The Critical Infrastructure Protection Supply Chain Risk Management Deadline Is Coming – Are You Ready?

Power utilities in Canada face new risk management regulations around contractors and cyber security. Find out what your company needs to do to be compliant and avoid fines.

Senior Manager, Consulting Services – Energy and Utilities

Electricity regulators across Canada and the U.S. are currently adopting the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) Supply Chain Risk Management (CIP 013-1) standard. CIP 013-1 is a new standard that works with the existing CIP Standards to ensure electricity utilities will have compliance plans to manage physical and cyber security through their contractors and suppliers. CIP compliance, including CIP 013-1, impacts many organizations including their supply chains; your company could suffer reputational damage and be at risk for fines if you are found to be non-compliant.

Supply chain risk management, and more specifically cyber risks, are becoming increasingly important in the energy and utilities industry. According to a Siemens survey in 2019, energy and utilities companies around the world are seeing a rise in cyber attacks. The survey found that 56 percent of respondents have experienced an outage or data breach in the last year, and 54 percent were expecting a cyber attack on critical infrastructure over the next year.

However, only 31 percent of respondents said they were ready to handle or contain a breach. NERC is aiming to improve that number through the CIP standards, including CIP 013-1. This will most likely include requirements for penetration testing of utilities and their supplier base for compliance in the not-too-distant future.

To start assessing your organization’s needs under CIP 013-1, you need to fully understand contractual responsibilities and how deep the responsibilities run into the supply chain. CIP 013-1 has created new rules for physical security, cyber security and employee background checks, with these rules also applying to service providers. These new rules need to be fully understood, contractually applied, monitored and documented.

For example, if an employee at a service company works on a substation and then leaves that company, what is the process for informing the utility, returning access cards and removing digital credentials? This goes beyond the utility itself; it must be demonstrated that the process includes the involved subcontractors. This includes how information is received, documented and signed off by and from the subcontractor.

In the auditing process, regulators want to see the processes and policies, but they also want to see evidence they are being followed. Without documented evidence, including subcontractor documentation, your utility could be vulnerable to fines and reputational harm if an incident were to occur. Developing clear documentation and retention standards for both the utility and its subcontractors is as important as developing solid processes and policies.

Meeting the CIP standards and requirements, including CIP 013-1, is a significant and important undertaking for utilities; but you don’t have to tackle it alone. MNP can facilitate assessments of your organization and subcontractors to help identify where you’re already compliant and/or what gaps exist. With an extensive background in supply chain management and cyber security, we can prepare your organization to understand and manage supply chain cyber risks, to protect your organization and be in CIP compliance.

To learn more about our CIP compliance support, contact Matt Hamilton, Senior Manager, Consulting, at 403.669.2446 or [email protected] 

