The upcoming NERC CIP-013 standard (Cyber Security – Supply Chain Risk Management) is important and long overdue for the Power and Utilities sector. Concerns about the supply chain have been growing throughout the world, with the US government and other countries barring organizations from engaging with vendors whose components have been tampered with, intercepted, or otherwise put at risk.
A standard like this gives organizations a structured way to understand the elements of their supply chain and to show that they are managing them properly. It comes down to a few basic questions:
- Who are you doing business with?
- Was the component you purchased manufactured up to standard?
- Has it been intercepted in some way?
There is risk at many levels in Utilities, and organizations often engage with small providers who may not meet the right security standards. A standard like NERC CIP-013 makes it clear that doing business with “two guys in a garage” is high risk unless the appropriate controls and processes are in place.
Safety is Everybody’s Business
In Utilities, there’s a saying that “Safety is everybody’s business”. At some level, cybersecurity is becoming part of everyone’s job too. This goes beyond phishing emails and targeted campaigns, which have been around for some time now. It is about involving supply chain buyers, who traditionally haven’t had a major role in cybersecurity. They are going to need to ask their vendors some questions to ensure their third-party relationships are secure, and be more actively involved than before.
This requires a new level of engagement from legal, corporate insurance, compliance and security, as well as the entire supply chain and the actual business stakeholders. A whole new level of communication has to become the norm.
Do more regulations have a positive impact?
It’s fair to say that new regulations are not exactly exciting, as nobody wants to be regulated and constantly audited. That said, more regulation and higher standards push the industry to do more, and therefore can have a positive impact on its security posture.
If it were up to each and every Utility to decide its own risk threshold, we would have a very different scenario, especially in small organizations with resource constraints, where third-party risk assessment, monitoring and mitigation isn’t usually a big priority. More importantly, a new standard forces everyone to pay attention to security and provides a structured approach.
NERC CIP-013 requires a documented supply chain cyber security risk management plan, evidence that the plan is actually implemented, and a periodic review of it (at least once every 15 calendar months). In practice, that means conducting thorough risk assessments and having a repeatable process to measure, document and track third-party risk. As we move forward, we are likely to see more regulations, so it’s important to have the right tools in place.
The ThirdPartyTrust platform can help Power and Utilities organizations build a process to communicate with their third parties in a timely fashion and get them to complete security questionnaires, instead of chasing them down via email or phone calls. With ThirdPartyTrust, you control who gets which questionnaire (full SIG or custom), what documentation is pending, which parts of the supply chain need more attention, and the overall health of the supply chain.
If you’re worried about compliance, the North American Transmission Forum (NATF) has issued guidelines and resources that can serve as a starting point. They’re not official, and they don’t guarantee NERC CIP-013 compliance, but they were developed by a consortium of Utilities, reviewed thoroughly by an even bigger consortium of Utilities, and validated against the standards.
Many organizations were probably ready to comply as of July 1st, 2020, which was the initial enforcement date for NERC CIP-013; many others will welcome the extra breathing room to prepare for the new date, October 1st, 2020. All of them are aware that this is auditable and that they can be questioned or fined about it.
To learn more about how ThirdPartyTrust can help you streamline your TPRM program and comply with industry standards, request your free trial now: