Energy & Utilities, Optimize Technology
05/27/2021
by Wayne Tung
Stolen identity. Compromised SSNs. Missing money. Hijacked accounts. Viruses. Malware.
Unfortunately, we hear about cyber security attacks every day in the news, and they impact all of us. These attacks have become more sophisticated with terrorists, state-sponsored hackers, and other bad people looking to hack into the electricity grid to disrupt the flow of power to American homes and businesses.
To counteract and prevent such attacks, the North American Electric Reliability Corporation, or NERC, has introduced a new requirement known as CIP-013-1 (Critical Infrastructure Protection) to help electric utility organizations protect against cyber attacks. These requirements became effective October 1, 2020. All electric utility organizations must assess their third-party suppliers that provide products and services for critical electric assets (known as bulk electric systems) and work to include specific cyber security terms and conditions in contracts with such suppliers.
In summary, CIP-013-1 states the supplier must have:
To comply with CIP-013-1, electric utilities should consider the following points:
1. Develop and use a cyber security questionnaire for impacted third-party suppliers. The questionnaire should require details on key physical and cyber security practices in the areas of Threat and Vulnerability Management, Security Incident Management and Forensics, Infrastructure Security, Identity and Access Management, Procedures and Training, Privacy, Governance, Data Encryption, Data Security, and Audit Assurance.
2. Review responses to the questionnaire to assess the cyber security risk of the suppliers. Utility companies should have a defined process for reviewing responses and criteria for which security measure responses are acceptable and which are not. Utility companies should have contingency plans if a third-party supplier does not meet the required security requirements. It's best to have multiple, viable third-party suppliers to consider and to minimize sole sourcing.
3. Create standard cyber security contract language and make it a requirement for supplier contracts. These cyber security contract provisions need to be created jointly with legal, compliance, and cyber security teams to ensure the right cyber security standards are documented. Utility companies with existing, well-defined security requirements that meet CIP-013-1 standards can simply add them to contracts.
4. Assign ownership of CIP-013-1 compliance to a person or team to develop and assess questionnaires, ensure supplier compliance, and manage the ongoing cyber security compliance processes. Security standards and requirements are constantly evolving to better protect against new forms of attack, so ongoing changes and improvements are critical.
Remember, compliance with CIP-013-1 is effective now. Be aware of potential cyber security attacks and be safe!