NERC has filed mandatory standard CIP-013-1 for supply chain risk management, requiring controls to mitigate cyber threats and their impact on the reliable operation of the Bulk Electric System. It is important that utilities carefully integrate the required new procurement processes with existing procedures to minimize impacts and maximize effectiveness.
The Key Requirements Include:
- A Cyber Security Risk Management Plan with formal documented operating processes to protect against supply chain risks.
- Security controls for industrial control systems that address software integrity and authenticity; vendor remote access; information system planning; and vendor risk management and procurement controls.
- Risks to cyber systems must be identified and addressed during the planning, acquisition, and deployment phases of the system life cycle.
Utilities should review their processes and systems, track industry developments, identify existing controls, and plan to develop, adopt, and integrate new controls necessary to meet the requirements of NERC’s mandatory supply chain standards.