The Critical Infrastructure Protection Supply Chain Risk Management Deadline Is Coming – Are You Ready?

Power utilities in Canada face new risk management regulations around contractors and cyber security. Find out what your company needs to do to be compliant and avoid fines.

Senior Manager, Consulting Services – Energy and Utilities

Electricity regulators across Canada and the U.S. are currently adopting the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) Supply Chain Risk Management (CIP 013-1) standard. CIP 013-1 is a new standard that works with the existing CIP Standards to ensure electricity utilities will have compliance plans to manage physical and cyber security through their contractors and suppliers. CIP compliance, including CIP 013-1, impacts many organizations including their supply chains; your company could suffer reputational damage and be at risk for fines if you are found to be non-compliant.

Supply chain risk management, and more specifically cyber risks, are becoming increasingly important in the energy and utilities industry. According to a Siemens survey in 2019, energy and utilities companies around the world are seeing a rise in cyber attacks. The survey found that 56 percent of respondents have experienced an outage or data breach in the last year, and 54 percent were expecting a cyber attack on critical infrastructure over the next year.

However, only 31 percent of respondents said they were ready to handle or contain a breach. NERC is aiming to improve that number through the CIP standards, including CIP 013-1. This will most likely include requirements for penetration testing of utilities and their supplier base for compliance in the not-too-distant future.

To start assessing your organization’s needs under CIP 013-1, you need to fully understand contractual responsibilities and how deep the responsibilities run into the supply chain. CIP 013-1 has created new rules for physical security, cyber security and employee background checks, with these rules also applying to service providers. These new rules need to be fully understood, contractually applied, monitored and documented.

For example, if an employee at a service company works on a substation and then leaves that company, what is the process for informing the utility, returning access cards and removing digital credentials? This goes beyond the utility itself; the utility must demonstrate that the process includes the subcontractors involved, including how information is received from the subcontractor, documented, and signed off by the subcontractor.

In the auditing process, regulators want to see the processes and policies, but they also want to see evidence they are being followed. Without documented evidence, including subcontractor documentation, your utility could be vulnerable to fines and reputational harm if an incident were to occur. Developing clear documentation and retention standards for both the utility and its subcontractors is as important as developing solid processes and policies.

Meeting the CIP standards and requirements, including CIP 013-1, is a significant and important undertaking for utilities; but you don’t have to tackle it alone. MNP can facilitate assessments of your organization and subcontractors to help identify where you’re already compliant and/or what gaps exist. With an extensive background in supply chain management and cyber security, we can prepare your organization to understand and manage supply chain cyber risks, to protect your organization and be in CIP compliance.

To learn more about our CIP compliance support, contact Matt Hamilton, Senior Manager, Consulting, at 403.669.2446 or [email protected] 

