Complying with a mandate doesn’t eliminate risk. However, the effort you put into complying can improve your processes. That’s the assessment after attending a webinar featuring Patrick Miller, Managing Partner of Archer Energy Solutions.
The mandate discussed is NERC CIP-013-1 Cyber Security – Supply Chain Risk Management. NERC stands for North American Electric Reliability Corporation. NERC's standard, CIP-013-1, is designed to mitigate cybersecurity risks to the reliable operation of the Bulk Electric System by implementing security controls for supply chain risk management of BES Cyber Systems.
NERC CIP-013-1 is the sector’s answer to supply chain cybersecurity risk management. Rapidly advancing technologies have created both opportunities and risks. Many innovations, such as consumers selling energy back to utilities, have come directly from technology adoption. That said, the utility supply chain has historically been a weak point, and cyber risk has made it weaker still. The risk of espionage by a nation-state or an industrial competitor is a clear and present danger. A hardware supplier, for example, could unknowingly create a back door into a utility through a compromised component installed on the network.
Growing cyber risk prompted NERC to release CIP-013-1 and require compliance by utilities and utility vendors. The webinar offered optimism with a dose of realism. Being about electricity, the webinar guidance is illuminating.
Here are five webinar highlights on CIP-013-1’s impact that you can apply to your utility or vendor’s supply chain risk management program:
1. Step up your assessments
CIP-013-1’s requirement to address cyber risk in the supply chain will demand that utilities assess vendors and their products and services. Vendors will need to give utilities a more granular level of visibility. To facilitate this information exchange, utilities can take advantage of frameworks and technology for managing assessments. On the vendor side, compiling a database of answers to standard assessment questions makes responding more efficient.
2. Roll up your sleeves after the assessment
Whether you send or receive the assessment, answers and findings are only the beginning. The real work is in the adjustments coming from the assessment. If a vendor discloses a vulnerability or incident, what’s your mitigation and remediation process as a utility? For vendors, self-reflection through assessment questions often leads to changing processes, which takes time and effort.
3. Embrace a framework and pick up the lingo
There’s no need to reinvent the wheel. There are a tremendous number of resources available on supply chain risk management. Whether you are a utility or a vendor, embracing a common framework and lexicon helps the two parties understand each other. Supply chain security frameworks and resources include BSI’s BS ISO 28000:2007, the NIST CSF, NIST SP 800-161, and SANS.
4. Expect higher costs and longer timelines
Implementing a supply chain risk management program to meet the CIP-013-1 mandate will slow the procurement process and increase costs because of the added administrative overhead and rules. Utilities and vendors need to prepare company leaders to expect cost and time increases during this transition period. The good news: costs will moderate, and timelines will improve over time.
5. Be the solution, not the problem
Many utilities and vendors will be reluctant, even combative, about adopting risk management practices to address cyber risk in the supply chain. Review the standard and understand what it means for your organization. Cyber risk shouldn’t be ignored.
The cyber threat to the electric industry’s supply chain is real, but it is also manageable with the right technology. The key? Embrace the NERC standard, which is designed to serve both utilities and vendors and to empower cyber risk management in the supply chain.
See how NAVEX One solves compliance and risk management – so companies can stay compliant with NERC CIP-013-1.