On October 1st, 2020 the NERC CIP-013-1 cybersecurity supply chain risk management standard will come into effect – with the date recently changed from July 1st. This means power & utility (P&U) companies will have 18 months to demonstrate compliance, with increased monitoring and oversight of their global supply chains. Failure to do so can result in fines of up to $1M per day.
Energy organizations should now focus on addressing specific third-party cybersecurity risks, such as the insertion of counterfeit components into cyber assets, vendor remote access vulnerabilities and insecure vendor development practices. This blog looks at some key points of the standard and how TPRM technology can help ensure supply chain compliance.
Introducing NERC CIP-013-1
CIP-013-1 is an update to the Critical Infrastructure Protection (CIP) standard, which includes a set of regulatory requirements “to mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES)”. Because global cyber threats keep evolving, standards of this kind are periodically updated and extended in scope.
The new version was issued by the North American Electric Reliability Corporation (NERC), and approved by the Federal Energy Regulatory Commission (FERC) on October 18, 2018.
Electric power and utilities organizations will now have to comply with new requirements in order to improve security against an increasing number of attacks that target supply chains, particularly those involving third-party providers. The new standards will help utility companies protect bulk electric systems by limiting their exposure to malware, tampering, and other cyber risks that can originate with third-party relationships.
The new requirements
- Organizations will have to develop and implement a security supply chain risk management plan for High and Medium impact BES Cyber Systems.
- The plan will have to be reviewed every 15 calendar months by a CIP Senior Manager.
- Mandatory elements focus on software integrity and authenticity, information system planning and procurement, vendor remote access to BES cyber systems, and vendor risk management and procurement controls.
The CIP standard carries severe penalties for noncompliance. In fact, NERC can penalize registered entities up to $1 million per day per outstanding violation.
It’s important to understand that third parties themselves will also need to familiarize themselves with CIP-013-1 in order to preserve business relationships with P&U companies.
Preparing for compliance and considering third-party risk
You could start by determining ownership of CIP-013-1 within your organization and kick off the dialogue with key stakeholders and suppliers on the impact of the regulation. As with other compliance and strategic projects, the key is communication. And then comes technology.
Electric utilities and other responsible entities need the right tools to not only identify these risks in their supply chain, but also determine the right approach to respond. Our ThirdPartyTrust platform automates third-party risk management throughout the global supply chain, applying comprehensive due diligence and ongoing monitoring to all third-parties and the various geo-political climates in which they operate.
This is especially important in the context of NERC CIP-013-1 because, while internal controls like firewalls and threat detection are important, they don’t always protect the organization from attacks that begin in the systems of third parties. For this reason, a new focus on assessing, monitoring, and improving the cybersecurity of critical third parties is required.
By leveraging the security profiles of 8,000+ third-parties already assessed in our network, organizations can speed up assessments and open threads for immediate response. This allows for custom streamlined assessments to ensure both internal policy and industry regulation compliance, such as CIP-013-1.
At ThirdPartyTrust, we offer a reliable third-party risk management (TPRM) system that automates the capture and processing of security issues and non-compliance with the FERC and NERC.
To learn more about how ThirdPartyTrust can help you streamline your TPRM program and comply with industry standards, request your free trial now: