Your Top Five Cyber Risks in Five Clicks with the Free Cyber Risk Analysis

FREE RISK ANALYSIS
Request Demo

Vendor Risk Management, Energy & Utilities

Guidance for CIP-013: Effective Date, Guidelines, and Enforcement

down-arrow

Updated April 2, 2020 - Latest NERC CIP-013 Guidance

NERC CIP-013 Overview

On July 21, 2016, the Federal Energy Regulatory Commission (FERC) issued Order No. 829, directing the North American Electric Reliability Corporation (NERC) to develop a new or modified “Reliability Standard”. This new standard would govern third parties, or supply chain risk management (SCRM) in the power and utilities sectors. The new NERC supply chain risk management standard would cover industrial control system (ICS) hardware, software, and computing and networking services associated with the Bulk Electric System (BES).

By the fall of 2018, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standard, “NERC CIP-013-1,” was released, establishing new cybersecurity requirements for organizations in the power and utilities sectors. NERC’s CIP-013 standard mandates that power and utilities secure their global supply chain by holding their vendors to cybersecurity requirements. With CIP-013 enforcement and deadlines around the corner, organizations are looking for solutions that provide them the most visibility across their supply chain with the fastest time to value.

In order to mitigate risks in the global supply chain, and mitigate supply chain disruption caused by cybersecurity risks, responsible entities in the power and utilities sectors must come together and use this regulation as a means to protect the Bulk Electric System (BES) as a whole.

This new CIP-013 supply chain risk management regulation limits power and utilities’ exposure to third-party cyber risks as they expand business in a predominantly digital age. Thus, the standard and upcoming effective date impacts all entities in the power and utilities industry, requiring them to focus on assessments, risk measurement, risk management, and cybersecurity best practices across numerous vendors.

What Organizations Must Comply with the CIP-013 Requirements?

This NERC regulation focuses on suppliers for strong reasons, as the electric grid remains one of the largest targets of cyberattacks and remains a top focus for critical infrastructure security. Unfortunately, when an attacker successfully breaches a supplier, the same attacker can easily attack the larger P&U organization in many cases.

According to NERC, “The security objective [of the CIP-013 regulation] is to ensure entities consider cyber security risks to the BES from vendor products or services.” 

The risks addressed in CIP-013-1 are highly specific to supply chain risk management. Power and utility organizations must develop and implement CIP-013 plans with an activity that identifies vulnerabilities in the supply chain and mitigates them. These programs have to be created by the organizations themselves, with optional guidance from advisories and management capabilities from solutions that support CIP-031 compliance, at scale, with multi-tenant functionality. 

The cybersecurity SCRM requirements outlined in CIP-013 aim to improve security against increasing attacks that target supply chains, especially in the electric power and utilities sectors. These requirements also cater to organizations with a vast number of vendors, or third parties, that provide services and solutions that allow them to reliably support the BES. Thus, the impact of CIP-013 on both power and utilities organizations and their vendors could be significant.

P&U organizations are the most obvious entities that must adopt the NERC regulatory standard. Other organizations, however, could also fall under the regulation, such as software vendors that support these critical infrastructure organizations, and consultants that advise them. These entities should educate themselves on CIP-013 and other P&U-focused regulations as they serve these sectors, because they may need to adjust their information security strategies to maintain partnerships in the P&U industry. 

Power and utilities organizations have already begun addressing CIP-013 compliance, partnering with system integrators specializing in P&U advisory and solution providers like CyberSaint

What is the NERC CIP-013 Effective Date?

Although the CIP regulation was approved in the fall of 2018, this critical infrastructure protection (CIP) standard is enforceable starting on July 1, 2020. Organizations are currently using this few-month push as a forcing function to create a robust supply chain risk management program and to leverage solutions like CyberSaint to mitigate cyber risk.

There is a gradual rollout of the regulation, but even the months provided are where most organizations are catching up on supply chain risk management best practices. P&U organizations will soon need to prove compliance across their global supply chains - within 18 months of the NERC CIP-013-1 effective date, they have to be confident in their proof of compliance to avoid penalties.

CIP-013 solutions, such as integrated risk management solutions and especially those with strong metrics and evidence organization functions such as CyberStrong, are in high demand from P&U companies who want to get compliant quickly and effectively without taxing their teams through a spreadsheet-based assessment of their supply chain.

What is the Penalty for Non-Compliance Against CIP-013?

For each outstanding violation of the CIP-013 requirements, NERC is authorized to fine organizations up to $1 million per day.

This large penalty may seem extreme to some, but the value of protecting the Bulk Electric System is even greater. In addition, the supply chain is a massive focus for cybercriminals targeting critical infrastructure, and with the increasing amount of cyber incidents that occur, it is clear that better supply chain risk management is needed. Some examples of attacks that are pervasive in P&U supply chains include cyberterrorist attacks on third-party websites, and in a recent case, nation states sneaking rice-sized microchips into servers provided by industry leaders on which many of the largest power and utility companies rely.

Reasons for enforcement actions include incomplete or insufficient evidence of compliance, nonconformance to established policies and procedures within the organization, and unintended disclosure of sensitive information.

What Does CIP-013 Implementation Include?

Some of the requirements included in NERC CIP-013-1 include:

- Implementing controls that limit exposure to Malware
- Implementing controls that limit exposure to tampering
- Vendor procurement guidelines
- Vendor permissions
- Vendor monitoring

Clearly, the release and near-term enforcement of the new NERC CIP-013-1 regulation will shift focus for P&U information security organizations. 

Supply chain risk management is a clear improvement area for many industries, including the P&U sector. Scoping, assessing, and remediating cyber risk in accordance with CIP-013 will be a new, major focus for vendor risk teams within P&U information security organizations.

These best practices will not only help organizations get ahead of cyber threats but, when supported by solutions like CyberStrong that have rapid time to value and unparalleled visibility across the supplier base, will also help these infosec teams achieve proactive risk management from assessment to Boardroom. Getting to maturity on NERC’s new standard will be critical to the future success of the Bulk Electric System in this age of digitalization and increasing cyber-attacks.

You may also like

How to Leverage the FAIR Model ...
on December 19, 2024

In light of the Colonial Pipeline cyberattack, measuring risk is on everyone’s minds. However, quantifying risk is often not easy. So many factors go into determining and ...

Kyndall Elliott
How to Effectively Communicate Top ...
on December 9, 2024

Effective cybersecurity reporting is more important than ever for CISOs, CIOs, and other security leaders in today's complex threat landscape. Reporting isn’t just about sharing ...

November Product Update
on November 27, 2024

The CyberSaint team has been working hard to deliver the latest updates to streamline and improve our customers’ user experience and address their top-of-mind challenges. We’re ...

Putting the “R” back in GRC - ...
on December 5, 2024

Cyber GRC (Governance, Risk, and Compliance) tools help organizations manage and streamline their cybersecurity, risk management, and compliance processes. These tools integrate ...

October Product Update
on October 17, 2024

The team at CyberSaint is thrilled to announce the latest additions and updates to the CyberStrong solution. To start off, we’ve made it easier to create an assessment and risk ...

Transforming Cyber Risk ...
on October 12, 2024

In today’s complex cyber landscape, managing risks effectively isn’t just about identifying threats—it’s about understanding their impact and knowing how to prioritize ...