How Utility InfoSec Teams Need to Prepare for CIP-013 Regulations

Whistic
Nov 19, 2019

The North American Electric Reliability Corporation (NERC) is a regulatory authority for much of North America’s bulk power system, serving over 334 million people. They have enacted a set of regulations (CIP-013) that will go into effect on July 1, 2020.

Utility companies are scrambling to deal with these regulations, which focus primarily on the security of their cyber supply chain, composed of third-party vendors. A central concept in this regulation is C-SCRM: Cyber Supply Chain Risk Management.

In this article, we’ll examine what Cyber Supply Chain Risk Management is, how the NIST C-SCRM program relates to third-party assessments, and what InfoSec teams need to do NOW to prepare.

What is Cyber Supply Chain Risk Management?

Information and operational technology (IT/OT) relies on a complex, globally distributed, and interconnected supply chain ecosystem to provide highly refined, cost-effective, and reusable solutions. NIST cautions organizations that they are at incredible risk of a supply chain compromise — whether intentional or unintentional.

Because of the complexity and risk involved in supply chain management, the concept of Cyber Supply Chain Risk Management (C-SCRM for short) was introduced. C-SCRM is the process of identifying, assessing, and mitigating the risks that arise from the distributed and interconnected nature of IT/OT product and service supply chains.

NIST began its C-SCRM program in 2008, when it started developing C-SCRM practices for non-national-security systems in response to Comprehensive National Cybersecurity Initiative (CNCI) #11, “Develop a multi-pronged approach for global supply chain risk management.”

In the more than 10 years since the program was introduced, NIST has worked with stakeholders across many industries to review supply chain risk management tools, technologies, and standards of practice.

CIP-013 / C-SCRM & Third-Party Assessments

While malicious human interference is certainly a major factor in cyber supply chain risks, there are other factors that play a major role. The Congressional Research Service also names natural disasters, poor quality assurance and engineering practices from vendors, and an entity’s own business practices as major threats.

These threats, whose consequences can be just as severe as those of malicious behavior, are why CIP-013 and C-SCRM also aim to improve defenses against the growing number of attacks that target supply chains, particularly those involving third-party providers.

Penalties For CIP-013 Non-Compliant Utility Companies

What happens if a utility company isn’t compliant with the new set of regulations by the time July 1st, 2020 rolls around? NERC is authorized to penalize registered entities up to $1 million per day per outstanding violation. Between 2016 and 2018, multiple penalties were levied, reaching as high as $2.8 million for a single violator.

Deloitte warns that penalties could run even higher because reported penalty amounts don’t account for money spent by entities to remediate the violations.

4 CIP-013 Preparedness Tasks For Utility Companies

While July 2020 may seem months away, utility companies need to begin preparation NOW, as these steps can take weeks or even months to complete. Here are 4 preparedness tasks to make sure your utility company is ready for the regulations:

  1. Determine the impact to your supply chain management: Do you know how many vendors you have, their primary function, and what data and systems they have access to? Understanding this is a key first step to preparing for CIP-013.
  2. Define your plan of action: Do you have existing data on the compliance of each vendor? When was the last time this was updated? If you haven’t assessed your vendors, do you have a plan (and a team) for tackling that project?
  3. Conduct your assessments: Whether you’re starting from scratch or improving an existing process, Whistic can expedite your review process and allow you to quickly prioritize the vendors that need more attention based on an initial assessment. Whistic’s vendor risk management platform provides the collaboration, automation, and review features needed to significantly cut the time it takes to review a vendor.
  4. Get started: talk to a Whistic representative today!

If you’re interested in learning more about how you can efficiently conduct, review, and even respond to security questionnaires in the same platform, schedule a Whistic demo today.
