I’ve been part of the NERC[i] Supply Chain Working Group (SCWG) since they started up about five years ago. In 2019, the group developed about seven short guidelines on supply chain cybersecurity risk management; these are all being updated now (plus, Tobias Whitney of Fortress Information Security is leading development of a new document on Procurement Sourcing, which looks to be quite interesting). I led the teams that developed two of these guidelines, as well as the teams that updated both of them last year.
Both guidelines have recently received final approval from the NERC Reliability and Security Technical Committee and have been posted on NERC’s website. The documents are Supply Chain Cybersecurity Risk Management Lifecycle and Vendor Risk Management Lifecycle. Leading the groups that developed and revised both of these was a great experience; I think both documents are worth reading by anybody involved in supply chain cybersecurity for critical infrastructure. If that fits your job description, you may want to review both of these. A few points about them:
First, don’t be fooled by the fact that they’re NERC documents. There is almost nothing in them that applies only to the electric power industry. Since NERC is entirely focused on operations, both documents are appropriate to what I call “OT-focused” industries: gas pipelines, oil refineries, power generation and transmission, pulp and paper mills, manufacturing of all types, etc. In all these industries, Job Number One is protecting the availability of the process by which the industry makes its money.
“IT-focused” industries are those for which protection of the confidentiality and integrity of data is the most important consideration, such as banking, insurance, consulting, most government agencies, etc. While there are many supply chain cybersecurity considerations that apply to both groups (e.g. they both need to ensure the integrity and availability of their network infrastructure devices), there are other considerations that mostly apply to one or the other (e.g. the vendor’s protection of customer data is a concern mainly for IT-focused industries, since OT-focused industries often will not provide any operational data at all to their vendors).
Also, neither of these documents provides guidance on compliance with the NERC CIP standards, including NERC CIP-013, the standard for supply chain cybersecurity risk management. That being said, CIP-013 R1 requires the NERC entity to develop a good supply chain cybersecurity risk management plan for their OT systems, and both of these documents point to elements that might be included in such a plan.
Last, I want to point out that there are a few pages of boilerplate NERC language in both documents, which you might or might not care to read (the Preface and Preamble sections at the beginning of both documents, and the Metrics section at the end).
I hope you enjoy these documents, and I’d love to hear any comments you have on either one.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] North American Electric Reliability Corporation, the organization that develops and audits the NERC Reliability and Security standards, including the NERC CIP (Critical Infrastructure Protection) standards. NERC is the Electric Reliability Organization chosen by FERC, the Federal Energy Regulatory Commission, in accordance with Section 215 of the Electric Power Act of 2005. FERC provides the regulatory “muscle” behind the NERC standards.