On January 19, 2017, the North American Electric Reliability Corporation (“NERC”) released a draft Reliability Standard CIP-013-1 – Cyber Security – Supply Chain Risk Management (the “Proposed Standard”). The Proposed Standard addresses directives of the Federal Energy Regulatory Commission (“FERC”) in Order No. 829 to develop a new or modified reliability standard to address “supply chain risk management for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations.”
The Proposed Standard requires each affected entity to develop and implement a cybersecurity risk management plan that addresses the following security objectives: (1) software integrity and authenticity, (2) vendor remote access, (3) information system planning and (4) vendor risk management and procurement controls.
NERC will host a webinar on February 2, 2017 to discuss the Proposed Standard and respond to questions from webinar participants. A formal comment period for the Proposed Standard is now open and will remain open through 8 p.m. ET on Monday, March 6, 2017. NERC must file the final version of the Proposed Standard with FERC by September 27, 2017.