Sunday, April 2, 2023

NERC’s new supply chain cyber risk management guidelines

I’ve been part of the NERC[i] Supply Chain Working Group (SCWG) since they started up about five years ago. In 2019, the group developed about seven short guidelines on supply chain cybersecurity risk management; these are all being updated now (plus, Tobias Whitney of Fortress Information Security is leading development of a new document on Procurement Sourcing, which looks to be quite interesting). I led the teams that developed two of these guidelines, as well as the teams that updated both of them last year.

Both guidelines have recently received final approval from the NERC Reliability and Security Technical Committee and have been posted on NERC’s website. The documents are Supply Chain Cybersecurity Risk Management Lifecycle and Vendor Risk Management Lifecycle. Leading the groups that developed and revised both of these was a great experience; I think both documents are worth reading by anybody involved in supply chain cybersecurity for critical infrastructure. If that fits your job description, you may want to review both of these. A few points about them:

First, don’t be fooled by the fact that they’re NERC documents. There is almost nothing in them that just applies to the electric power industry. Since NERC is entirely focused on operations, all these documents are appropriate to what I call “OT-focused” industries: gas pipelines, oil refineries, power generation and transmission, pulp and paper mills, manufacturing of all types, etc. In all these industries, Job Number One is protecting the availability of the process by which the industry makes its money.

“IT-focused” industries are those for which protection of the confidentiality and integrity of data is the most important consideration, such as banking, insurance, consulting, most government agencies, etc. While there are many supply chain cybersecurity considerations that apply to both groups (e.g. they both need to ensure the integrity and availability of their network infrastructure devices), there are other considerations that mostly apply to one or the other (e.g. the vendor’s protection of customer data is a concern mainly for IT-focused industries, since often OT-focused industries will not provide any operational data at all to their vendors).

Also, neither of these documents provides guidance on compliance with the NERC CIP standards, including NERC CIP-013, the standard for supply chain cybersecurity risk management. That being said, CIP-013 R1 requires the NERC entity to develop a good supply chain cybersecurity risk management plan for their OT systems, and both of these documents point to elements that might be included in such a plan.

Last, I want to point out that there are a few pages of boilerplate NERC language in both documents, which you might or might not care to read (the Preface and Preamble sections at the beginning of both documents, and the Metrics section at the end).

I hope you enjoy these documents, and I’d love to hear any comments you have on either one.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

[i] North American Electric Reliability Corporation, the organization that develops and audits the NERC Reliability and Security standards, including the NERC CIP (Critical Infrastructure Protection) standards. NERC is the Electric Reliability Organization chosen by FERC, the Federal Energy Regulatory Commission, in accordance with Section 215 of the Electric Power Act of 2005. FERC provides the regulatory “muscle” behind the NERC standards.