Texas RE Warns Utilities Not to Wait on CIP Compliance
New Requirements a ‘Big Lift’ for Entities
Staff from Texas RE warned utilities not to wait on setting up a plan for compliance with NERC's new critical infrastructure protection standards.

With NERC’s newest critical infrastructure protection (CIP) reliability standards set to take effect later this year, staff at the Texas Reliability Entity (Texas RE) on Thursday warned that utilities should already have a plan in place for implementing the standards’ new cyber supply chain security requirements.

FERC approved the three standards in March 2021 after they were developed as part of Project 2019-03 (Cybersecurity supply chain risks). (See FERC OKs Updated Supply Chain Standards.) The following standards were affected:

  • CIP-005-7: Cybersecurity — Electronic security perimeter(s)
  • CIP-010-4: Cybersecurity — Configuration change management and vulnerability assessments
  • CIP-013-2: Cybersecurity — Supply chain risk management

The biggest change from the currently effective standards — CIP-005-6, CIP-010-3 and CIP-013-1 — is the inclusion of electronic access control or monitoring systems (EACMS) and physical access control systems (PACS). FERC ordered the EACMS revisions when it approved the previous standards in 2018, and NERC subsequently added PACS to the project’s scope. (See FERC Finalizes Supply Chain Standards.)

In a webinar on the new standards, Kenath Carver, Texas RE’s director of cybersecurity outreach and CIP compliance, noted that they represent a minimum with which some entities are already compliant, either because they proactively implemented the EACMS and PACS requirements when the standards were approved or because they have always considered these systems vulnerable and had taken precautions independently of the CIP standards. But he warned listeners who haven’t yet taken the necessary steps not to wait.

“For some of you, we’ve seen in our small group advisory sessions or in our one-on-one sessions, that folks have [applied] the supply chain requirements to some of these things, even though the effective date is not here yet. For others, maybe you haven’t,” Carver said. “So this is going to be a pretty big lift because this is a lot more applicable cyber assets that you now have to worry about.”

Carver reminded attendees that both EACMS and PACS “by their nature … are an attack vector” because they grant direct access to a utility’s control systems, through which a malicious actor could potentially carry out a disruption to service. He also pointed out that the standards intentionally cast a “very broad web,” leaving the definitions of pertinent assets intentionally vague in order to ensure they are applied widely and have as large an effect as possible.

As an example of the standards’ wide applicability, Carver observed that under CIP-005-7’s new supply chain requirement a utility must “implement one or more documented practices” for determining whether a vendor’s attempt to connect to its systems remotely is authentic, and to terminate such connections and control their ability to reconnect. This might not sound like a big ask, but utilities may soon need to be able to provide such documentation for potentially hundreds of interactions per day from multiple vendors.

“If you have what you feel is authenticated vendor-initiated remote connection … you really have to be able to explain your definition and how that meets the security objective of this piece here, especially if a vendor is somehow connecting to a PACS or EACMS,” he said.

The standards will take effect Oct. 1.
