Entities with industrial management programs (ICS) related to bulk electrical system (BES) operations should develop and implement plans that embrace safety controls for provide chain administration, the Federal Energy Regulatory Commission (FERC) ordered in a ultimate rule that formally adopts three new vital infrastructure safety (CIP) reliability requirements.
FERC on October 18 issued Order No. 850, approving CIP-013-1 (Cyber Security—Supply Chain Risk Management), CIP-005-6 (Cyber Security—Electronic Security Perimeters), and CIP-010-Three (Cyber Security—Configuration Change Management and Vulnerability Assessments). The new provide chain danger administration reliability requirements had been proposed by the North American Reliability Corp. (NERC) in response to FERC’s July 2016-issued Order No. 829. NERC will implement the requirements.
Though the worldwide provide chain provides important advantages to clients—together with low price, interoperability, fast innovation, and product and have selection—it additionally creates “alternatives for adversaries to straight or not directly have an effect on the administration of operations of firms with potential dangers to finish customers,” FERC mentioned in its order.
Supply chain dangers embrace insertion of counterfeits or malicious software program, unauthorized manufacturing, tampering, or theft, in addition to poor manufacturing and improvement practices.
The new CIP requirements concentrate on 4 safety aims: (1) software program integrity and authenticity; (2) vendor distant entry protections; (Three) info system planning; and (four) vendor danger administration and procurement controls.
CIP-013-1 seeks to deal with dangers related to info system planning, in addition to vendor danger administration and procurement controls. However, entities that have already got contracts—or are in the course of procurement actions—for vendor services or products earlier than the efficient date of the reliability commonplace is not going to must adjust to the usual.
CIP-005-6 contains two new elements (2.four and a pair of.5) to supply extra consciousness of energetic vendor distant entry periods. The commonplace would require a number of strategies for figuring out and disabling energetic vendor distant entry periods, together with interactive distant entry and system-to-system distant entry.
CIP-010-Three is designed to make sure that software program being put in within the BES cyber system will not be modified with out consciousness of software program suppliers and isn’t counterfeit. The newly added Part 1.6, particularly, would require entities to confirm software program integrity and authenticity earlier than putting in software program that adjustments established baseline configurations.
Among different issues, it’s going to additionally require entities with BES cyber property—services, programs, or gear which may have an effect on dependable operations of the BES if destroyed or rendered unavailable—to develop and implement plans that embrace safety controls for provide chain administration for ICS , software program, and companies related to BES operations.
The documented provide chain cybersecurity danger administration plans ought to deal with six safety ideas: (1) vendor safety occasion notification; (2) coordinated incident response; (Three) vendor personnel termination notification; (four) product/companies vulnerability disclosures; (5) verification of software program integrity and authenticity; and (6) coordination of vendor distant entry controls.
Compliance Timeline and Costs
Entities should implement plans inside 18 months following the efficient date of FERC’s order—a interval that’s for much longer than the 12 months initially proposed in FERC’s 2015-issued discover of proposed rulemaking related to the ultimate rule. FERC mentioned it elevated the implementation interval owing to stakeholder issues. Several commenters clarified that technical upgrades have been probably needed to fulfill the CIP requirements’ safety aims, which they famous may contain longer…