January/February 2021 | Vol. 26 No. 1

by Steve Griffith, Industry Director, NEMA

Among the many North American Electric Reliability Corporation (NERC) Standards, few get as much attention as those for critical infrastructure protection (CIP).

NERC is the Federal entity responsible for overseeing the bulk electric system (BES) for  North America. NERC developed the CIP Standards to apply specifically to the cybersecurity aspects of the BES. These Standards define the reliability requirements for planning, operating, and protecting the North American bulk power supply system.

There are 10 fundamental requirements within the NERC CIP Standards:

1. Identification and Classification: BES are identified, categorized, and defined as a grouped set of cyber assets. Cyber assets are programmable electronic devices also capable of holding data.
2. Security Controls: Clear accountability is needed to protect BES cyber systems.
3. Background Checks and Training: Train staff and contractors appropriately to reduce BES cyber systems’ exposure to associated cyber risks.
4. Electronic Security: Create electronic security perimeters around cyber assets.
5. Physical Security: Define operational and physical controls in a physical security plan,a visitor control program, and a maintenance and testing program.
6. System Security: Apply specific technical, operational, and procedural elements such as security patch management, malicious code prevention, and system access controls.
7. Incident Management: Have a clear and planned incident response plan to help mitigate the risk to a BES cyber system’s efficient and reliable functioning.
8. Recovery Plan: Define requirements in support of the recovery phase from a cybersecurity incident that has affected the BES cyber systems’ reliable functioning.
9. Configuration and Vulnerabilities: Set clear requirements for preventing and detecting any unauthorized changes and achieve this through system configuration controls and active testing for system vulnerabilities.
10. Information Protection: Identify specific types of information that could affect the reliable functioning of the BES if misused.

The NERC CIP Standards also contain numerous sub-Standards that give detailed information and direction on which appropriate methods to use for proper compliance and aspects of enforcement.

SUPPLY CHAIN RISK MANAGEMENT

CIP-013-1, one of the more recent NERC CIP Standards, focuses on mitigating reliable operation risks by implementing security controls for supply chain risk management of BES cyber systems. The CIP-013-1 Standard covers, at a minimum, the following four objectives:

1. Software Integrity/Authenticity: Example controls include patch procedures that ensure they are from the original source and server- side encryption keys with validation processes.
2. Vendor Remote Access: Example controls include operator-controlled, time-limited access; and changing default passwords.
3. Information System Planning: Example controls include a screening criterion to identify high-risk systems or changes, and new system design processes that incorporate layered protections.
4. Vendor Risk Management: Example controls include incorporating risk assessment information in requests for proposals (RFPs) and the establishment of procurement review teams that include CIP personnel.

While the NERC CIP 013-1 Standard is meant to address what is needed in these objectives, it does not describe how to achieve them.

There are several industry Standards and best practices that manufacturers already utilize to mitigate the cyber risks in the supply chain. One of them is the NEMA Supply Chain Best Practices document originally published back in 2015. That document is currently undergoing a revision that includes new sections on market expectations, cyber insurance, and vendor dependencies. It is expected to be published Q1 2021. ei