The North American Electric Reliability Corporation (NERC) recently petitioned the Federal Energy Regulatory Commission (FERC) to approve its proposed “Reliability Standards” addressing cybersecurity risks in critical infrastructure protection (CIP) supply chains. In a LawFlash from October 5, Morgan Lewis partner J. Daniel Skees provides detailed background and analysis on the proposed Reliability Standards.
If the proposed Reliability Standards are approved, “Registered Entities” would be required to develop a plan to mitigate cybersecurity vulnerabilities posed by products and services in the procurement process. The resulting impact would likely be felt by vendors providing IT equipment or related services to electric utilities, as electric utilities would need to account for these standards in their contracting processes.
NERC’s proposal includes new Reliability Standard CIP-013-1 (Supply Chain Risk Management) and modifications to CIP-005-5 (Vendor Remote Access) and CIP-010-2 (Software Integrity and Authenticity). The Standards describe certain risk mitigation concepts that utilities should build into their processes, such as:
- identifying and assessing cybersecurity risks posed by products and services to the Bulk Electric System (BES);
- requiring vendors to notify the utility of security events, and coordinating incident response activities with the events the vendor identifies;
- requiring vendors to give notice when vendor personnel who hold remote or onsite access to the utility’s systems are terminated;
- coordinating remote access controls with vendors and requiring vendors to disclose vulnerabilities;
- verifying the integrity and authenticity of software and patches to be used in the BES cyber system; and
- performing periodic reassessments of risk mitigation processes.
Mr. Skees points out in his LawFlash that the new CIP-013-1 “does not require any specific controls or contract requirements.” Instead, it is “process” focused and would obligate Registered Entities to “establish and implement organizationally defined processes that integrate a cybersecurity risk management framework.” As NERC explained, while it expects Registered Entities to incorporate the above risk mitigation and management concepts into their procurement processes, failing to obtain a specific contract provision for any one concept would not automatically result in a violation. Compliance with the standard is intended to be flexible, so a Registered Entity that implements its processes “in good faith” is likely to be compliant. More specifically, compliance would be evaluated based on the Registered Entity’s assessment of the risks and the steps taken to mitigate them, including whether appropriate security provisions were negotiated in vendor contracts.
The LawFlash contains further information and analysis on the proposed new CIP-013-1 and modifications to CIP-005-5 and CIP-010-2.