ICS/IoT Upgrade Management Regulatory Requirements Supply Chain Management

3 Month Reprieve for Utilities on Cybersecurity Supply Chain Standards

By Eric Byres on April, 21 2020

Back

Earlier this month, as the coronavirus accelerated its alarming sprint across North America, NERC requested that FERC defer a number of looming deadlines for Reliability Standards. For the cybersecurity-related standards (CIP-005-6, CIP-010-3, and CIP-013-1), NERC requested a 3-month delay to “help ensure grid reliability amid the impacts posed by the coronavirus outbreak, a public health emergency that is unprecedented in modern times.”

It certainly sounds like a sensible proposal, and last Friday FERC granted the request, stating it was “... reasonable to provide them additional flexibility to properly allocate resources to address the impacts of COVID-19.” The “them” in this case are the utilities involved in the operation of our electric power grid.

We have a particular interest in the CIP-013-1 standard that focuses on supply chain risk management. It’s kind of our bread and butter here at aDolus. In fact, we delivered a training session to a great group at the last NERC CIPC meeting in early March on how to use our FACT platform to help with CIP-013 compliance without introducing onerous internal processes. (Back in the day, when people could actually sit within 6 feet of each other.)

While the need for these standards is overwhelming, I think we can all agree that the current COVID-19 emergency is an unprecedented, added strain on the operators of the electric grid. In their joint news release, FERC and NERC note the goal of helping utilities to “...focus their resources on keeping people safe and the lights on during this unprecedented public health emergency” and they specifically recognize the need to “focus on keeping their own people safe.”

I can only imagine the additional steps and processes each utility is having to develop and implement — practically overnight. Keeping their workforce adequately distanced and protected, disinfecting control equipment, vehicles, and entire substations… the list goes on. The necessary precautions will take immense planning and effort. These aren’t the kinds of jobs you can do from home and keeping this particular workforce safe, healthy, and focused is critical.

We can wait a few months to comply with the upcoming CIP standards.

Here’s a list of the cybersecurity-specific standards that have been delayed (courtesy of John Hoffman at NERC):

CIP-005-6 – Cyber Security – Electronic Security Perimeter(s)	delayed to October 1, 2020
CIP-010-3 – Cyber Security – Configuration Change Management and Vulnerability Assessments	delayed to October 1, 2020
CIP-013-1 – Cyber Security – Supply Chain Risk Management	delayed to October 1, 2020

You can read the full order here.

Stay safe and wash your hands!

Eric Byres

Eric is widely recognized as one of the world’s leading experts in the field of OT, IT and IoT software supply chain security. He is the inventor of the Tofino Security technology – the most widely deployed OT-specific firewall in the world. When not setting the product vision, or speaking at a conference, Eric can be found cranking away on his gravel bike.