NERC CIP Supply Chain NOPR

As discussed earlier in this post, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Supply Chain project is underway. The Federal Energy Regulatory Commission (FERC) released its Notice of Proposed Rulemaking (NOPR) in which it proposes to approve CIP-013-1, CIP-005-6, and CIP-010-3. FERC also proposes to change the implementation plan from 18 months to 12 months, giving applicable registered entities less time to demonstrate compliance.

In addition, the same NOPR proposes to direct NERC to further modify CIP Standards to require protections for Electronic Access Control and Monitoring Systems (EACMS), Physical Access Controls (PACs), and Protected Cyber Assets (PCAs). Perhaps new Standard language will simply apply the same supply chain controls to these new device types. 

The FERC NOPR can be found here. The next step in the process is to allow for comments and then issue the FERC Order to approve the new Standards, which starts the implementation timeline.

PCS has begun helping its clients write procedures to address new CIP Supply Chain requirements, including the following:

  • Process for the procurement of BES Cyber Systems to identify and assess cyber security risk to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor to another vendor;
  • Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
  • Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
  • Notification by vendors when remote or onsite access should no longer be granted to vendor representatives;
  • Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity;
  • Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System;
  • Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s);
  • Review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan at least once every 15 calendar months;
  • Determining active vendor remote access sessions (including Interactive Remote Access and system-to-system remote access);
  • Disabling active vendor remote access (including Interactive Remote Access and system-to-system remote access);
  • Prior to a change of operating system / firmware, software, or security patches, and when the method to do so is available to the Responsible Entity from the software source: (i) verify the identity of the software source; and (ii) verify the integrity of the software obtained from the software source.
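As an added illustration of the two-part check in the last item (source identity, then software integrity), not PCS's own procedure or code: the vendor is assumed to publish a checksum manifest and a detached Ed25519 signature over it, with the vendor's public key obtained out of band; file names and the patch contents are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the vendor-published list of "<sha256 hex>  <filename>" lines,
// delivered with a detached Ed25519 signature over the manifest bytes.
type Manifest struct {
	Body []byte
	Sig  []byte
}

// VerifyPatch performs the two checks in order: (i) identity of the software
// source, by verifying the vendor's signature over the manifest with a public
// key obtained out of band (assumed, e.g. exchanged at contract time), and
// (ii) integrity of the obtained file, by matching its SHA-256 to the signed
// manifest entry. Any failure is reported before the file is applied.
func VerifyPatch(vendorPub ed25519.PublicKey, m Manifest, name string, file []byte) error {
	if !ed25519.Verify(vendorPub, m.Body, m.Sig) {
		return errors.New("source identity check failed: manifest signature invalid")
	}
	sum := sha256.Sum256(file)
	want := hex.EncodeToString(sum[:])
	for _, line := range bytes.Split(m.Body, []byte("\n")) {
		fields := bytes.Fields(line)
		if len(fields) != 2 || string(fields[1]) != name {
			continue
		}
		if string(fields[0]) == want {
			return nil
		}
		return fmt.Errorf("integrity check failed for %s: manifest %s, computed %s", name, fields[0], want)
	}
	return fmt.Errorf("integrity check failed: %s not listed in signed manifest", name)
}

// SignManifest simulates the vendor side (constructed for this example only).
func SignManifest(priv ed25519.PrivateKey, body []byte) Manifest {
	return Manifest{Body: body, Sig: ed25519.Sign(priv, body)}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	patch := []byte("constructed firmware image v2.1") // constructed sample
	sum := sha256.Sum256(patch)
	m := SignManifest(priv, []byte(hex.EncodeToString(sum[:])+"  rtu-fw-2.1.bin\n"))
	fmt.Println("genuine:", VerifyPatch(pub, m, "rtu-fw-2.1.bin", patch))
	fmt.Println("tampered:", VerifyPatch(pub, m, "rtu-fw-2.1.bin", append(patch, 'x')))
}
```

The nil result for the genuine file and the non-nil error for the tampered one are what an entity would retain as evidence of the two checks having run.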
