In honor of International Data Privacy Day, celebrated annually on January 28, companies around the world are pausing to reflect on best practices for data security. For federally-regulated energy utilities and service providers, “best practices” are rapidly evolving to include supply chain risk management protections for the nation’s bulk electric system (BES).
While the global supply chain affords significant benefits to electric customers, it also creates significant opportunities for cybercriminals to affect the operations of the BES and to access customer data. In light of these risks, the Federal Energy Regulatory Commission (FERC) recently approved new mandatory Reliability Standards to mitigate third-party cyber risks associated with the supply chain for grid-related cyber systems. Effective July 1, 2020, the new standards augment the current Critical Infrastructure Protections (CIP) to require that covered facilities implement a plan to protect grid infrastructure and customer data through supply chain security controls. Following the 18-month implementation period, covered facilities without such a plan will be in violation of the new Reliability Standard, and may be subject to substantial penalties assessed by the North American Electric Reliability Corporation (NERC, the FERC-designated Electric Reliability Organization).
FERC Continues Key Cyber Efforts with New Supply Chain-Related Reliability Standards
FERC repeatedly has recognized the customer benefits of a robust global energy supply chain, including reduced rates, improved interoperability, rapid innovation, and a wide variety of energy product features and choices. Despite these benefits, FERC determined in 2016 that supply chain risks to cybersecurity and customer data privacy are significant due to the ever-increasing threat of “insertion of counterfeits or malicious software; unauthorized production, tampering, or theft; as well as poor management and development practices.” Based on this determination, FERC issued Order No. 829 on July 21, 2016, directing NERC to develop reliability standards addressing supply chain risk management for industrial control system hardware, software, and computing and networking services. By Order issued October 18, 2018, FERC subsequently approved NERC’s newly developed standard, CIP-013-001: “To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems.”
With an effective date of July 1, 2020 plus an 18-month implementation period, this standard applies to balancing authorities as well as transmission and generation owners and operators. Effectively, this implicates all cyber systems associated with medium- and high-impact BES facilities (i.e., large generation and transmission). In keeping with this 2020 rollout, FERC recently vowed to prioritize supply chain management challenges by naming “Supply Chain/Insider Threat/Third-Party Authorized Access” as one of five “focus areas” for federal energy regulators in the New Year. In particular, FERC has stated that staff will closely monitor supply chain security plan development and implementation pursuant to the new standard.
New CIP Requirements Emphasize Due-diligence, Preparedness
To satisfy CIP-013-001, covered facilities must independently design and practice a security plan to include processes for mitigating cybersecurity risks in the supply chain—activities such as procuring and installing vendor equipment, products, and services. In general, the standard is designed to address multiple cybersecurity objectives, and plans must reflect consideration of all NERC-specified issues. Plans must also reflect principles of adaptive management, and provide for periodic reassessment of vendor relationships and vulnerabilities.
In particular, plans must describe the facility’s internal process to:
- Conduct vendor due-diligence, including internal policies that require vendors to provide an independent assessment, from an auditor, to evaluate the vendor’s activity-specific controls and tests for meeting minimum security criteria;
- Evaluate the auditor’s qualifications and cybersecurity frameworks used to perform the vendor assessment, ensuring that all third-party assessments are performed by auditor(s) with appropriate independence, credentials, and sufficient understanding of cyber security supply chain risk in the electric industry;
- Evaluate the scope and the results of all third-party, independent assessments;
- Document its evaluation of the independent auditor’s qualifications, methodology, scope of the review, and conclusions to determine what existing or additional mitigating actions are appropriate to manage risk; and
- Document existing and additional mitigating actions.
For most facilities, the push to meet these new requirements must begin immediately. Those without complete programs or sufficient evidence of compliance within 18 months of the effective date face significant enforcement action: for each outstanding violation, NERC is authorized to fine organizations up to $1 million per day.