I was quite
honored to be asked recently to be the keynote speaker at the second annual
IEEE Smart Grid Cybersecurity Workshop, which will be held on Thursday and
Friday December 12 and 13 at the same hotel in Atlanta where the NERC CIP will
meet on Tuesday and Wednesday (which I’ll also attend); the agenda is here. My topic
will be – what else? – “Developing your Supply Chain Cyber Risk Management Plan”.

Of course,
if you are a cynical person like me, you might point out that the smart grid
has to do primarily with distribution, while CIP-013 (which of course requires
the entity to develop a supply chain cybersecurity risk management plan) is a
standard for Bulk Electric System assets. Why talk about CIP-013 at this
workshop?

Fortunately,
I already have my answer for you: I’m not talking just, or even primarily,
about CIP-013. Any utility, in fact
any organization that runs using computing hardware and software that they
purchase, is subject to supply chain cybersecurity risks, and should have a
risk mitigation plan. Exactly the same considerations go into developing a plan
for cyber assets to be deployed on the distribution grid as for BES cyber assets.
So there, smarty pants. And I won’t be alone in discussing supply chain
security. There’s a panel on that topic right before me.

I hope to
see you there!

Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that
if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or
challenges like what is discussed in this post – especially on compliance with
CIP-013. My offer of a free
webinar on CIP-013, specifically for your organization, remains open to
NERC entities and vendors of hardware or software components for BES Cyber
Systems. To discuss this, you can email me at the same address.

Very insightful - and true. Don't ignore Distribution.... << Exactly the same considerations go into developing a plan for cyber assets to be deployed on the distribution grid as for BES cyber assets.>>

Thanks, Rob. I will make sure to discuss Distribution assets, although I don't see any difference for that, except that CIP-013 doesn't apply so they don't need the same types of documentation as for BES assets.