As the world prepares for the winter of 2022, energy efficiency and availability have become a major concern for every country and government. The electric grid is a vital sector, and any malfunction creates ripple effects across a nation’s economy. Because the grid depends heavily on cyber-enabled technologies and on a vast chain of suppliers, contractors and partners, the ability to safeguard its availability and reliability is crucial.
To safeguard North America’s electric grid, the North American Electric Reliability Corporation (NERC) has issued a set of Critical Infrastructure Protection (CIP) standards. CIP-013-1, which became enforceable on October 1, 2020 (after FERC delayed the original July 2020 date), addresses the risks that third-party vendors in the supply chain introduce to the Bulk Electric System (BES). NERC is authorized to penalize registered entities up to $1 million per day per outstanding violation, and the total cost of non-compliance is higher still once the effort required to remediate the findings is counted.
Why is CIP-013-1 Compliance Required?
President Biden’s Executive Order 14028 on Improving the Nation’s Cybersecurity calls for Federal agencies and critical infrastructure entities to “take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software.”
According to the EO, more stringent and reliable methods must be put in place immediately to guarantee that critical systems, such as those used in the electric grid, work safely and as designed. A major concern is the security and integrity of "critical software," which the EO (as defined by NIST under it) describes as software that performs functions critical to trust, such as affording or requiring elevated system privileges or direct access to networking and computing resources.
Electric grid facilities should also consider NERC CIP-013-1 compliance in the context of Executive Order 14017 on America’s Supply Chains, which directed a government-wide review of critical supply chains, including a sectoral review of the energy sector industrial base.
A report by the Department of Energy underscores that “as the energy sector grows increasingly globalized, complex, and digitized, the supply chain for digital components of energy systems – including software, virtual platforms and services, and data – is facing greater threats. Nearly all digital components of U.S. energy sector systems are vulnerable to cyber supply chain instability, stemming from a variety of causes and shared among a broad set of interdependent stakeholders.”
Digital assets across energy sector systems have been attacked and exploited by increasingly skilled cyber adversaries. The major dangers include national security threats from hostile nations with advanced cyber and intelligence capabilities, as well as criminal actors using supply chain attacks such as the SolarWinds supply chain breach of 2020.
What Are the Requirements?
The purpose of the NERC CIP-013-1 standard is “to mitigate cyber security risks to the reliable operation of the BES by implementing security controls for supply chain risk management of BES Cyber Systems.” To achieve this, CIP-013-1 requires responsible entities to develop and implement documented supply chain cybersecurity risk management plan(s) for high and medium impact BES Cyber Systems. These plans must be reviewed, and their approval obtained from the CIP Senior Manager or delegate, at least once every 15 calendar months.
These plans should focus on:
- Software integrity and authenticity
- Vendor remote access to BES cyber systems
- Information system planning and procurement
- Vendor risk management and procurement controls
The plans must include the processes used to identify and assess cyber security risks to the BES that arise from procuring and installing vendor equipment and software, and from transitioning from one vendor to another. They must also include a process for vendors to notify the responsible entity of vendor-identified incidents that affect the products or services provided, and a method for coordinating the response to those incidents between the responsible entity and the vendor.
Other necessary elements include:
- A notification process for when vendor personnel no longer require remote or on-site access to BES Cyber Systems
- Disclosure by the vendor of known vulnerabilities in the products or services it provides to the responsible entity
- Verification of the integrity and authenticity of all software and patches the vendor provides for use in BES Cyber Systems
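The last item is the one that is most directly testable in code. As an added illustration (not Tripwire's, NERC's or any vendor's code), the following Python script checks a staged vendor delivery against a vendor-published SHA-256 manifest before anything is installed. It assumes the manifest uses the sha256sum(1) line format ("&lt;hex digest&gt;  &lt;filename&gt;"), and it assumes that the manifest's authenticity (for example a detached signature checked against a vendor key obtained through an independent channel) has already been verified, so it covers only the integrity half of the requirement. The sample delivery it builds in a temporary directory is constructed for the demonstration: one file matches, one has been altered, one is missing, and one arrived that the vendor never declared.

```python
"""Integrity check of vendor-supplied software against a SHA-256 manifest.

Added example, not the page's own code. Assumptions (hypothetical):
  * the vendor publishes SHA256SUMS in sha256sum(1) format;
  * the manifest's authenticity has been established out of band
    (signature verification is not performed here).
"""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict

MANIFEST_NAME = "SHA256SUMS"


def parse_manifest(text: str) -> Dict[str, str]:
    """Map filename -> lowercase hex SHA-256; reject malformed lines loudly."""
    digests: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' = binary mode
        try:
            bytes.fromhex(digest)
        except ValueError:
            raise ValueError(f"manifest line {lineno} has a non-hex digest") from None
        digests[name] = digest
    return digests


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large firmware images do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_delivery(staging_dir: Path, manifest: Dict[str, str]) -> Dict[str, str]:
    """Return a per-file status: ok, mismatch, missing, or unlisted.

    'unlisted' flags a file the vendor did not declare. It must not be
    installed merely because it arrived in the same package.
    """
    report: Dict[str, str] = {}
    for name, expected in manifest.items():
        target = staging_dir / name
        if not target.is_file():
            report[name] = "missing"
            continue
        actual = sha256_file(target)
        # compare_digest avoids leaking which prefix of the digest matched.
        report[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    for entry in sorted(p.name for p in staging_dir.iterdir() if p.is_file()):
        if entry not in manifest and entry != MANIFEST_NAME:
            report[entry] = "unlisted"
    return report


def approved(report: Dict[str, str]) -> bool:
    """Only a non-empty report in which every file is 'ok' clears the delivery."""
    return bool(report) and all(status == "ok" for status in report.values())


def demo() -> Dict[str, str]:
    """Constructed sample delivery (not real vendor files)."""
    good = b"relay-firmware-v4.2.bin contents"
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp)
        (staging / "relay-firmware-v4.2.bin").write_bytes(good)
        (staging / "hmi-patch-2022-10.msi").write_bytes(b"altered in transit")
        (staging / "helper.exe").write_bytes(b"not declared by the vendor")
        manifest_text = (
            f"{hashlib.sha256(good).hexdigest()}  relay-firmware-v4.2.bin\n"
            f"{hashlib.sha256(b'vendor original').hexdigest()}  hmi-patch-2022-10.msi\n"
            f"{'0' * 64}  release-notes.pdf\n"
        )
        (staging / MANIFEST_NAME).write_text(manifest_text)
        manifest = parse_manifest((staging / MANIFEST_NAME).read_text())
        return verify_delivery(staging, manifest)


if __name__ == "__main__":
    result = demo()
    for name, status in result.items():
        print(f"{status:9} {name}")
    print("APPROVED" if approved(result) else "REJECTED: do not stage for install")
```

The point of the fourth status is that a delivery with one extra, undeclared binary is as much a finding as a corrupted one, and that the decision to install should be a single boolean derived from the full report, not a per-file judgement made by whoever happens to run the check. The evidence the script prints (or, in practice, writes to the change record) is exactly what an auditor will ask for under the verification requirement.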
CIP-013-1 Compliance Challenges
When electric utilities and other responsible entities focus on CIP-013-1 compliance, challenges can emerge concerning scoping and vendor relationships.
NERC CIP-013-1 applies only to high- and medium-impact BES Cyber Systems, so responsible entities must make a strategic decision about the scope of their program. The options range from doing exactly what is needed to become and remain compliant to rolling the controls out more broadly, for example to low-impact BES Cyber Systems and potentially to the whole enterprise. The broader approach tends to deliver more consistency and better cyber hygiene against supply chain risk, because the same vendors and products are often used across high-, medium- and low-impact BES Cyber Systems.
One clear imperative is to build strong, trust-based relationships and meaningful partnerships between vendors and energy companies. Software vendors and consultants that support power and utilities companies need to familiarize themselves with the requirements, and some will have to adjust their operations to preserve those business relationships. Responsible entities, for their part, need to define what repercussions a vendor that fails to meet its incident and vulnerability reporting obligations will face, and agree in advance on the form and channel that vulnerability and incident notifications between the vendor and the responsible entity will take.
Achieving and maintaining CIP-013-1 Compliance
Compliance is not a one-off exercise. It is a strategic choice and should be supported by an adequate policy. Power and utilities facilities should, first, determine CIP-013-1 responsibility and ownership. The second step is to begin a dialogue with key stakeholders and vendors on the impact CIP-013-1 compliance will have on their organizations. Third, make sure the organization has enough time and resources to define and implement the controls and demonstrate evidence of compliance.
The team a responsible entity assembles to achieve supply chain cybersecurity compliance is at the center of every CIP-013-1 activity. It performs best when the organization’s leaders sponsor it and oversee its governance and direction.
Align with other standards
It also makes sense to align all NERC CIP-013-1 compliance efforts with the architectures and strategies of other cybersecurity frameworks the organization already uses, such as those based on NIST guidance and the IEC/ISA 62443 standards. Beyond CIP-013-1 itself, related supply chain requirements appear in CIP-005-6 (vendor remote access sessions) and CIP-010-3 (verification of the source and integrity of procured software before it is installed).
Responsible entities can also gain critical insights regarding cybersecurity automation from the broader NERC CIP compliance program on topics such as ensuring that evidence collection follows the best practices developed through prior cycles of regulatory auditing.
Cybersecurity as a top priority
For many organizations, NERC CIP-013-1 will require a shift in cybersecurity priorities. Internal controls such as firewalls and incident detection and response are important, but they do not always protect the organization from attacks that begin in a third party’s systems. When vendors have access to a power and utilities company’s systems, a successful attack on the vendor can quickly become a successful attack on that company. A new focus on assessing, monitoring and improving the cybersecurity of critical third parties is therefore required.
Organizations should put mechanisms in place to validate and verify that vendors meet the CIP-013-1 controls, and to move vendors through the supply chain procedures with a minimum of manual monitoring. They should also automate audits as far as possible, standardizing and orchestrating the evidence-gathering processes and the tools that support them.
Establishing a robust change control program will be crucial for ongoing maintenance and governance of the initiative. The program should clearly identify, approve, and document all modifications and updates made to BES high- and medium-impact cyber systems and associated technologies. Additionally, the change control process should identify and document the retirement of BES cyber systems and the removal of vendors from an approved vendor list.
Organizations Trust Tripwire for NERC CIP Compliance
Complying with NERC CIP-013-1 is an important first step in safeguarding the nation’s electric infrastructure from cyberattacks that originate among supply chain vendors. Taking steps early on to ensure sustainability and developing a coherent strategy can make compliance a solid foundation upon which to establish additional tailored supply chain cyber protections.
As a recognized leader in solutions for IT and OT security and compliance, Tripwire has extensive experience helping customers automate compliance for numerous standards across almost any device, platform and system. With the Tripwire NERC Solution Suite, electric utilities have a comprehensive solution—from products to customized extensions and content and expert consulting—to help them automate and simplify NERC compliance.
By meeting NERC compliance, these companies take important steps towards securing their IT/OT systems against inadvertent misuse and intentional, malicious attacks. In turn, these secure systems help these companies ensure the reliability of North America’s bulk electric system.
To learn more, download this short executive brief to get the need-to-know details on NERC CIP-013 cybersecurity best practices from Tripwire.