If you’re not part of the electric power industry, you may not have heard of NERC, the North American Electric Reliability Corporation. Or you may have heard of it, but all you know is the acronym.
NERC is a non-profit corporation owned by electric utilities and other power market participants. It develops and audits compliance with a number of standards for reliability of the North American Bulk Electric System (BES), including the famous (infamous?) NERC CIP standards for cybersecurity of the grid. But the regulatory muscle behind all NERC standards is provided by the Federal Energy Regulatory Commission (FERC), which is part of the Department of Energy. This unusual arrangement was mandated by the Electric Power Act of 2005.
NERC also plays a number of important educational roles, one of which is to provide guidelines on grid security, including supply chain cybersecurity. The supply chain guidelines are developed by the NERC Supply Chain Working Group (SCWG), which was formed in 2018, as the industry was starting to prepare for implementation of NERC CIP-013-1, the supply chain cybersecurity risk management standard. It’s important to keep in mind that the guidelines are not aimed at compliance with CIP-013, but simply at good supply chain security practices.
I’ve been a member of the SCWG since shortly after its inception. In 2019, the group was asked to develop guidelines on (I believe) five topics related to cybersecurity. I volunteered to lead the group that developed a paper on the supply chain cyber risk management lifecycle. After the first couple of meetings of the group, I realized there should be a separate paper on the vendor risk management lifecycle, so another group was formed to develop that – and nobody else volunteered to lead it, so I led that as well. The papers were published in 2019 and 2020 (in the end, there were 8 or 9 papers).
This year, the SCWG was asked by NERC to update the guidelines papers. Since nobody else stepped forward (hard to do in a WebEx, of course), I ended up leading both of those updates. Just as I’d found the experience of developing the 2019 papers to be quite intellectually stimulating, I found the same thing this year.
The two papers were published for comment by NERC on Monday; they’ll be up for 45 days, and then we’ll draft the final versions. The supply chain paper is here and the vendor paper is here. I think only NERC members can comment, but I’d love to hear any comments or questions. I’ll make sure we take them into account when we revise the documents, so your comments will be given as much attention as a NERC member’s.
I do want to point out that there is some material that was added to the papers before publication, which is common to them as well as to the other papers (which will be put up starting soon but continuing into 2023 – since a few were written in 2020, not 2019). That’s the material before the Executive Summary and after the table of participants. That material has nothing to do with the topics, but you may find it interesting anyway (I’ve always found the topic of the power grid in general to be quite interesting, and have written about it – i.e., not from a cybersecurity point of view – a number of times, like this one and this one).
And if you want to buff up on the NERC CIP standards, you’ll find a few posts of interest by searching on CIP in the search bar. There are probably about 400-500, so I wouldn’t plan on reading every one of them in one sitting.
If you’re with a NERC entity or an IT or OT supplier to the power industry, I’d love to have a discussion with you about CIP-013 and supply chain cybersecurity. Please drop me an email.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.