Overview:
In July 2016, the Federal Energy Regulatory Commission (FERC) issued Order No. 829, directing NERC to develop a supply chain cyber security risk management standard to protect against cybersecurity threats that arise in the supply chain for hardware and software used to monitor and operate the North American Bulk Electric System (BES).
Since there had so far been only a few true supply chain cyberattacks, FERC’s main motivation for the order was its concern that such attacks were likely to increase, both in number and in impact. This proved prescient: within roughly four years, two truly catastrophic supply chain cyberattacks, NotPetya (2017) and SolarWinds (disclosed in 2020), had caused serious damage worldwide, and many other supply chain attacks in the same period were only slightly less serious.
NERC assembled a team to draft the new standard and shepherd it through the NERC balloting process. The standard was named CIP-013-1. It came into effect on October 1, 2020.
CIP-013-1 was the first NERC standard that included the word “risk” in its title. This was done because FERC, in their Order that mandated the new standard, pointed out that NERC’s traditional prescriptive “one-size-fits-all” approach to new standards couldn’t work when it came to cybersecurity, given the wide diversity of suppliers and products (including hardware, software and services) that were likely to be in scope for the new standard.
Unfortunately, implementation of CIP-013-1 (and of its immediate successor CIP-013-2, which was almost unchanged from version 1) failed to achieve the expected level of improvement in the supply chain security of the Bulk Electric System. One reason is that FERC’s 2016 Order gave NERC only one year to develop the new standard, get it approved by a supermajority of the NERC Ballot Body, and submit it to FERC for approval. That deadline forced the drafting team to make some important compromises in order to get CIP-013-1 approved, and those compromises diminished the effectiveness of the standard.
In October 2024, FERC issued a Notice of Proposed Rulemaking (NOPR) pointing out some deficiencies in the implementation of CIP-013 and requesting comments on improvements that could be made. The deadline for comments was December 2024. It is expected that, before the end of 2025, FERC will issue an Order requiring certain improvements to CIP-013 (these would be made in a new version named CIP-013-3).
Why you should Attend:
CIP-013-1 was one of the first mandatory supply chain cybersecurity standards worldwide; as a result, it contained flaws that FERC is likely to order to be corrected. Assuming that order is issued in 2025, it is unlikely that the new version will be drafted, approved by NERC and FERC, and implemented any sooner than late 2028.
However, FERC’s Notice of Proposed Rulemaking (NOPR) of October 2024 made it clear that FERC had identified three major concerns that would need to be addressed in the next version of CIP-013. Although these met some opposition in the comments received, it is very likely they will survive in FERC’s final Order, whenever it is issued. They are all very sensible concerns. For example, one concern was that CIP-013 contains no explicit obligation for a NERC entity to follow up with a vendor about remediation of negative findings from a cybersecurity assessment conducted by the entity, no matter how severe those findings are. As a result, some NERC entities today do not follow up with a vendor that admits to following clearly deficient security practices.
NERC Entities with high and/or medium impact BES Cyber Systems should start taking FERC’s three concerns into account when they conduct the annual revision of their Supply Chain Cybersecurity Risk Management Plan that is mandated by CIP-013-2 Requirement R1. Even though doing that by itself will not make them more or less compliant than they otherwise would be, it will likely be looked on favorably by CIP auditors – and it will better protect the entity from supply chain cyberattacks.
Areas Covered in the Session:
Who Will Benefit:
People who work in other industries (or for consulting organizations), who would like to hear what lessons can be learned from the power industry’s experience with CIP.
Tom Alrich is an independent consultant and trainer specializing in two important topics:
Compliance with the rigorous NERC CIP cybersecurity standards, which apply to the control systems that monitor and operate the North American power grid. They are enforced by NERC and the Federal Energy Regulatory Commission (FERC) and carry maximum penalties of up to $1 million per violation per day. While these standards have been successful in securing the grid in the 15 years they have been in effect, they are increasingly inhibiting security by preventing many electric utilities and Independent Power Producers from utilizing cloud-based security software and services.
Software vulnerabilities, which “open the door” for the most successful cyber attacks. All software has vulnerabilities. These can never be eliminated, but they can be managed. However, management can only succeed if good data are available on the vulnerabilities themselves, as well as on the software or devices in which they are found. Currently, two big US government programs are essential to providing that data: the CVE Program (sponsored by the US Department of Homeland Security through CISA and operated by MITRE) and the National Vulnerability Database (run by NIST, part of the Department of Commerce). There are currently serious problems with both programs, and both are likely to undergo big changes in the coming years.