The clock is ticking for compliance with NERC’s cybersecurity supply chain risk management standard.
After a three-month delay because of the coronavirus pandemic, CIP-013-1 took effect on Oct. 1, starting the 18-month compliance period for balancing authorities, reliability coordinators, generator owners and operators, transmission owners and operators, and some distribution providers.
The standard, prompted by FERC Order 829 in 2016, requires those registered entities to implement supply chain risk management plans for high- and medium-impact bulk electric system cyber systems.
It also requires them to vet not just third-party suppliers, but also “fourth parties” — the suppliers’ suppliers — to identify any foreign ownership, Dario Lobozzo, Fortress Information Security’s global vice president for supply chain and vulnerability risk, told the Edison Electric Institute’s annual Financial Conference on Tuesday.
“How do you accomplish that? It requires a pretty broad set of assessments across all of your different vendors that you buy from as well as [individual] products,” Lobozzo said.
But he cautioned entities “not to boil the ocean” to achieve compliance.
“First you want to get a high-level idea of who’s risky, who’s not risky,” Lobozzo said. “From your 1,000- or 2,000-vendor portfolio, which 50 to 200 of them are really CIP-critical vendors and products that you need to move into the next phase?”
“Onboarding” vendors and performing risk assessments on them “can run a tremendous amount of man-hours, or it can be quite simple,” he said. “It really depends on how responsive the vendors are; how precise the [vendor] questionnaire is. And then you’ll need to map all of that and [transmit the results] to your security team, to your procurement team, to your third-party risk management team.”
If an issue is identified and a vendor promises to remediate it in 90 days, “you’ll need to call them back in 90 days and ask for proof of that remediation,” he continued.
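The vendor triage, questionnaire scoring and 90-day follow-up that Lobozzo describes can be run as a small tracker. The example below is added here and is not code from Fortress, A2V or any registered entity; the vendor names, questionnaire items, weights and tier thresholds are constructed for illustration, not taken from a published assessment.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed vendor records (hypothetical names). 'bes_impact' is the highest
# impact rating of the BES Cyber Systems the vendor's products or services touch.
@dataclass(frozen=True)
class Vendor:
    name: str
    bes_impact: str          # "high", "medium", "low" or "none"
    provides_software: bool  # delivers software/firmware to the environment
    remote_access: bool      # vendor-initiated remote access into the environment

# Questionnaire items with the risk weight added when the control is absent.
# Item names and weights are assumptions for this example, not a standard questionnaire.
QUESTIONNAIRE = {
    "mfa_enforced": 30,             # multifactor authentication for vendor staff
    "maps_to_standard": 20,         # security program mapped to a named standard
    "vuln_disclosure_process": 20,  # vendor notifies customers of product vulnerabilities
    "signed_releases": 20,          # software integrity/authenticity can be verified
    "incident_notification": 10,    # vendor notifies customers of incidents
}

@dataclass
class Finding:
    vendor: str
    control: str
    opened: date
    promised_days: int            # remediation window the vendor committed to
    proof_received: bool = False  # set once the vendor supplies evidence of the fix

    @property
    def due(self) -> date:
        return self.opened + timedelta(days=self.promised_days)

def triage(vendors):
    """Phase 1: from the whole portfolio keep only vendors touching high/medium impact systems."""
    return [v for v in vendors if v.bes_impact in ("high", "medium")]

def assess(vendor, answers, opened):
    """Phase 2: score questionnaire answers; open a finding for every missing control."""
    score, findings = 0, []
    for control, weight in QUESTIONNAIRE.items():
        if not answers.get(control, False):   # an unanswered item counts as missing
            score += weight
            findings.append(Finding(vendor.name, control, opened, promised_days=90))
    # A missing control weighs more when the vendor's access or deliverables depend on it.
    if vendor.remote_access and not answers.get("mfa_enforced", False):
        score += 20
    if vendor.provides_software and not answers.get("signed_releases", False):
        score += 20
    return score, findings

def tier(score):
    """Map a risk score to the tier handed to security, procurement and TPRM teams."""
    return "high" if score >= 60 else "medium" if score >= 30 else "low"

def overdue(findings, today):
    """Follow-up: findings whose promised remediation window elapsed without proof."""
    return [f for f in findings if not f.proof_received and today >= f.due]

# Constructed portfolio: two CIP-relevant vendors and one that is not.
PORTFOLIO = [
    Vendor("RelayWorks (constructed)", "high", provides_software=True, remote_access=True),
    Vendor("GridSoft (constructed)", "medium", provides_software=True, remote_access=False),
    Vendor("OfficeSupplyCo (constructed)", "none", provides_software=False, remote_access=False),
]

# Constructed questionnaire responses, keyed by vendor name.
ANSWERS = {
    "RelayWorks (constructed)": {"mfa_enforced": False, "maps_to_standard": True,
                                 "vuln_disclosure_process": True, "signed_releases": True,
                                 "incident_notification": True},
    "GridSoft (constructed)": {"mfa_enforced": True, "maps_to_standard": True,
                               "vuln_disclosure_process": True, "signed_releases": True,
                               "incident_notification": False},
}

def demo(today=date(2021, 1, 15)):
    """Run triage, assessment and follow-up over the constructed data; return a summary."""
    opened = date(2020, 10, 1)   # assessments opened the day CIP-013-1 took effect
    critical = triage(PORTFOLIO)
    tiers, all_findings = {}, []
    for v in critical:
        score, findings = assess(v, ANSWERS[v.name], opened)
        tiers[v.name] = tier(score)
        all_findings.extend(findings)
    # GridSoft sent proof for its one finding; RelayWorks has not.
    for f in all_findings:
        if f.vendor == "GridSoft (constructed)":
            f.proof_received = True
    return {
        "critical": [v.name for v in critical],
        "tiers": tiers,
        "overdue": [(f.vendor, f.control, f.due.isoformat()) for f in overdue(all_findings, today)],
    }

if __name__ == "__main__":
    print(demo())
```

The first phase deliberately drops everything that never touches a high- or medium-impact system, so the questionnaire effort is spent on the subset that matters; the follow-up function is what turns a vendor's "we will fix it in 90 days" into a dated obligation the team is reminded to check.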
In addition to responding to FERC’s directive, CIP-013-1 builds on President Trump’s May 1 Executive Order 13920 on “Securing the U.S. Bulk-Power System,” which prohibits use on the system of equipment that was designed, developed, manufactured or supplied by companies under the control or jurisdiction of U.S. foreign adversaries.
Asset owners with a service territory including military bases or other government facilities may also be subject to Section 889 of the fiscal year 2019 National Defense Authorization Act, which prohibits U.S. government agencies from entering into some contracts involving telecommunications equipment or services from Chinese entities, Lobozzo said.
Identifying foreign ownership, control or influence (FOCI) is “particularly onerous,” Lobozzo said, requiring identification of corporate families that may have acquired vendors and continuously monitoring each vendor for new foreign ownership.
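Tracing corporate families through vendors and their suppliers (the "fourth parties" mentioned earlier), then re-running the check on a fresh ownership snapshot, is mechanical once the registry data is in hand. The example below is added here and is not Fortress's or A2V's code; every entity name is constructed, and the jurisdiction code "XX" stands in for whatever list of jurisdictions the applicable order or statute designates, which this example does not attempt to reproduce.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Entity:
    name: str
    jurisdiction: str               # country code of incorporation
    parent: Optional[str] = None    # name of the controlling owner, if any

def ultimate_parent(registry: Dict[str, Entity], name: str) -> Entity:
    """Walk the ownership chain to the top-level owner, refusing cyclic registry data."""
    seen = set()
    while registry[name].parent is not None:
        if name in seen:
            raise ValueError(f"ownership cycle at {name}")
        seen.add(name)
        name = registry[name].parent
    return registry[name]

def foci_review(registry, supply_chain, vendors, listed_jurisdictions):
    """For each vendor, flag the vendor itself and each of its suppliers (fourth parties)
    whose ultimate parent is incorporated in a listed jurisdiction.
    Returns {vendor: [(flagged_entity, ultimate_parent_name), ...]}."""
    flags = {}
    for vendor in vendors:
        hits = []
        for entity in [vendor, *supply_chain.get(vendor, [])]:
            top = ultimate_parent(registry, entity)
            if top.jurisdiction in listed_jurisdictions:
                hits.append((entity, top.name))
        flags[vendor] = hits
    return flags

def newly_flagged(previous, current) -> List[tuple]:
    """Continuous monitoring: (vendor, entity) pairs flagged now but not in the last review."""
    prev = {(v, e) for v, hits in previous.items() for e, _ in hits}
    cur = {(v, e) for v, hits in current.items() for e, _ in hits}
    return sorted(cur - prev)

# Constructed 2020 ownership registry and supply relationships.
REGISTRY_2020 = {e.name: e for e in [
    Entity("RelayWorks (constructed)", "US"),
    Entity("GridSoft (constructed)", "US"),
    Entity("FirmwareHouse (constructed)", "DE"),
    Entity("ChipCo (constructed)", "US", parent="HoldCo Alpha (constructed)"),
    Entity("HoldCo Alpha (constructed)", "XX"),   # "XX" = placeholder listed jurisdiction
]}
SUPPLY_CHAIN = {   # vendor -> its suppliers (the utility's fourth parties)
    "RelayWorks (constructed)": ["ChipCo (constructed)", "FirmwareHouse (constructed)"],
    "GridSoft (constructed)": ["FirmwareHouse (constructed)"],
}
VENDORS = ["RelayWorks (constructed)", "GridSoft (constructed)"]
LISTED = {"XX"}

def demo():
    """Review the 2020 snapshot, then a 2021 snapshot in which GridSoft was acquired."""
    review_2020 = foci_review(REGISTRY_2020, SUPPLY_CHAIN, VENDORS, LISTED)
    registry_2021 = {**REGISTRY_2020,
                     "GridSoft (constructed)": Entity("GridSoft (constructed)", "US",
                                                      parent="HoldCo Alpha (constructed)")}
    review_2021 = foci_review(registry_2021, SUPPLY_CHAIN, VENDORS, LISTED)
    return review_2020, review_2021, newly_flagged(review_2020, review_2021)

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The first review catches the indirect case (a chip supplier two hops away whose parent sits in a listed jurisdiction); the second catches a vendor that was clean last year and has since been acquired, which is exactly the change a one-time assessment would miss.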
The need for a centralized repository for all that information is what led Fortress to team with American Electric Power in 2019 to create the Asset to Vendor Network (A2V), which Southern Co. joined in June. Hitachi ABB joined in August. (See Hitachi ABB Joins Supply Chain Security Network.)
By taking a “community approach” to compliance, in which members of the network share their assessments with others, the sponsors say they can improve compliance and reduce compliance costs. Assessments are shared at 50% of the original development cost, with contributors earning royalties that allow them to recover a share of their compliance costs.
“Utilities have a long history of working together to overcome challenges and securing our mutual supply chain through A2V is just the latest example,” Tom Wilson, Southern’s chief information security officer, said in a statement when the company joined the network. “A2V offers the opportunity for companies to collaborate and help share expertise and best practices.”
A2V, which has assessed about 350 vendors and products to date, can complete an assessment within three days, compared with three to six weeks under traditional assessments, Lobozzo said.
Fortress polled 150 vendors and found virtually all of them had some kind of security program in place, “which sounds great on the surface, but then when we dove a little bit deeper, we ended up finding that only about 15 to 30% of them actually had a security program that mapped back to a particular standard or that included common best security practices, like multifactor authentication,” Lobozzo said.
Like prior CIP standards, CIP-013-1 is purposely vague, he said. “They’re really designed to help you as an organization implement some forward-thinking,” he said. It is “not prescriptive as to what you need to do but is prescriptive on what you need to accomplish with your actions.”
“If you read between the lines, it’s clear to me that products are a component that could potentially add a risk to the BES,” he said. “As someone who might be audited, you should be concerned that they might point at a particular product, not just a vendor — and say this particular product is exhibiting vulnerabilities that are now known.”