5 Strategies for Complying with NERC CIP-013-1

Meeting a compliance mandate does not eliminate risk. However, the work you put into meeting it can improve your processes. That’s the assessment after attending a webinar featuring Patrick Miller, Managing Partner of Archer Energy Solutions. 

The mandate discussed is NERC CIP-013-1, Cyber Security – Supply Chain Risk Management. NERC stands for North American Electric Reliability Corporation. CIP-013-1 is designed to mitigate cybersecurity risks to the reliable operation of the Bulk Electric System (BES) by requiring security controls for supply chain risk management of BES Cyber Systems.  

NERC CIP-013-1 is the sector’s answer to supply chain cybersecurity risk management. Rapidly advancing technologies have created both opportunities and risks. Many innovations, such as consumers selling energy back to utilities, have come directly from technology adoption. At the same time, the utility supply chain has historically been a weak point, and cyber risk has made it weaker still. Espionage by a nation-state or an industrial competitor is a clear and present danger. A hardware supplier, for example, could unknowingly hand an attacker a back door into a utility by shipping a compromised component that ends up installed on the network. 

This growing cyber risk prompted NERC to release CIP-013-1. The standard is enforced against registered responsible entities (the utilities), but its requirements flow down to their vendors through procurement, so both sides have to adjust. The webinar offered optimism with a dose of realism. Being about electricity, the webinar guidance is illuminating. 

Here are five webinar highlights on CIP-013-1’s impact that you can apply to your utility or vendor’s supply chain risk management program: 

1. Step up your assessments 

CIP-013-1’s requirement to address cyber risk in the supply chain will demand that utilities assess vendors and their products and services. Vendors will need to give utilities a more granular level of visibility. To facilitate this information exchange, utilities can take advantage of frameworks and technology for managing assessments. To make the vendor side of the assessment more efficient, vendors can maintain a database of answers to standard assessment questions and reuse it across customers. 

2. Roll up your sleeves after the assessment 

Whether you send or receive the assessment, answers and findings are only the beginning. The real work is in the adjustments that come out of the assessment. If a vendor discloses a vulnerability or incident (CIP-013-1 R1.2 specifically calls for processes covering vendor-identified incidents and vendor disclosure of known vulnerabilities), what’s your mitigation and remediation process as a utility? For vendors, self-reflection through assessment questions often leads to changing processes, which takes time and effort. 

3. Embrace a framework and pick up the lingo 

There’s no need to reinvent the wheel. There is a tremendous amount of material available on risk management in the supply chain. Whether you are a utility or a vendor, adopting a common framework and lexicon helps the two parties understand each other. Supply chain security frameworks and resources include ISO 28000:2007 (security management systems for the supply chain, published in the UK by BSI as BS ISO 28000:2007), the NIST Cybersecurity Framework (CSF), NIST SP 800-161 (Supply Chain Risk Management Practices for Federal Information Systems and Organizations), and SANS materials. 

4. Expect higher costs and longer timelines 

Implementing a supply chain risk management program to meet the CIP-013-1 mandate will slow the procurement process and increase costs because of the added administrative overhead and rules. Utilities and vendors need to prepare company leaders to expect cost and time increases during this transition period. The good news: costs should moderate and timelines should improve as the new processes become routine. 

5. Be the solution, not the problem 

Many utilities and vendors will be reluctant, and some even combative, when it comes to adopting risk management practices that address cyber risk in the supply chain. Review the standard and understand what it means for your organization. Cyber risk shouldn’t be ignored. 

The cyber threat to the electric industry’s supply chain is real, but it is also manageable with the right processes and technology. The key? Embrace the NERC standard, which is designed to serve both utilities and vendors, and use it to strengthen cyber risk management across the supply chain. 

See how NAVEX One solves compliance and risk management – so companies can stay compliant with NERC CIP-013-1. 

