NERC CIP Supply Chain Updates

There have been recent updates to the NERC CIP Supply Chain Standard, CIP-013-1, which is still under development: it is not yet approved and remains subject to change before approval. The purpose of the project is to better protect BES Cyber Systems by implementing controls that reduce the risk of compromised vendor hardware and software. The most important changes are:

  1. Low Impact BES Cyber Systems escape! Draft 1 of CIP-013-1 included requirements for Low Impact BES Cyber Systems; draft 2 removes them. That would have been good for security, but requiring Low Impact systems to implement these controls did not fit the industry's risk-based approach: Low Impact systems are Low Impact for a reason, and they should have some controls, just not the same ones as High and Medium Impact systems. High and Medium Impact systems must still implement supply chain security.
  2. Clarifying language was added to Requirement R2 so that entities must follow a process rather than actually get vendors to comply: "Note: Implementation of the plan does not require the Responsible Entity to renegotiate or abrogate existing contracts (including amendments to master agreements and purchase orders). Additionally, the following issues are beyond the scope of Requirement R2: (1) the actual terms and conditions of a procurement contract; and (2) vendor performance and adherence to a contract." On an update call the Standard Drafting Team (SDT) gave the specific example of having a process to ask for supply chain controls when negotiating contracts; it is not a CIP violation if vendors do not agree to those controls and they drop out of the contract during negotiations. The SDT also said contract language would not be in the scope of an audit, only the process. Entities are only required to have a process that tries to get controls into contract language. Success under this standard will therefore come from having the right process, one that covers what it needs to without going too far, much like the Information Protection Program in CIP-011-2.
  3. Requirement R3 (software authenticity) was moved to a new Part in CIP-010-3, Part 1.6. On the webinar someone asked for an example of validating a software source. The SDT responded that one way is to check the SSL certificate on the vendor's web page, validating that the certificate was issued to the vendor and is still valid. For automated patching systems you can rely on the system's specifications: if the specification says the system validates a patch before making it available to you, you can rely on that process and do not have to re-validate the patch yourself. Once a patch has been validated, it can be distributed to multiple machines without being validated again.
  4. Requirement 4 (vendor remote access) was moved to two new Parts in CIP-005-6, Parts 2.4 and 2.5.
  5. The implementation period was changed from twelve (12) months to eighteen (18) months, which is great news for industry: we all have more time to get ready. Remember, though, that with all the different business units that will be affected, it is never too early to start.
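The SDT's example in item 3 (check that the download site's certificate was issued to the vendor and is still valid) and the "validate once, distribute to many" point can be turned into a repeatable check. The following is an added illustration written for this article; it is not code from the original post, from NERC or from the SDT. The vendor host name, organization name, certificate contents and patch bytes are all constructed, and the certificate dict follows the shape Python's `ssl.SSLSocket.getpeercert()` returns (in practice you would take it from a verified TLS connection). The certificate check authenticates the download channel; the digest comparison is what ties the specific file to a value the vendor published, and the registry records the validated digest so later hosts only compare digests.

```python
import hashlib
import ssl

# Hypothetical vendor identity for this example (constructed, not a real vendor).
VENDOR_HOST = "downloads.vendor.example"
VENDOR_ORG = "Example Vendor Inc"

# Constructed peer certificate in the dict shape returned by
# ssl.SSLSocket.getpeercert() on a verified connection.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", VENDOR_ORG),),
        (("commonName", VENDOR_HOST),),
    ),
    "issuer": (
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA R3"),),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", VENDOR_HOST), ("DNS", "*.cdn.vendor.example")),
}

# Constructed patch payload and the digest the vendor is assumed to publish for it.
SAMPLE_PATCH = b"constructed firmware patch payload, not a real vendor file"
PUBLISHED_SHA256 = hashlib.sha256(SAMPLE_PATCH).hexdigest()

# Epoch seconds used as "now" in the example (mid-January 2027, inside the validity window).
VALIDATION_TIME = 1_800_000_000


def _subject_value(cert, attribute):
    """Return the first value of `attribute` in the certificate subject, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == attribute:
                return value
    return None


def _host_matches(pattern, host):
    """Exact DNS match, or a single-label wildcard such as *.cdn.vendor.example."""
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.lower().endswith(pattern[1:].lower())
    return pattern.lower() == host.lower()


def check_certificate(cert, expected_host, expected_org, now):
    """Return a list of findings; an empty list means the certificate passes all three checks."""
    findings = []
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_host_matches(pattern, expected_host) for pattern in sans):
        findings.append(f"host {expected_host} is not covered by subjectAltName {sans}")
    org = _subject_value(cert, "organizationName")
    if org != expected_org:
        findings.append(f"organizationName {org!r} does not match expected vendor {expected_org!r}")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        findings.append("certificate is not within its validity period at validation time")
    return findings


def check_digest(patch_bytes, published_sha256):
    """Compare the downloaded file against the vendor-published SHA-256 value."""
    return hashlib.sha256(patch_bytes).hexdigest() == published_sha256.lower()


def validate_once(registry, patch_name, patch_bytes, published_sha256, cert, now):
    """Full source validation; on success record the digest so later hosts need not repeat it."""
    findings = check_certificate(cert, VENDOR_HOST, VENDOR_ORG, now)
    if not check_digest(patch_bytes, published_sha256):
        findings.append("SHA-256 digest does not match the vendor-published value")
    if findings:
        return findings
    registry[patch_name] = hashlib.sha256(patch_bytes).hexdigest()
    return []


def ok_to_install(registry, patch_name, patch_bytes):
    """For every further machine: trust the patch only if it is byte-for-byte the validated one."""
    return registry.get(patch_name) == hashlib.sha256(patch_bytes).hexdigest()


if __name__ == "__main__":
    registry = {}
    print(validate_once(registry, "fw-1.2.3", SAMPLE_PATCH, PUBLISHED_SHA256, SAMPLE_CERT, VALIDATION_TIME))
    print(ok_to_install(registry, "fw-1.2.3", SAMPLE_PATCH))
```

The registry is the evidence that a patch was validated once; keeping the recorded digest with the validation date gives an auditor the process record the SDT described, while each subsequent host only has to confirm it received the same bytes.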

Remember that the SDT is under tight timelines because of the FERC Order. The deadline for filing with FERC is September, which requires NERC Board adoption in August, with the second formal comment period and ballot running through June 15. It is time to comment and ballot. The development project page is at http://www.nerc.com/pa/Stand/Pages/Project201603CyberSecuritySupplyChainManagement.aspx .
