Wednesday, September 21, 2022

NERC's supply chain security guidelines


If you’re not part of the electric power industry, you may not have heard of NERC, the North American Electric Reliability Corporation. Or you may have heard of it, but all you know is the acronym.

NERC is a non-profit corporation owned by electric utilities and other power market participants. It develops and audits compliance with a number of standards for reliability of the North American Bulk Electric System (BES), including the famous (infamous?) NERC CIP standards for cybersecurity of the grid. But the regulatory muscle behind all NERC standards is provided by the Federal Energy Regulatory Commission (FERC), which is part of the Department of Energy. This unusual arrangement was mandated by the Electric Power Act of 2005.

NERC also plays a number of important educational roles, one of which is to provide guidelines on grid security, including supply chain cybersecurity. The supply chain guidelines are developed by the NERC Supply Chain Working Group, which was formed in 2018, as the industry was starting to prepare for implementation of NERC CIP-013-1, the supply chain cybersecurity risk management standard. It’s important to keep in mind that the guidelines are not aimed at compliance with CIP-013, but simply at good supply chain security practices.

I’ve been a member of the SCWG since shortly after its inception. In 2019, the group was asked to develop guidelines on (I believe) five topics related to cybersecurity. I volunteered to lead the group that developed a paper on supply chain cyber risk management lifecycle. After the first couple meetings of the group, I realized there should be a separate paper on vendor risk management lifecycle, so another group was formed to lead that – and nobody else volunteered to lead it, so I led that as well. The papers were published in 2019 and 2020 (in the end, there were 8 or 9 papers).

This year, the SCWG was asked by NERC to update the guidelines papers. Since nobody else stepped forward (hard to do in a WebEx, of course) I ended up leading both of those. Just as I’d found the experience of developing the 2019 papers to be quite intellectually stimulating, I found the same thing this year.

The two papers were published for comment by NERC on Monday; they’ll be up for 45 days, and then we’ll draft the final versions. The supply chain paper is here and the vendor paper is here. I think only NERC members can comment, but I’d love to hear any comments or questions. I’ll make sure we take them into account when we revise the documents, so your comments will be given as much attention as a NERC member’s.

I do want to point out that there is some material that was added to the papers before publication, that’s common to them as well as the other papers (which will be put up starting soon but continuing into 2023 – since a few were written in 2020, not 2019). That’s the material before the Executive Summary and after the table of participants. That material has nothing to do with the topics, but you may find it interesting anyway (I’ve always found the topic of the power grid in general to be quite interesting, and have written about it – i.e., not from a cybersecurity point of view – a number of times, like this one and this one).

And if you want to buff up on the NERC CIP standards, you’ll find a few posts of interest by searching on CIP in the search bar. There are probably about 4-500, so I wouldn’t plan on reading every one of them in one sitting.

If you’re with a NERC entity or an IT or OT supplier to the power industry, I’d love to have a discussion with you about CIP-013 and supply chain cybersecurity. Please drop me an email.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

No comments:

Post a Comment