NERC has filed mandatory standard CIP-013-1 for supply chain risk management, requiring controls to mitigate cyber threats and their impact to the reliable operation of the Bulk Electric System. It is important that utilities carefully integrate the required new procurement processes with existing procedures to minimize impacts and maximize effectiveness.
The Key Requirements Include:
- A Cyber Security Risk Management Plan with formal documented operating processes to protect against supply chain risks.
- Security controls for industrial control systems that address software integrity and authenticity; vendor remote access; information system planning; and vendor risk management and procurement controls.
- Risks to cyber systems must be identified and addressed during the planning, acquisition, and deployment phases of the system life cycle.
Utilities should review their processes and systems, track industry developments, identify existing controls, and plan to develop, adopt, and integrate new controls necessary to meet the requirements of NERC’s mandatory supply chain standards.
Bill Hawk
Alan Yankowski
TRC’s Cyber Security Program Manager, Alan Yankowski has 30 years of experience directing complex projects that build and optimize organizational processes, measurement systems and infrastructure in a variety of industries. He has worked on physical and cyber security threat and vulnerability assessments for transit ports, public buildings, utilities and chemical facilities. He is experienced in a broad array of security programs and methodologies, including CFATS, NERC CIP, FEMA 426/452, FEMA 455 IRVS, and FTA. He holds a BA in Chemistry from the University of Rochester.