should be overseen and sponsored by business leaders. It's also important to prioritize third-party cybersecurity and establish a robust change control program to maintain BES high- and medium-impact cyber systems.

Organizations Trust Fortra’s Tripwire for NERC CIP Compliance

Complying with NERC CIP-013-1 is an important first step in safeguarding the nation’s electric infrastructure from cyberattacks that originate among supply chain vendors. Taking steps early on to ensure sustainability and developing a coherent strategy can make compliance a solid foundation upon which to establish additional tailored supply chain cyber protections.

As a recognized leader in solutions for IT and OT security and compliance, Tripwire has extensive experience helping customers automate compliance for numerous standards across almost any device, platform and system. With the Tripwire NERC Solution Suite, electric utilities have a comprehensive solution—from products to customized extensions and content and expert consulting—to help them automate and simplify NERC compliance.

To learn more, download this short executive brief to get the need-to-know details on NERC CIP-013 cybersecurity best practices.