CyberSaint Blog | Expert Thought

CIP-013 Implementation: Know Supplier Posture & Accelerate Compliance

Written by Alison Furneaux | April 8, 2020

As the deadline for NERC CIP-013 compliance approaches, power and utility companies are focused on implementing supply chain risk management strategies across their global vendor base.

The North American Electric Reliability Corporation’s (NERC) CIP-013-1 standard is a timely regulation, as third-party risk management, and especially risk management down the supply chain, has been coming into strong focus over the last few years in practically every sector.

According to the "State of the Electric Utility 2020" report, 37% of U.S.-based power and utility (P&U) organizations report that they have not completely implemented cybersecurity programs, much less supply chain risk management (SCRM). Because a successful cyberattack on the electric grid could have catastrophic effects, FERC directed NERC in 2016 (Order No. 829) to develop an SCRM standard, and the result was CIP-013-1.

Standards organizations like NIST have added supply chain risk management language to their control frameworks, and even privacy regulations such as the General Data Protection Regulation (GDPR) impose obligations on how third parties that process data are selected and governed. It is clear that CIP-013-1 implementation is needed in the P&U sector, and building a CIP-013 program across global supply chains will be a high priority for organizations supporting the Bulk Electric System (BES).

NERC CIP standards carry strict penalties for noncompliance, including monetary ones, and this standard is no different. With penalties of up to $1 million per day per violation, having a CIP-013 implementation plan that brings your supply chain into alignment before the July 1, 2020 effective date is key to avoiding disruption, both in cybersecurity and financially.

Prioritizing security risk across your supply chain within the 18-month implementation window that precedes enforcement allows P&U organizations to bolster their compliance program, mitigate cyber risk, and build an internal culture that is aware of supplier risk and supply chain cyber risk as well.

Thankfully, cybersecurity compliance and risk management solutions support supply chain risk management for P&U organizations, and CIP-013 compliance tools enable utility companies to assess and rapidly mitigate supply chain risk before July 1, 2020. With the CIP-013 implementation guidance below, you will be able to weigh your options when building a new CIP-013 program. It also covers what to look for in a supply chain risk management tool and which capabilities to prioritize in support of your CIP-013 program.

CIP-013 Implementation Guidance:

1. Prioritize Communication: Create Tribal Knowledge Across All P&U Organization Layers

Whatever CIP-013 tool you evaluate, P&U organizations should expect their suppliers to develop a cybersecurity and risk mitigation strategy of their own. In fact, many leading P&U organizations are using CIP-013 implementation as a forcing function to strengthen the cyber posture of their vendor base. Communication is key when rolling out new vendor requirements, and a robust CIP-013 solution will visualize and simplify the compliance process both for internal information security teams and for the suppliers working to meet the CIP-013 requirements.

Setting expectations, communicating current asks and gaps in real time, and defining success criteria for your supply chain are all essential, and clear communication across every layer of your organization, from the infosec team to the Board, is critical to success.

Only the most advanced CIP-013 solutions can put cybersecurity activities into business context, with dashboarding, reporting, and tracking capabilities that both suppliers and internal teams can use easily when communicating across organizational layers as the program develops.

P&U Boards of Directors and infosec teams alike will be able to view and understand supply chain gaps, the plans to close those gaps, and the return on security investment (ROSI) for both the P&U organization and the individual supplier. Drill-down capabilities let suppliers and vendor risk teams dive into individual requirements and know where any supplier stands on any CIP-013 requirement at any time.

2. Prioritize Assessments: Know Where Your Suppliers Stand on Cyber Best Practices

No automated solution can fully replace traditional vendor risk management processes such as assessments or questionnaires, because these compliance standards focus heavily on people and process rather than on technology-based controls alone. However, by selecting a CIP-013 solution that provides a real-time view of supplier cybersecurity posture and performance, information security leaders and P&U vendor risk management teams can have confidence in the data they request, track, and report on as they follow this CIP-013 implementation guidance and develop their program.

Solutions like CyberSaint's CyberStrong platform have been named an emerging leader in the utilities sector and are used by some of the largest P&U organizations in the world, not only to address internal NERC CIP, NIST, and other compliance requirements, but also to quickly stand up a robust supply chain risk management program aligned with standards such as CIP-013-1.

3. Prioritize Optimized Remediation Plans: Empower Suppliers to Remediate the Lowest-Hanging-Fruit Controls First, and Set Themselves Up for Future Success

It is important that suppliers know how to develop a prioritized compliance plan of action, and that it is easy for their internal team to roll out, track, and report on continuously, both to you as the P&U organization requesting compliance and to their own C-suite. CIP-013 tools that apply cost- and impact-weighted control optimization use machine learning to fast-track risk management decisions; the output is a dynamic list of low-hanging-fruit opportunities to remediate risk in line with CIP-013.

Some of the most cutting-edge P&U vendor risk teams use CyberStrong to map data on people, processes, technology, risk, and cost against the gaps identified in their current assessments. This control optimization technology produces a list of recently identified risk mitigation opportunities that offer the lowest cost and the highest impact on security posture, encouraging "always-on" continuous improvement and a fast track to CIP-013 compliance.

Once CIP-013 compliance is met, the same optimizations can be used to help your supply chain align further with frameworks and requirements such as NIST's, other NERC CIP standards, and custom vendor questionnaires.

Don't Wait to Accelerate Supply Chain Risk Management

Summarizing this CIP-013 implementation guidance, a competitive CIP-013 solution will allow P&U vendor risk and information security programs to:

  • Scope their vendors and understand vendor assets, including hardware, software, and other key BES Cyber Systems, potentially across hundreds or thousands of vendors
  • Develop and implement a plan to dynamically manage the constant flow of cybersecurity risks throughout a global supply chain, and always know how to prioritize remediation actions
  • Perform continuous cyber risk assessments across all vendors
  • Measure supply chain risk management and CIP-013 posture across all vendors at scale, on a continuous basis that is both manageable and easily understood
  • Align both technical and business-side stakeholders on a rollout plan and a supply chain risk management strategy that is easily presented, updated with real-time data, and fuels informed decision-making

CyberSaint is here to help with CIP-013 implementation. CyberStrong's supply chain risk management capabilities are used by P&U organizations to address, measure, and scale vendor risk assessments and vendor risk program management across some of the largest, most distributed supply chains. With a focus on simplifying cybersecurity program management, CyberStrong supports even the most complex programs and allows security leaders and vendor risk teams not only to keep up with regulatory change but to mature beyond it. Request a meeting with us to see the solution in action.