NERC's CIP-013 in Mitigating Utility Supply Chain Cyberattacks

With electric vehicles, the smart grid, and the internet of things, a utility’s attack surface is broad and complex - and cyber criminals are innovating.

While organizations secure their perimeters, hackers are moving “upstream”: targeting the software supply chain, hoping to hijack a third party software before it’s installed by a company.

High-profile supply chain attacks - SolarWinds, NotPetya, or WannaCry - have spurred the federal government to secure software procurement and third-party services.

In addition to President Biden’s executive orders prioritizing the supply chain, NERC introduced a significant new Critical Infrastructure Protection (CIP) standard: CIP-013.

CIP-013 requires cyber supply chain risk management for moderate and high-impact bulk electric cyber systems (BCS). 

For many utilities, understanding CIP-013 and developing cyber supply chain risk management is key to staying in compliance and avoiding fines.

But an obsession with compliance obscures two key problems: 1) CIP-013 is limited and 2) supply chain attacks pose a greater threat than non-compliance.

Ultimately, utility providers - including those that aren’t required to comply - must understand the CIP-013’s requirements so they can move beyond it in protecting the software supply chain.

What are NERC’s CIP Standards?

Over the last twenty years, the federal government has taken a more active role in regulating critical infrastructure and supply chain cybersecurity.

Notably, the Energy Policy Act of 2005 empowered the North American Electric Reliability Corporation (NERC) to enforce reliability standards and penalize infractions for the bulk-power system.

NERC’s reliability standards cover fourteen areas, from Communications (COM) to Transmission Planning (TPL), and NERC developed the Critical Infrastructure Protection (CIP) standards for grid cybersecurity.

NERC’s first CIP standards - CIP-002 through CIP-009 - were approved by the Federal Energy Regulatory Commission (FERC) in 2008. As a result, energy became the only industry with mandatory and enforceable cybersecurity standards.

Currently, there are 11 CIP standards:

And though CIP standards only apply to the bulk-power system, their emphasis on basic cyber hygiene, network perimeters, and physical security, among other things, are vital for any organization.

This goes for NERC’s recent additions to the CIP standards as well - supply chain cybersecurity is crucial.

In 2020, NERC added items to CIP-005 and CIP-010 concerning vendor remote access and software integrity and validity - and implemented CIP-013, an entirely new standard.

Though NERC’s CIP-013 isn’t perfect, it highlights an important area where all utilities can take the lead: cyber supply chain risk management.

What is NERC CIP-013?

CIP-013 requires moderate or high-impact BCS operators to create a cyber supply chain risk management (C-SCRM) plan.

Tom Alrich, a consultant for CIP compliance, has identified “five categories of supply chain risk” that must be addressed in an organization’s plan:

  1. Product risks from equipment and software procurement
  1. Risks from procurement of services applying to BCS equipment and software
  1. Product risks from equipment and software installation
  1. Risks from use of services for BCS
  1. Transitions between vendors

Simply put, NERC’s new standard requires moving beyond simple cyber hygiene.

Instead of obsessing over a security perimeter, CIP-013 looks upstream to counter cyber criminals in its emphasis on procurement, installations, and services.

However, utilities can’t stop here; there are limitations to mere compliance.

Moving Beyond NERC CIP-013 in Cyber Supply Chain Security

CIP-013’s Limitations

While CIP-013 is an excellent step forward in securing the software supply chain, utilities need a more robust risk management plan than that required in the standard.

CIP-013 requires entities to develop, implement, and submit a risk management plan, but there’s little information on the risks that should be included in the plan or how to rank and mitigate these risks. Actually, this is the first CIP standard that doesn’t prescribe very clear and specific actions.

Though there are National Institute of Standards and Technology (NIST) best practices for supply chain risk management, these recommendations go above and beyond the requirements in CIP-013.

In a 2019 report on critical infrastructure protection, GAO recognized CIP-013 is a starting point, not the end goal. 

Even FERC acknowledges the moderate pace of federal regulation can’t keep up as cybercrime evolves. FERC is proposing a plan to offer incentives for utilities that exceed the CIP standards and follow NIST best practices.

That said, utilities shouldn’t wait for financial incentives or new regulation - a carrot or stick - to move beyond CIP-013 compliance.

The Immediate Threat of a Supply Chain Attack

Utilities should pursue a more robust C-SCRM plan than that detailed in CIP-013 because supply chain attacks pose a significant risk to utilities and the U.S. government:

  • SolarWinds compromised the U.S. Treasury Department and Department of Homeland Security, among other agencies.

Though NERC can penalize electric utilities $1 million per day for a violation of its standards, a supply chain cyber attack may cost a utility even more than a CIP violation. And this doesn’t include the potential environmental, human, or reputational risk of an attack on critical infrastructure.

Much has been written on CIP compliance, as organizations scramble to meet requirements and pass audits, but an obsession with compliance is shortsighted.

Instead of compliance, utilities should prioritize surpassing these standards and adopting best practices due to the prohibitive cost and inevitability of a supply chain attack.

Cybersecurity, Not Mere Compliance

While federal regulation is instrumental in safeguarding critical infrastructure and its supply chain, regulation is also limited. It’s the floor, not the ceiling.

Other federal entities, like NIST or CISA, offer resources and best practices that exceed current standards and are more responsive to developments in cybercrime.

Cybercriminals will be probing your supply chain for vulnerabilities. Are you doing the same?

In 2020 alone, according to public reports, 694 entities and over 42 million individuals were affected by supply chain attacks. And considering how often attacks go unreported, the number is certainly much higher.

Whether or not CIP-013 is relevant to your organization, you need to invest in thorough C-SCRM.

Don’t wait to adopt a robust C-SCRM plan until it’s too late.

Interested in C-SCRM? Learn steps utilities can take in securing the cyber supply chain by downloading our white paper:

cyber supply chain white paper

Get the latest in infrastructure news. Sign up for our newsletter.