Gearing Up in 2019 to Comply with Updated CIP Reliability Standards
- January 29, 2019
Additional, more rigorous requirements apply to electric industry participants under the Critical Infrastructure Protection (CIP) Reliability Standards. Organizations in the supply chain should expect to see the requirements flow down to them through agreements.
The new requirements are intended to improve the electric industry’s cybersecurity posture by addressing certain cybersecurity risks associated with the supply chain. Electric industry participants (including providers of software, systems, or services to the electric industry) should take a proactive approach to ensure their current software, systems, policies, and procedures are consistent with these new requirements.
Compliance with the Updated Standards
The Federal Energy Regulatory Commission (FERC) recently published a final rule updating and adding to the CIP Reliability Standards, which are intended to help protect the bulk electric system (BES) in the United States. The final rule, issued in late 2018, approves submissions by the North American Electric Reliability Corporation (NERC) to:
- create a new Supply Chain Risk Management Reliability Standard (CIP-013-1);
- update the Electronic Security Perimeter(s) Reliability Standard (CIP-005-6); and
- update the Configuration Change Management and Vulnerability Assessments Reliability Standard (CIP-010-3).
Responsible entities have until July 1, 2020, to develop and implement policies, procedures, and systems necessary to comply. Responsible entities include all bulk power system owners, operators, and users. According to FERC, responsible entities are responsible for complying with their own obligations under the reliability standards and they also have a duty to mitigate any risk associated with their procurement and use of services and products from suppliers and vendors. While NERC and FERC will not hold suppliers and vendors directly responsible for their non-compliance under the reliability standards, responsible entities may hold them accountable by contract.
1. New CIP Supply Chain Risk Management Reliability Standard
The new Supply Chain Risk Management Reliability Standard requires responsible entities to “develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations,” which can help mitigate the risks from the “insertion of counterfeit or malicious software, unauthorized production, tampering, or theft, as well as poor manufacturing and development practices.” In other words, under the new standard, responsible entities must build sound vendor management practices for information and system security into their procurement process for industrial control systems. Unsurprisingly, this must include an assessment of the applicable cybersecurity risks.
The specific, stated security objectives for the new standard are:
- software integrity and authenticity;
- vendor remote access protections;
- information system planning; and
- vendor risk management procurement controls.
FERC intended the Reliability Standards to address the following risks:
- “that responsible entities could unintentionally plan to procure and install unsecure equipment or software within their information systems, or could unintentionally fail to anticipate security issues that may arise due to their network architecture or during technology and vendor transitions”;
- “that responsible entities could enter into contracts with vendors that pose significant risks to the responsible entities’ information systems, as well as the risk that products procured by a responsible entity fail to meet minimum security criteria”; and
- “that a compromised vendor would not provide adequate notice and related incident response to responsible entities with whom that vendor is connected.”
FERC recognizes that the new Supply Chain Risk Management Reliability Standard focuses on only certain aspects of information security, and is not yet a complete standard. Accordingly, FERC has directed NERC to propose an update that covers Electronic Access Control and Monitoring Systems (EACMS) (e.g., firewalls, intrusion detection systems, etc.) associated with medium and high impact “BES Cyber Systems.” BES Cyber Systems are cyber assets “that if rendered unavailable, degraded, or misused would, within 15 minutes of the asset’s required operation, mis-operation, or non-operation, adversely impact one or more facilities, systems, or equipment, which, if destroyed, or otherwise rendered unavailable when needed, would affect the reliable operation of the BES.” FERC noted that “EACMS represent the most likely route an attacker would take to access a BES Cyber System . . . based on the functions they perform,” because they enable and secure the communications capability on which BES Cyber Systems depend.
2. Update to Electronic Security Perimeter Reliability Standard
The update to the Electronic Security Perimeter(s) (ESP) Reliability Standard focuses on vendor remote access. It requires the implementation of at least one method for identifying “active vendor remote access sessions” to raise the responsible entity’s awareness of vendor activity on the responsible entity’s systems. The standard also requires at least one method for terminating vendor remote access sessions when no longer needed.
3. Update to Configuration Change Management and Vulnerability Assessments Reliability Standard
The Configuration Change Management and Vulnerability Assessments Reliability Standard was updated to address managing updates to software installed in BES Cyber Systems. Under the updated standard, before installing a patch or other update that will change the baseline configuration of a BES Cyber System, responsible entities are expected to verify both the identity of the software source (that the update really came from the vendor) and the integrity of the software obtained from that source (that it was not altered in transit or storage). A digest published alongside the update covers the second point only; establishing who published the digest requires a signature from the vendor checked against a key obtained through a separate, trusted channel.
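As an added illustration of the two checks described above (this is example code written for this article, not code from NERC, FERC, or any vendor), the following Go program verifies a vendor-signed release manifest and then checks the patch bytes against the digest in that manifest. The vendor key pair, the manifest layout, the file name and the patch contents are all constructed for the example; a real deployment would receive the manifest, signature and patch from the vendor and obtain the vendor's public key out of band.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the vendor's release metadata for one patch file: the file name
// and its SHA-256 digest. The vendor signs Bytes() with its release signing key.
// (Constructed layout for this example; real vendors use their own formats.)
type Manifest struct {
	Name   string
	SHA256 string // lowercase hex
}

// Bytes is the canonical encoding that is signed and later verified.
func (m Manifest) Bytes() []byte {
	return []byte(m.Name + "\n" + m.SHA256 + "\n")
}

// VerifyUpdate performs the two pre-installation checks: source identity
// (a valid vendor signature over the manifest, using a public key the
// responsible entity obtained out of band) and integrity (the patch bytes
// match the digest the signed manifest vouches for). Any failure rejects the update.
func VerifyUpdate(vendorKey ed25519.PublicKey, m Manifest, sig, patch []byte) error {
	if len(vendorKey) != ed25519.PublicKeySize {
		return errors.New("vendor public key has wrong size")
	}
	if !ed25519.Verify(vendorKey, m.Bytes(), sig) {
		return errors.New("source identity not verified: manifest signature invalid")
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return errors.New("manifest carries a malformed SHA-256 digest")
	}
	got := sha256.Sum256(patch)
	if !bytes.Equal(got[:], want) {
		return fmt.Errorf("integrity check failed: digest %x does not match manifest", got)
	}
	return nil
}

// Release bundles what a vendor ships plus the public key the entity trusts.
type Release struct {
	PublicKey ed25519.PublicKey
	Manifest  Manifest
	Signature []byte
	Patch     []byte
}

// NewRelease simulates a vendor generating a release key and signing a patch.
func NewRelease(name string, patch []byte) (Release, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Release{}, err
	}
	sum := sha256.Sum256(patch)
	m := Manifest{Name: name, SHA256: hex.EncodeToString(sum[:])}
	return Release{PublicKey: pub, Manifest: m, Signature: ed25519.Sign(priv, m.Bytes()), Patch: patch}, nil
}

// Outcome records the result of the three scenarios exercised by Scenarios.
type Outcome struct {
	Genuine  error // authentic, untampered patch: expect nil
	Tampered error // patch bytes altered after signing: expect an integrity failure
	Impostor error // manifest signed by a key that is not the vendor's: expect an identity failure
}

// Scenarios runs a genuine release, a tampered payload and an impostor signer
// through VerifyUpdate using constructed sample data.
func Scenarios() (Outcome, error) {
	patch := []byte("RTU firmware 4.2.1 (constructed sample payload)")
	rel, err := NewRelease("rtu-fw-4.2.1.bin", patch)
	if err != nil {
		return Outcome{}, err
	}
	var out Outcome
	out.Genuine = VerifyUpdate(rel.PublicKey, rel.Manifest, rel.Signature, rel.Patch)

	tampered := append([]byte(nil), rel.Patch...)
	tampered[0] ^= 0x01 // flip one bit in transit
	out.Tampered = VerifyUpdate(rel.PublicKey, rel.Manifest, rel.Signature, tampered)

	// An impostor signs a consistent manifest for its own payload with its own
	// key; the entity trusts only the real vendor key, so the signature fails.
	fake, err := NewRelease(rel.Manifest.Name, []byte("malicious payload"))
	if err != nil {
		return Outcome{}, err
	}
	out.Impostor = VerifyUpdate(rel.PublicKey, fake.Manifest, fake.Signature, fake.Patch)
	return out, nil
}

func main() {
	out, err := Scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine :", out.Genuine)
	fmt.Println("tampered:", out.Tampered)
	fmt.Println("impostor:", out.Impostor)
}
```

The order of the checks matters: the signature over the manifest is verified first, so the digest used for the integrity check is itself authenticated. Checking a digest downloaded from the same place as the patch, without a signature, would only detect accidental corruption, not a substituted update.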
Anticipated Update to Incident Reporting and Response Reliability Standard
FERC has mandated that, by April 1, 2019, NERC must develop and submit for FERC approval an enhancement of the Cyber Security – Incident Reporting and Response Planning Reliability Standard (CIP-008-5) to reflect a more extensive baseline and understanding of the nature of cybersecurity threats and vulnerabilities.
The update to the Cyber Security – Incident Reporting and Response Planning Reliability Standard is to include the following:
- a requirement to report cybersecurity incidents to the Electricity Information Sharing and Analysis Center (E-ISAC) and also to the Department of Homeland Security, for incidents that “compromise, or attempt to compromise a responsible entity’s [ESP] or [EACMS]”;
- a requirement that cybersecurity incident reports “include certain minimum information to improve the quality of reporting and allow for ease of comparison by ensuring that each report includes specific fields of information”; and
- filing deadlines for cybersecurity incident reports associated with “a compromise or disruption to reliable BES operation, or an attempted compromise or disruption”.
Even though this Reliability Standard has not yet been updated, responsible entities can use this roadmap now to guide updates to their incident response plans and procedures.
By July 2020, responsible entities should: (1) implement supply chain risk management procedures; (2) update procedures relating to vendor remote access requirements; and (3) implement appropriate software integrity and authenticity measures that meet the requirements prescribed in the new and updated Reliability Standards. Suppliers of goods and services to the electric industry will need to evaluate their risk profiles as well, including with respect to their software controls, in part because electric industry participants are likely to push for contractual requirements in supplier agreements to help meet their compliance obligations and assign risk from cybersecurity failures. Separately, responsible entities should consider reviewing their incident response plans and procedures in light of the forthcoming updates to the Reliability Standard governing cybersecurity incident reporting requirements.
NERC has the power to enforce the Reliability Standards under Section 215 of the Federal Power Act. According to NERC, approximately 2,500 organizations in North America are subject to these mandatory Reliability Standards. Non-compliance may result in penalties, sanctions, and directives from NERC, which has authority across North America subject to oversight by FERC and by governmental authorities in Canada.
Authored by Reed Smith LLP attorneys Bart Huffman, Wendell Bartnick, and Haylie Treas