NERC CIP Cybersecurity Regulations Take Effect October 2020 – What You Need to Know About Your Electric Grid Supply Chain Cybersecurity Planning
Half of all cyberattacks are aimed at supply chain partners. Attackers want to gain access to any valuable systems, including those of third-party partners and suppliers, and/or to exploit these partners and suppliers in order to gain entry to otherwise well-protected electrical grid systems. Cyberthreats are one of the biggest issues facing global supply chains in 2020, following the uptake of connected technologies and the subsequent expansion and diversification of supply chains. Because of this, cyber-related vulnerabilities in the electric grid supply chain present a "clear and present danger" to US national security. The importance of grid cybersecurity was highlighted in December 2015 when hackers attacked Ukraine’s power grid and knocked out power to customers of three distribution utilities in western Ukraine for several hours – the first cyberattack known to have caused a blackout. Another wake-up call occurred in March 2018 when officials at the U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) confirmed Russian government cyber actors had penetrated the computers of multiple U.S. electric utilities in a 2017 campaign, gaining remote access to energy sector networks.
Power grid implications
Cyberattacks on the power grid are likely to have catastrophic effects, as virtually everything and everyone relies on the ubiquity of electricity for heating, communication, mobility, healthcare, etc. Driving an escalating risk is the increasing sophistication of the grid, where information technology (IT) and operational technology (OT) systems are converging to make the grid more automated and efficient, but also opening up new cyber vulnerabilities and threats. On the OT side, for example, critical cyber assets include smart grid devices, smart meters, protective relays, outage and restoration software and more. On the IT side, supply chain items that could expose a utility and the electric grid to cyberattacks include customer service systems, telephone and electronic communications, physical security systems and any interfaces with operations systems, as well as general day-to-day IT infrastructure and use.
As a result, utility regulations are starting to demand more robust third-party and supplier risk management. However, according to the "State of the Electric Utility 2020" report, 37% of U.S.-based power and utilities (P&U) organizations claim to have not completely implemented cybersecurity programs in their organizations, much less supply chain risk management. Supply chain security is an important consideration that is not covered in many organizations’ cybersecurity programs today, and here’s why:
- It is difficult to assess where the biggest cyber risks exist in the supply chain.
- A lot of organizations struggle to pinpoint the supplier with flaws in their security posture amongst the full set of suppliers in complex global, multi-tier supply chains.
- It is overwhelming to scope and address the risks involved.
- How to quantify and mitigate the risk of, for example, a data breach originating from a third-party component?
- It is challenging to have full, consistent visibility.
- Some suppliers may see their security practices as proprietary, limiting visibility for the procuring or end user organization. And where such information is available, buyer organizations are likely faced with different security credentials per supplier.
Regulations are quickly approaching
The bulk energy system is an ideal target of malicious attacks because the compromise of generation and transmission facilities and their cyber-physical equipment has the potential to produce the most severe and detrimental consequences. Because of this, the White House on May 1 of this year issued Executive Order (EO) 13920 on Securing the U.S. Bulk Power System, and the U.S. Department of Energy (DOE) has issued a request for information to collect feedback for proposed rulemaking expected as soon as September. The regulation would focus on cybersecurity metrics, as well as foreign ownership and control, alongside, and as part of, the federal acquisition process and North American Electric Reliability Corporation-Critical Infrastructure Protection (NERC-CIP) standards.
The Federal Energy Regulatory Commission has implemented a new regulatory requirement for the bulk energy system, NERC CIP-013-1, which goes into effect in October 2020 and increases utilities’ responsibility to evaluate the cybersecurity of their third-party vendors and partners as part of supply chain risk management.
NERC CIP-013-1 requires power and utilities organizations to develop and implement documented supply chain cybersecurity risk management plans, and to have these plans reviewed and approved by the CIP senior manager or a delegate at least once every 15 calendar months. Plans should include:
- Processes used in procurement planning to identify and assess cybersecurity risk
- Notification by the vendor of vendor-identified incidents related to the products or services provided that pose cybersecurity risk
- Coordination of responses to vendor-identified incidents related to the products or services provided
- Notification by vendors when remote or on-site access should no longer be granted to vendor representatives
- Disclosure by vendors of known vulnerabilities
- Verification of software integrity and authenticity of all software and patches provided by the vendor
In short, NERC CIP-013-1 focuses on software integrity and authenticity, vendor access, as well as vendor risk management and procurement controls. Suppliers or vendors in scope for these requirements include those who develop and supply hardware and software, in addition to any system integrators and/or suppliers or vendors who administer and maintain systems on behalf of utilities.
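The last plan item above, verifying the integrity and authenticity of vendor-supplied software and patches, is the one that most directly turns into a technical control at the receiving utility. The following is an added example, not code from the article or from UL, and it does not model how the UL Supplier Cyber Trust Level assessment works. It assumes a vendor that publishes a SHA256SUMS-style manifest of digests for each delivery and authenticates that manifest with an HMAC-SHA256 tag under a key exchanged out of band; the HMAC is a constructed stand-in for the digital signature a vendor would normally apply, and the file names, file contents and key are all constructed sample values. The verifier checks authenticity first (a manifest that does not authenticate rejects the whole delivery), then integrity of every delivered artifact, then completeness (nothing extra, nothing missing), and returns findings suitable for the incident coordination the other plan items call for.

```python
"""Verify vendor-supplied software and patches against an authenticated manifest.

Added example for the CIP-013-1 plan item "verification of software integrity
and authenticity". Assumptions (not from the article or from UL):
  - the vendor publishes a manifest with one SHA-256 digest per artifact;
  - the manifest carries an HMAC-SHA256 tag under a key received out of band,
    a constructed stand-in for the vendor's digital signature.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample key, standing in for out-of-band key material from the vendor.
VENDOR_MANIFEST_KEY = b"constructed-demo-key-not-for-production-use"

# Constructed sample artifacts: the bytes of files the vendor delivered.
DELIVERED_FILES: Dict[str, bytes] = {
    "relay-firmware-2.4.1.bin": b"\x7fRELAY\x00firmware image v2.4.1 (constructed)",
    "hmi-patch-2020-09.zip": b"PK\x03\x04 hmi patch september 2020 (constructed)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> str:
    """Render a SHA256SUMS-style manifest: '<hex digest>  <filename>' per line."""
    return "".join(f"{sha256_hex(b)}  {name}\n" for name, b in sorted(files.items()))


def sign_manifest(manifest: str, key: bytes) -> str:
    """Vendor-side tag over the manifest text (stand-in for a signature)."""
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()


def parse_manifest(manifest: str) -> Dict[str, str]:
    """Map filename -> expected lowercase hex digest."""
    expected: Dict[str, str] = {}
    for line in manifest.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, name = line.split(None, 1)  # split on the first run of whitespace
        expected[name] = digest.lower()
    return expected


def verify_delivery(files: Dict[str, bytes], manifest: str, tag: str,
                    key: bytes) -> Tuple[bool, List[str]]:
    """Return (accepted, findings).

    Accept only if the manifest authenticates AND every delivered file matches
    its listed digest, with no unlisted extras and no listed files missing.
    """
    findings: List[str] = []
    # 1. Authenticity: an unauthenticated manifest rejects the whole delivery.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, ["manifest authentication failed: reject entire delivery"]
    expected = parse_manifest(manifest)
    # 2. Integrity: each delivered artifact must match its listed digest.
    for name, data in files.items():
        if name not in expected:
            findings.append(f"{name}: not listed in manifest (unexpected artifact)")
        elif not hmac.compare_digest(sha256_hex(data), expected[name]):
            findings.append(f"{name}: SHA-256 mismatch (corrupted or altered in transit)")
    # 3. Completeness: everything the vendor listed must actually be present.
    for name in expected:
        if name not in files:
            findings.append(f"{name}: listed in manifest but not delivered")
    return (not findings), findings


def demo() -> Tuple[bool, bool, bool]:
    """Run the verifier over a clean delivery, an altered artifact, and an
    altered artifact shipped with a re-generated but unauthenticated manifest."""
    manifest = build_manifest(DELIVERED_FILES)
    tag = sign_manifest(manifest, VENDOR_MANIFEST_KEY)
    ok_clean, _ = verify_delivery(DELIVERED_FILES, manifest, tag, VENDOR_MANIFEST_KEY)

    altered = dict(DELIVERED_FILES)
    altered["relay-firmware-2.4.1.bin"] += b"\x90"  # one extra byte in transit
    ok_altered, _ = verify_delivery(altered, manifest, tag, VENDOR_MANIFEST_KEY)

    # A manifest regenerated to match the altered file still fails, because the
    # tag was computed by the vendor over the original manifest only.
    regenerated = build_manifest(altered)
    ok_regen, _ = verify_delivery(altered, regenerated, tag, VENDOR_MANIFEST_KEY)
    return ok_clean, ok_altered, ok_regen


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The order of the checks matters: the manifest's authenticity is confirmed before any digest in it is trusted, so a delivery whose manifest was regenerated to match altered contents is still rejected. The findings list is what a procurement or security team would attach to the vendor incident coordination record the plan also requires.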
How to mitigate cybersecurity risks lurking in the electric grid supply chain
Against a backdrop of the EO, in addition to the expected DOE regulation and NERC CIP-013-1 taking effect, it’s of paramount importance for utilities to assess internal and supply chain security, and start internal conversations with affected departments such as procurement. Utilities should standardize and align vendor assessment questionnaires with a chosen risk management framework, using this to establish a common security and risk understanding with third party suppliers. Any gaps or vulnerabilities found should be categorized and mitigated as appropriate, utilizing a formal process for the identification of vendor risk and incident response.
At UL, we have extensive expertise in helping organizations manage the cybersecurity of their supply chains and can support an organization’s procurement needs to help suppliers and vendors better demonstrate the robustness level of their security practices. The UL Supplier Cyber Trust Level solution has been developed to help utilities and their suppliers manage the cybersecurity of their respective supply chains. It satisfies requirements of the new NERC CIP-013-1 regulation such as vendor risk management, secure hardware and software development, incident notification, vulnerability disclosure, and software integrity and authenticity, while also aligning to leading industry standards.
The UL Supplier Cyber Trust Level analyzes a supplier’s security practices across multiple trust categories, resulting in a documented supplier Trust Level rating. This rating demonstrates the robustness of a supplier’s security practices across the software and hardware development life cycle, hosted systems, information management systems and their third-party management, among others.
There is currently no single certification or framework on the market that adequately addresses the complexities of securing an organization-wide supply chain. Individual, separate security industry standards and certifications often address only a portion of the overall cybersecurity posture of an organization, which means they do not address other security aspects that are often critical for the supply chain. For example, many standards or frameworks address either IT or OT security, rather than taking the holistic approach that is needed in today’s complex environments. The UL Supplier Cyber Trust Level reviews a supplier’s or vendor’s organizational security practices, and also reviews how they develop their products and software, leveraging secure development life cycle and related industry best practices for ensuring, for example, that software is free from known vulnerabilities.
The UL Supplier Cyber Trust Level assessment enables a holistic view of a supplier’s security posture, while providing a fair and consistent evaluation for organizations of the cybersecurity posture from supplier to supplier. The UL Supplier Cyber Trust Level leverages security controls from many well-known industry best practices, standards and frameworks, including National Institute of Standards and Technology (NIST) cyber supply chain risk management, European Union Agency for Cybersecurity (ENISA) supply chain attacks, NERC CIP-013-1 standard, International Electrotechnical Commission (IEC) 20243-1, 62443-4-1 and 62443-2-4 standards and International Organization for Standardization (ISO) 27001 standard, among others.
UL is actively engaged in the industry and in educating utility stakeholders regarding cybersecurity risks and solutions. This includes collaboration with the North American Transmission Forum (NATF) and mapping UL’s Supplier Cyber Trust Level to the NATF Cyber Security Supply Chain Criteria for Suppliers, as well as actively discussing with and advising other important industry stakeholders.
To learn more about UL’s Supplier Cyber Trust Level solution for IoT supply chains, click here.