Is an electricity provider’s supply chain its weakest link in the event of a cyberattack? The evidence is compelling that third parties often play unwitting roles. For example, the NotPetya ransomware attacks in mid-2017 originally gained a foothold via a backdoor in third-party accounting software. To safeguard North America’s electricity supply, the North American Electric Reliability Corporation (NERC) has issued several critical infrastructure protection (CIP) standards. The CIP-013-1 standard, which FERC approved in the fall of 2018, addresses the vulnerabilities and threat vectors that external third parties in the supply chain can introduce into the Bulk Electric System (BES).
This CIP standard will be enforceable starting on July 1, 2020. Affected companies will need to be able to prove that they’re compliant within 18 months of the NERC CIP-013-1 effective date in order to avoid penalties. NERC is authorized to penalize registered entities up to $1 million per day per outstanding violation. For example, between 2016 and 2018, multiple penalties, some as high as $2.8 million, were levied for violations. The true cost could run even higher, because reported penalty amounts don’t account for the money entities spend to remediate the violations.
Why is CIP-013-1 Required?
On a federal level, revisions of the NIST SP 800-53 standard combine elements of cybersecurity with an increased emphasis on third-party vendors and suppliers. Furthermore, NIST 800-161 specifically addresses 19 areas of supply chain risk management. The IEC/ISA 62443 standard and the SANS Institute also provide guidance focused on supply chain risk management. In line with NIST and SANS, FERC and NERC have recognized that this area also affects utilities, which now rely more heavily on third parties in their supply chains. As a result, FERC Order 829, issued in July 2016, asked for the development of a CIP reliability standard that addresses “supply chain risk management for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations.”
NERC CIP-013-1 comes at a time when many industry regulators are implementing regulations for third-party risk management. Other, broader regulations like GDPR also focus on third-party risk. These regulations follow a long history of third-party data breaches across industries. Research has shown that breaches originating at third parties are among the costliest cyber-attacks. These attacks have caused downtime in major network infrastructure and derailed the physical operations of global companies like FedEx and Maersk. An attack of this nature that affects American power grids could potentially be catastrophic.
What Are the Requirements?
NERC CIP-013-1’s purpose is “to mitigate cyber security risks to the reliable operation of the BES by implementing security controls for supply chain risk management of BES Cyber Systems.” To achieve its purpose, CIP-013-1 requires responsible entities to “develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems.” These plans must be reviewed and approved every 15 months by a CIP Senior Manager.
Mandatory elements of the plan focus on software integrity and authenticity, vendor remote access to BES cyber systems, information system planning and procurement, and vendor risk management and procurement controls.
The plans shall include processes, used when planning the procurement of BES Cyber Systems, to identify and assess cyber security risk(s) to the BES from vendor products or services. These risks include those arising from procuring and installing vendor equipment and software, as well as from transitions from one vendor to another.
In addition, the plans shall include processes for vendors to notify responsible entities about incidents they have identified relating to the supply chain along with a formal way to coordinate responses between responsible entities and suppliers regarding such incidents. Other necessary elements include a notification process for when vendor personnel no longer require remote and on-site access to the BES, the full disclosure of known vulnerabilities by the vendor to the responsible entity, and vendor verification as to the integrity and authenticity of all software and patches supplied to the network. CIP-013-1 stipulates the coordination of all controls for vendor-initiated interactive remote access (IRA) and vendor system-to-system remote access.
While NERC doesn’t give prescriptive guidelines on how to fulfill CIP requirements, it’s worth clarifying potential misinterpretations of CIP-013:
- It’s not a requirement to stop using appliance-based products. An appliance should not, however, be treated as a magic wrapper that mitigates the weaknesses of its subcomponents.
- It’s also not a prohibition on using open source software, as it is possible to verify open source software authenticity and integrity just as with commercial off-the-shelf software.
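The software integrity and authenticity element of the plan is the one that maps most directly onto a concrete technical check. As an added example that is not from this post or from Tripwire, the Python below verifies a received vendor bundle against a sha256sum-style manifest whose own digest was obtained through a separate channel, and flags missing, altered and unlisted files; the file names, contents and manifest are constructed for the demonstration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines: '<64 hex chars>  <relative path>'."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries

def verify_bundle(bundle_dir, manifest_text, published_digest):
    """published_digest: SHA-256 of the manifest obtained out of band (vendor portal, signed
    advisory); a manifest that merely ships with the files cannot vouch for its own origin."""
    bundle_dir = Path(bundle_dir)
    entries = parse_manifest(manifest_text)
    files = {name: "missing" if not (bundle_dir / name).is_file() else
             "ok" if hmac.compare_digest(sha256_file(bundle_dir / name), digest) else "mismatch"
             for name, digest in entries.items()}
    for path in bundle_dir.rglob("*"):  # flag anything the vendor did not list
        rel = path.relative_to(bundle_dir).as_posix()
        if path.is_file() and rel not in entries:
            files[rel] = "unlisted"
    manifest_ok = hmac.compare_digest(
        hashlib.sha256(manifest_text.encode()).hexdigest(), published_digest.lower())
    return {"manifest_ok": manifest_ok, "files": files,
            "ok": manifest_ok and all(v == "ok" for v in files.values())}

def build_demo_bundle():
    """Constructed bundle: one intact file, one altered after the manifest was written, one unlisted."""
    d = Path(tempfile.mkdtemp())
    (d / "relay_fw_2.1.bin").write_bytes(b"constructed firmware image")
    (d / "hmi_patch.msi").write_bytes(b"constructed patch payload")
    manifest = "# constructed vendor manifest\n" + "".join(
        f"{sha256_file(d / n)}  {n}\n" for n in ("relay_fw_2.1.bin", "hmi_patch.msi"))
    published = hashlib.sha256(manifest.encode()).hexdigest()
    (d / "hmi_patch.msi").write_bytes(b"constructed patch payload, altered")
    (d / "extra_tool.exe").write_bytes(b"not in manifest")
    return d, manifest, published
```

A vendor signature over the manifest checked against the vendor’s published key (for example with gpg --verify) is the stronger authenticity control; the out-of-band digest stands in for it here so the block runs offline.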
CIP-013-1 Compliance Challenges
When electric utilities and other responsible entities focus on CIP-013-1 compliance, challenges can emerge concerning scoping and vendor relationships.
NERC CIP-013-1 only addresses high- and medium-impact BES cyber systems, and responsible entities must make strategic decisions regarding the scope of their activities in these areas. These decisions could range from simply becoming and remaining compliant to rolling out compliance more broadly, for example to low-impact BES cyber systems as well, and potentially to the complete enterprise. This expanded strategy should deliver higher consistency and greater cyber hygiene across the business in relation to supply chain risks, because the same vendors and products are often used in conjunction with high-, medium-, and low-impact BES cyber systems.
One clear imperative involves ensuring strong, trust-based relationships and meaningful partnerships between vendors and energy players. Organizations such as software vendors and consultants that support power and utilities companies will need to familiarize themselves with the new regulations. These organizations will potentially need to adjust their operations in order to preserve business relationships. Responsible entities also need to know what repercussions vendors that do not comply with the stipulated incident and vulnerability reporting could face, and what form and channel vulnerability and incident notifications between vendors and the responsible entity will take.
Towards NERC CIP-013-1 Compliance
Although we are still in the first days of 2020, July 1st will come sooner than you think. It is high time that utilities and other energy players acted to meet CIP-013-1 compliance.
Responsible entities should develop a strategy. First, determine CIP-013-1 responsibility and ownership in terms of the business and the compliance organization. Second, begin a dialogue with key stakeholders and vendors on the impact CIP-013-1 compliance will have on their organizations. Third, make sure the organization has enough time to define and implement the new controls and to demonstrate evidence of compliance within the enforcement timeframe.
The core of any CIP-013-1 initiative is the team assembled by a responsible entity to achieve supply chain cybersecurity compliance. This team operates best if a responsible entity’s executives provide oversight and sponsorship regarding its governance and steering.
It also makes sense to align all NERC CIP-013-1 compliance efforts with the architectures and strategies of other organizational cybersecurity and risk programs, such as those based on NIST guidance, SANS Institute guidance, and the IEC/ISA 62443 standards.
In addition to the CIP-013-1 standards, several other important supply chain requirements appear in CIP-005-6 and CIP-010-3 regarding the governance of vendor remote access and the verification of the source and integrity of procured software. Responsible entities can also gain critical insights regarding cybersecurity automation from the broader NERC CIP compliance program on topics such as ensuring that evidence collection follows the leading practices developed through prior cycles of regulatory auditing.
For many organizations, NERC CIP-013-1 will necessitate a shift in cybersecurity priorities. While internal controls like firewalls and incident detection and response are important, they don’t always protect the organization from attacks that begin in the systems of third parties. When vendors have access to power and utilities companies’ systems, a successful attack on a vendor can quickly lead to a successful attack on that company. For this reason, a new focus on assessing, monitoring, and improving the cybersecurity of critical third parties is required.
Organizations should put mechanisms in place to validate and verify that vendors meet CIP-013-1 controls and that they proceed through supply chain procedures with a minimum of manual monitoring. They should also automate audits as much as possible, standardizing and orchestrating evidence-gathering processes and the associated tools.
Establishing a robust change control program will be crucial for ongoing maintenance and governance of the initiative. The program should clearly identify, approve, and document all modifications and updates made to BES high- and medium-impact cyber systems and associated technologies. Additionally, the change control process should identify and document the retirement of BES cyber systems and the removal of vendors from an approved vendor list.
Organizations Trust Tripwire for NERC CIP Compliance
Complying with NERC CIP-013-1 is an important first step in safeguarding the nation’s electric infrastructure from cyberattacks that originate among supply chain vendors. Taking steps early on to ensure sustainability and developing a coherent strategy can make compliance a solid foundation upon which to establish additional tailored supply chain cyber protections.
Tripwire has helped registered entities achieve and maintain NERC CIP compliance since 2008. As a recognized leader in solutions for IT and OT security and compliance, Tripwire has extensive experience helping customers automate compliance for numerous standards across almost any device, platform and system.
With the Tripwire NERC Solution Suite, electric utilities have a comprehensive solution—from products to customized extensions and content and expert consulting—to help them automate and simplify NERC compliance.
By meeting NERC compliance, these companies take important steps towards securing their IT/OT systems against inadvertent misuse and intentional, malicious attacks. In turn, these secure systems help these companies ensure the reliability of North America’s bulk electric system.
To learn more, download this short executive brief to get the need-to-know details on NERC CIP-013 cybersecurity best practices from Tripwire.