The Critical Infrastructure Protection Supply Chain Risk Management Deadline Is Coming – Are You Ready?

Synopsis

Power utilities in Canada face new risk management regulations around contractors and cyber security. Find out what your company needs to do to be compliant and avoid fines.

Senior Manager, Consulting Services – Energy and Utilities

Electricity regulators across Canada and the U.S. are currently adopting the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) Supply Chain Risk Management (CIP 013-1) standard. CIP 013-1 is a new standard that works with the existing CIP Standards to ensure electricity utilities will have compliance plans to manage physical and cyber security through their contractors and suppliers. CIP compliance, including CIP 013-1, impacts many organizations including their supply chains; your company could suffer reputational damage and be at risk for fines if you are found to be non-compliant.

Supply chain risk management, and more specifically cyber risks, are becoming increasingly important in the energy and utilities industry. According to a Siemens survey in 2019, energy and utilities companies around the world are seeing a rise in cyber attacks. The survey found that 56 percent of respondents have experienced an outage or data breach in the last year, and 54 percent were expecting a cyber attack on critical infrastructure over the next year.

However, only 31 percent of respondents said they were ready to handle or contain a breach. NERC is aiming to improve that number through the CIP standards, including CIP 013-1. This will most likely include requirements for penetration testing of utilities and their supplier base for compliance in the not-too-distant future.

To start assessing your organization’s needs under CIP 013-1, you need to fully understand contractual responsibilities and how deep the responsibilities run into the supply chain. CIP 013-1 has created new rules for physical security, cyber security and employee background checks, with these rules also applying to service providers. These new rules need to be fully understood, contractually applied, monitored and documented.

For example, if an employee at a service company works on a substation and then leaves that company, what is the process for informing the utility, returning access cards and removing digital credentials? This goes beyond the utility itself; it must be demonstrated that the process includes the involved subcontractors, including how information is received, documented and signed off by and from the subcontractor.

In the auditing process, regulators want to see the processes and policies, but they also want to see evidence they are being followed. Without documented evidence, including subcontractor documentation, your utility could be vulnerable to fines and reputational harm if an incident were to occur. Developing clear documentation and retention standards for both the utility and its subcontractors is as important as developing solid processes and policies.

Meeting the CIP standards and requirements, including CIP 013-1, is a significant and important undertaking for utilities; but you don’t have to tackle it alone. MNP can facilitate assessments of your organization and subcontractors to help identify where you’re already compliant and/or what gaps exist. With an extensive background in supply chain management and cyber security, we can prepare your organization to understand and manage supply chain cyber risks, to protect your organization and be in CIP compliance.

To learn more about our CIP compliance support, contact Matt Hamilton, Senior Manager, Consulting, at 403.669.2446 or [email protected] 
