On October 1st, 2020 the NERC CIP-013-1 cybersecurity supply chain risk management standard comes into effect; the date was recently moved back from July 1st. Power and utility (P&U) companies will then have 18 months to demonstrate compliance, including increased monitoring of and oversight over their global supply chains. Failure to do so can result in fines of up to $1M per day.
Energy organizations should now focus on addressing specific third-party cybersecurity risks, such as the insertion of counterfeit components into cyber assets, vendor remote access vulnerabilities and insecure vendor development practices. This blog looks at some key points of the standard and how TPRM technology can help ensure supply chain compliance.
CIP-013-1 is a new standard in the Critical Infrastructure Protection (CIP) family, a set of regulatory requirements “to mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES)”. Because the threat landscape keeps changing, these standards are periodically updated and extended in scope.
The new standard was issued by the North American Electric Reliability Corporation (NERC) and approved by the Federal Energy Regulatory Commission (FERC) in Order No. 850 on October 18, 2018.
Electric power and utilities organizations will now have to comply with new requirements in order to improve security against an increasing number of attacks that target supply chains, particularly those involving third-party providers. The new standards will help utility companies protect bulk electric systems by limiting their exposure to malware, tampering, and other cyber risks that can originate with third-party relationships.
The CIP standard carries severe penalties for noncompliance. In fact, the NERC can penalize registered entities up to $1 million per day per outstanding violation.
It’s important to understand that third parties themselves will also need to familiarize themselves with CIP-013-1 in order to preserve their business relationships with P&U companies.
You could start by determining ownership of CIP-013-1 within your organization and kick off the dialogue with key stakeholders and suppliers on the impact of the regulation. As with other compliance and strategic projects, the key is communication. And then comes technology.
Electric utilities and other responsible entities need the right tools to not only identify these risks in their supply chain, but also determine the right approach to respond. Our ThirdPartyTrust platform automates third-party risk management throughout the global supply chain, applying comprehensive due diligence and ongoing monitoring to all third-parties and the various geo-political climates in which they operate.
This is especially important in the context of NERC CIP-013-1 because, while internal controls like firewalls and threat detection are important, they don’t always protect the organization from attacks that begin in the systems of third-parties. For this reason, a new focus on assessing, monitoring, and improving the cybersecurity of critical third-parties is required.
By leveraging the security profiles of 8,000+ third-parties already assessed in our network, organizations can speed up assessments and open threads for immediate response. This allows for custom streamlined assessments to ensure both internal policy and industry regulation compliance, such as CIP-013-1.
At ThirdPartyTrust, we offer a reliable third-party risk management (TPRM) system that automates the capture and tracking of vendor security issues and of gaps against FERC and NERC requirements.
To learn more about how ThirdPartyTrust can help you streamline your TPRM program and comply with industry standards, request your free trial now.