Implementing the supply chain security requirements in NERC’s CIP-013-1 reliability standard has required an unexpected level of outreach across the industry, cybersecurity specialists at several utilities said in a webinar hosted by SERC Reliability on Tuesday.
CIP-013-1, the first NERC security requirements for bulk electric system cyber systems, took effect in October 2020. The new requirements received considerable industry attention in the lead-up to their release, with Chuck Abell, the supervising engineer of technical support for transmission operations at Ameren, calling the standard “the most publicized, socialized CIP [Critical Infrastructure Protection] standard so far.”
Participating in an industry panel during SERC’s “The Scoop on Supply Chain” webinar, Abell observed that implementation was more complicated than with most of NERC’s standards because CIP-013-1 applies to utilities’ processes for sourcing and acquiring new equipment. This requires the participation of significantly larger numbers of people internally than is normally the case, which has spurred a variety of approaches from utilities.
“There’s a lot of different players who get involved with CIP-013 that don’t get involved with the other standards. It’s not just cybersecurity and compliance; it’s sourcing, it’s legal, it’s contract administration,” Abell said. He added that utilities have even begun to include vendors in the process, in hopes of ensuring their equipment is built to the standard’s specifications.
“Last year we sent about 250 people through [our annual supply chain security training], and that was not just internal [staff], but also vendors that do similar contract prep for us,” he said.
Tony Hall, the manager of LG&E and KU’s CIP program and moderator of the panel discussion, agreed with Abell on the importance both of including vendors in the CIP-013-1 compliance process and of coordinating a utility’s internal response to the standard. Instituting a supply chain security standard turned out to be a much bigger job than anyone at his utility expected, he said.
“We found out at LG&E that we [didn’t have just] one department that was responsible for procurement, but we actually had three. They were trying to cross-functionally work together, but they were separate departments,” he said. “So having a cross-functional team develop our program is probably one of the best things that we did.”
Tony Eddleman, director of NERC reliability compliance at the Nebraska Public Power District (NPPD), said his company has implemented a yearly independent risk assessment for components that are subject to the standard, along with the vendors that supply them. The assessment looks for any vulnerabilities that have been announced for the component and any negative news about the supplier, the discovery of which could spur further review and mitigation activities.
Along with his colleagues, Eddleman emphasized that NPPD considers its CIP-013 compliance process a work in progress, with a complete solution likely to remain out of reach.
“I think supply chain [security] is a journey,” he said. “There’s always things that we can learn, that we can tweak, [to] make our processes better.”