<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

Vendor Risk Management, Energy & Utilities

Guidance for CIP-013: Effective Date, Guidelines, and Enforcement


Updated April 2, 2020 - Latest NERC CIP-013 Guidance

NERC CIP-013 Overview

On July 21, 2016, the Federal Energy Regulatory Commission (FERC) issued Order No. 829, directing the North American Electric Reliability Corporation (NERC) to develop a new or modified “Reliability Standard”. This new standard would gover third parties, or supply chain risk management (SCRM) in the power and utilities sectors. The new NERC supply chain risk management standard would cover industrial control system (ICS) hardware, software, and computing and networking services associated with the Bulk Electric System (BES).

By fall 2018, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standard, “NERC CIP-013-1” was released, establishing new cybersecurity requirements for organizations in the power and utilities sectors. NERC’s CIP-013 standard mandates that power and utilities secure their global supply chain by holding their vendors to cybersecurity requirements. With CIP-013 enforcement and deadlines around the corner, organizations are looking for solutions that provide them the most visibility across their supply chain with the fastest time to value.

In order to mitigate risks in the global supply chain, and mitigate supply chain disruption caused by cybersecurity risks, responsible entities in the power and utilities sectors must come together and use this regulation as a means to protect the Bulk Electric System (BES) as a whole.

This new CIP-013 supply chain risk management regulation serves to limit power and utilities’ expose to third party cyber risks as they expand business in a predominantly digital age. Thus, the standard and upcoming effective date impacts all entities in the power and utilities industry, requiring them to focus on assessments, risk measurement, risk management, and cybersecurity best practices across numerous vendors.


What Organizations Must Comply to the CIP-013 Requirements?

The focus of this NERC regulation is on suppliers for strong reasons, as the electric grid remains one of the largest targets of cyberattacks and remains a top focus for critical infrastructure security. Unfortunately, in many cases when an attacker successfully breaches a supplier, that same attacker can easily attack the larger P&U organization.

According to NERC, “The security objective [of the CIP-013 regulation] is to ensure entities consider cyber security risks to the BES from vendor products or services.” 

The risks addressed in CIP-013-1 are highly specific to supply chain risk management. Power and utility organizations must develop and implement CIP-013 plans with activity that both identifies vulnerabilities in the supply chain and mitigates them. These programs have to be created by the organizations themselves, with optional guidance from advisories and management capabilities from solutions that support CIP-031 compliance, at scale, with multi-tenant functionality

The cybersecurity SCRM requirements outlined in CIP-013 aim to improve security against an increasing number of attacks that target supply chains, especially in the electric power and utilities sectors. These requirements also cater to organizations who have a vast number of vendors, or third-parties, that provide them services and solutions that allow them to reliably support the BES. Thus, the impact of CIP-013 on both power and utilities organizations and their vendors could be significant.

P&U organizations are the most obvious entities that must adopt the NERC regulatory standard. Other organizations, however, could also fall under the regulation, such as software vendors that support these critical infrastructure organizations, and consultants that advise them. These entities should educate themselves on CIP-013 and other P&U focused regulations as they serve these sectors, because they may need to adjust their information security strategies to maintain partnerships in the P&U industry. 

Power and utilities organizations have already begun to address CIP-013 compliance, partnering with system integrators that specialize in P&U advisory and solution providers like CyberSaint


What is the NERC CIP-013 Effective Date?

Although the CIP regulation was approved in the fall of 2018, this critical infrastructure protection (CIP) standard is enforceable starting on July 1, 2020. Organizations are currently using this few month push as a forcing function to create a robust supply chain risk management program, and to leverage solutions like CyberSaint to mitigate cyber risk.

There is a gradual rollout of the regulation, but even the months provided are where most organizations are catching up on supply chain risk management best practices. P&U organizations will soon need to prove compliance across their global supply chains - within 18 months of the NERC CIP-013-1 effective date, they have to be confident in their proof of compliance to avoid penalties.

CIP-013 solutions, such as integrated risk management solutions and especially those with strong metrics and evidence organization functions such as CyberStrong, are in high demand from P&U companies who want to get compliant quickly and effectively without taxing their teams through a spreadsheet-based assessment of their supply chain.


What is the Penalty for Non-Compliance Against CIP-013?

For each outstanding violation of the CIP-013 requirements, NERC is authorized to fine organizations up to $1 million per day.

This large penalty may seem extreme to some, but the value in protecting the Bulk Electric System is even greater. In addition, the supply chain is a massive focus for cybercriminals targeting critical infrastructure, and with the increasing amount of cyber incidents that occur, it is clear that better supply chain risk management is needed. Some examples of attacks that are pervasive in P&U supply chains include cyberterrorist attacks on third party websites, and in a recent case, nation states sneaking rice-sized microchips into servers provided by industry leaders on which many of the largest power and utility companies rely.

Reasons for enforcement actions include both incomplete or insufficient evidence of compliance, to nonconformance to established policies and procedures within the organization, and unintended disclosure of information considered sensitive.


What does CIP-013 Implementation Include?

Some of the requirements included in NERC CIP-013-1 include:

- Implementing controls that limit exposure to Malware
- Implementing controls that limit exposure to tampering
- Vendor procurement guidelines
- Vendor permissions
- Vendor monitoring

It’s clear that the release and near-term enforcement of the new NERC CIP-013-1 regulation will create a shift in focus for P&U information security organizations. 

Supply chain risk management is a clear improvement area for many industries, including the P&U sector. Scoping, assessing, and remediating cyber risk in accordance with CIP-013 will be a new, major focus for vendor risk teams within P&U information security organizations.

These best practices will not only help organizations get ahead of cyber threats, but when supported by solutions like CyberStrong that have rapid time to value and unparalleled visibility across the supplier base, will also help these infosec teams achieve proactive risk management from assessment to Boardroom. Getting to maturity on NERC’s new standard will be critical to the future success of the Bulk Electric System in this age of digitalization and increasing cyber attacks.

You may also like

Informing Cyber Risk Management ...
on May 18, 2023

Cybersecurity is no longer just an IT issue but a business risk that can impact an organization's reputation, financial health, and legal compliance. Cybersecurity risks are ...

Is Your Organization Prepared for ...
on May 3, 2023

Data storage, as well as maintenance tools and applications, have undergone many iterations in the past decade, with the introduction of cloud computing and Security Information ...

Strategies for Automating a Cyber ...
on May 8, 2023

Cybersecurity leaders and teams are overburdened by several growing trends and issues. And when your cybersecurity team is overworked and unequipped to manage cyber risk ...

Selecting the Right Cyber Risk ...
on April 13, 2023

Cyber risk quantification is the process of determining the likelihood and potential impact of a cyber attack or security breach. The probability and impact will vary based on ...

Leveraging Cyber Security ...
on May 26, 2023

A common misunderstanding with cyber risk management is that only the CISO and security practitioners should be concerned about cyber and information security. Instead, the state ...

Tips and Tricks to Transform Your ...
on April 12, 2023

Simply being “cyber aware” is an unviable option for board members as the impact of cybersecurity expands beyond IT systems. An unnoticed security gap or dated risk assessment are ...