New cybersecurity controls for vendor access to low impact NERC CIP assets
FERC has approved new cybersecurity standards to improve risk management practices and supply chain risk management for low impact assets. The new standards, designated CIP-003-9, require utilities to establish and maintain a documented supply chain cyber risk management plan and implement vendor-focused cybersecurity protections for their low impact BES Cyber Systems.
What Happened?
On March 16, the Federal Energy Regulatory Commission (FERC) approved the latest revision in its ongoing effort to strengthen the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards. This was in response to NERC’s 2019 Supply Chain Risk Assessment study, in which NERC staff recommended “modification of the Supply Chain Standards to include low impact Bulk Electric System (BES) Cyber Systems with remote electronic access connectivity.”
The FERC order approved the proposed CIP-003-9, along with all of the accompanying parts including the implementation plan, violation severity levels, violation risk factors and retirement of the previous CIP-003-8 version of the standard.
Much of the communication surrounding these changes was branded as “supply chain” security enhancements. Those following the NERC CIP updates may notice that this was not an update to the supply chain security standard CIP-013. Nor was it a change to CIP-005, whose vendor remote access language almost exactly matches what was approved. Neither CIP-013 nor CIP-005 applies to low impact BES Cyber Systems, so the change was made to CIP-003, the standard where all of the low impact requirements are maintained.
What’s New?
The changes center on vendor electronic remote access to low impact BES Cyber Systems (the supply chain risk management angle) and add controls that give utilities (responsible entities) more visibility into threats, through the following:
requiring responsible entities to include the topic of "vendor electronic remote access security controls" in their cyber security policies (new R1.2.6);
requiring responsible entities with assets containing low impact BES Cyber Systems to have methods for determining and disabling vendor electronic remote access (new Attachment 1, Section 6); and
requiring responsible entities with assets containing low impact BES Cyber Systems to have methods for detecting malicious communications for vendor electronic remote access (new Attachment 1, Section 6).
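The standard names the outcomes (determine, disable, detect) but not how to achieve them. The script below is an added illustration, not part of the original post and not prescribed by CIP-003-9, of what a minimal implementation at a vendor-access gateway could look like: it parses a constructed session log, lists the vendor sessions that are currently active, checks each against an invented per-vendor approval (source network, permitted target hosts, maintenance window, outbound byte ceiling), and returns the sessions that should be disabled together with the reason. All vendor names, addresses, hosts and thresholds are constructed for the example.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed approvals for one low-impact site (every value is invented).
# Each vendor gets a source network it may connect from, the hosts it may
# reach, an approved maintenance window (UTC hours, start inclusive, end
# exclusive) and a per-session outbound byte ceiling.
APPROVALS = {
    "relayco": {
        "source": ipaddress.ip_network("203.0.113.0/24"),
        "hosts": {"rtu-01", "rtu-02"},
        "window": (8, 17),
        "max_bytes": 50_000_000,
    },
    "hmi-support": {
        "source": ipaddress.ip_network("198.51.100.0/24"),
        "hosts": {"hmi-01"},
        "window": (6, 20),
        "max_bytes": 5_000_000,
    },
}

# Constructed session export from a vendor-access gateway, one row per
# session (format invented for this example).
SESSION_LOG = """\
start,vendor,src_ip,dst_host,state,bytes_out
2024-01-08T09:12:00,relayco,203.0.113.10,rtu-01,closed,120000
2024-01-08T10:05:00,relayco,203.0.113.11,rtu-02,active,4100000
2024-01-08T02:40:00,relayco,203.0.113.12,rtu-01,active,900000
2024-01-08T11:20:00,hmi-support,198.51.100.7,hmi-01,active,72000000
2024-01-08T11:30:00,hmi-support,192.0.2.44,hmi-01,active,10000
2024-01-08T12:00:00,relayco,203.0.113.13,eng-ws-05,active,3000
2024-01-08T12:10:00,gridtools,203.0.113.50,rtu-02,active,2000
"""


@dataclass(frozen=True)
class Session:
    start: datetime
    vendor: str
    src_ip: str
    dst_host: str
    state: str
    bytes_out: int


def parse_sessions(text: str) -> List[Session]:
    """Parse the gateway export into Session records."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Session(datetime.fromisoformat(r["start"]), r["vendor"], r["src_ip"],
                r["dst_host"], r["state"], int(r["bytes_out"]))
        for r in rows
    ]


def active_sessions(sessions: List[Session]) -> List[Session]:
    """'Determine' step: which vendor sessions are open right now."""
    return [s for s in sessions if s.state == "active"]


def findings(s: Session) -> List[str]:
    """'Detect' step: reasons a session looks unapproved or malicious."""
    approval = APPROVALS.get(s.vendor)
    if approval is None:
        return ["vendor not on approved list"]
    out = []
    if ipaddress.ip_address(s.src_ip) not in approval["source"]:
        out.append("source outside vendor's approved network")
    if s.dst_host not in approval["hosts"]:
        out.append("target host not approved for this vendor")
    lo, hi = approval["window"]
    if not lo <= s.start.hour < hi:
        out.append("started outside maintenance window")
    if s.bytes_out > approval["max_bytes"]:
        out.append("outbound volume above ceiling")
    return out


def review(text: str) -> Dict[str, List[str]]:
    """Map each active session (keyed by source IP) to its findings."""
    return {s.src_ip: findings(s) for s in active_sessions(parse_sessions(text))}


def to_disable(text: str) -> List[str]:
    """'Disable' step: source IPs whose sessions should be torn down."""
    return sorted(ip for ip, reasons in review(text).items() if reasons)


if __name__ == "__main__":
    for ip, reasons in review(SESSION_LOG).items():
        print(ip, "KEEP" if not reasons else "DISABLE: " + "; ".join(reasons))
```

In a real deployment the session export would come from the VPN concentrator or jump host and the disable step would call its API or push a firewall rule; the point here is that each of the three required methods maps to a concrete, auditable check whose output can be retained as compliance evidence.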
Interestingly timed (released just under a week later), additional guidance was issued by the Supply Chain Working Group (SCWG) and the Real Time Operating Subcommittee (RTOS), which feels only tangentially related to the subject:
Why the new requirements?
“The vast majority of BES assets today are considered low-impact and that number is only expected to grow,” Chairman Phillips said. “To not protect these BES assets against one of the most frequent attack scenarios – supply chain – would be a big mistake.”
The new standard is essentially FERC’s agreement with the 2019 NERC study, which recognized that low-impact assets may serve as a path for attacks on other assets, or even aid adversary reconnaissance, wherever comprehensive security is not applied across the full spectrum of the responsible entity's covered operations and supporting supply chain.
The 2019 study also highlighted that most low-impact BES assets are owned and/or operated by organizations that also have higher-impact assets. However, the low-impact assets often do not receive the same protections, especially where they use separate vendors. Further, the study concluded that a coordinated attack on multiple low-impact assets with remote electronic access connectivity could result in an event with interconnection-wide impact on the BES.
“NERC states that assets associated with low impact BES Cyber Systems pose a lower risk to the bulk electric system if compromised than assets associated with medium or high impact BES Cyber Systems. However, NERC observed that there is the potential for a greater impact if multiple low impact assets are simultaneously compromised through remote access or if a medium or high impact asset is accessed through a low impact asset.”
When do you need to comply?
The new Reliability Standard CIP-003-9 becomes effective on the first day of the first calendar quarter that is 36 months after FERC approval.
What should you do next?
First, there is a very large number of low-impact BES Cyber Systems out there. With everyone in the industry moving at the same time, expect delays given high demand and probable supply chain constraints (hardware and services in particular). Utilities will need time to plan for, procure and install equipment. New network designs or architectures may even be needed, depending on where you are now. But don’t think that you have time to spare; start now.
The new standard will probably require revisions to contracts with vendors and third parties. Updates to cybersecurity controls for service providers that were previously outside the scope of NERC CIP requirements, because they did not touch medium- or high-impact BES assets, will also be needed.
Finally, policies, procedures, and evidence capture will need to be updated for the upcoming Compliance Monitoring and Enforcement Program (CMEP, read: audit) activities. This may draw on parts of the organization already running similar medium- or high-impact program efforts. You will want to be compliant ahead of the deadline so that there is time to confirm your controls are working as expected.
See Ampere’s upcoming webinar on this topic on April 6th at 10:00am Pacific.