How to Prepare for a NERC CIP-013-1 Audit for Supply Chain Security

The North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) standard (CIP-013-1) establishes new cybersecurity requirements for electric power and utility companies to ensure, preserve, and prolong the reliability of the bulk electric system (BES). Enforceable starting on July 1, 2020, responsible entities have 18 months to comply in order to avoid penalties. NERC is authorized to penalize registered entities up to $1 million per day per outstanding violation.

Third-party risk management plays a pivotal role in ensuring supply chain security through the regular assessment of supply chain partners’ internal security controls and the ongoing monitoring of vendor risks in real time. Taken together, this inside-out, outside-in view provides more complete visibility in supply chain risks.

This blog reviews the requirements in CIP-013-1 and maps capabilities available in the Prevalent Third-Party Risk Management platform to these requirements.

Meeting NERC CIP-013-1 Requirements

This blog focuses on the core requirements for CIP-013-1 compliance, specifically in the areas of cybersecurity notifications; asset, change and configuration management; and governance. Each of these areas is easily assessed using capabilities available in the Prevalent platform.

NERC CIP-013 Cyber Security Criteria

At a minimum, entities assess whether their vendor(s) can meet basic security criteria:

1.2.1 Notification/Recognition of Cyber Security Incidents

Vendors need to be able to identify when an incident occurred to ensure that the vendor can notify the entity in the case of such an incident. Prevalent enables responsible entities to regularly assess their vendors’ incident response plans, requiring upload of plans to the platform for validation. With this level of review, entities have visibility into how a supply chain partner would respond to a breach or cyber incident. Monitoring and scoring tools along cannot provide this level of internal controls or process visibility, however these tools can complement assessments to trigger on public disclosure of an incident.

1.2.2 Coordination of Responses to Cyber Security Incidents

Vendors should coordinate with the entity their responses to incidents related to the products or services provided to the entity that pose cyber security risk to the entity. Prevalent provides a central platform for the review of evidence supporting incident response and communications plans, with the flexibility to build custom workflow, tasks and escalation paths to enable rapid response.

1.2.3 Notification when Remote or Onsite Access is No Longer Needed or Should No Longer be Available to Vendor Representatives

Vendors should respond accordingly to personnel changes. A vendor should be able to tell the entity when a personnel change occurs that could impact whether or not remote access should still be available to vendor representatives. The Prevalent platform includes a custom survey creation wizard that enables organizations to create and issue a customizable survey for off-boarding asking specific questions of the vendor and internal team regarding system access, data destruction, and final payments, with built-in workflows to ensure that the separation process is seamless.

1.2.4 Vulnerability Identification Vendors are to notify an entity when a vulnerability related to a product or service is identified

In order to meet this obligation, a vendor needs to know when a vulnerability exists in their environment. The Prevalent platform offers evidence and process validation that such policies exist, requiring the supply chain partner to provide such evidence. Built-in continuous monitoring capabilities complement assessments by performing external vulnerability scanning for web facing service interfaces, with results integrated into a single risk register.

1.2.5. Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System

The Prevalent platform includes more than 50 built-in industry standard questionnaires (such as those for CIP, NIST, ISO and others), many of which ask specific questions around patching cadence and software integrity checks for internal systems. Answers to these questions are escalated into risks if proper patching thresholds are not met, informing responsible entities of potential risks.

1.2.6 Coordination of Controls for Vendor-Initiated Interactive Remote Access and System-to-System Remote Access with a Vendor

Vendors must coordinate with entities to control vendor-initiated interactive remote access and ensure system-to-system remote access with a vendor is appropriately managed. The Prevalent platform offers evidence and process validation that such policies exist, requiring the supply chain partner to provide such evidence.

NERC Asset, Change, and Configuration Management Requirements

As an entity performs a risk assessment and considers risk exposure of products or services to be procured in its environment, additional cyber security controls may be necessary to protect the entity’s operating environment. An entity may consider obtaining and evaluating additional information regarding the vendor’s capabilities with respect to the following security areas.

Asset, Change, & Configuration Management Inventory of Authorized & Unauthorized Devices & Change Control and Configuration Management Considerations

The Prevalent platform offers evidence and process validation that such policies exist, requiring the supply chain partner to provide such evidence. The platform also quantifies vendor risks, offers prescriptive remediation guidance, tracks tasks and automates workflows to drive adherence to policy and best practices.

• Physical devices and systems within the organization are inventoried
• Software platforms and applications within the organization are inventoried
• Organizational communication and data flows are mapped
• External information systems are catalogued
• Uses a recognized framework for its information technology processes (e.g., ITIL)
• Includes security in its system development life cycle
• Has a mature change-control process
• Maintains separate development and production environments
• Maintains separate environments for different customers
• Has mechanism for software integrity (e.g., PKI with encryption, digital signature)
• Product allows for hardening to minimize attack surface
• Processes to identify, discover, inventory, classify, and manage information assets (hardware and software
• Processes to detect unauthorized changes to software and configuration parameters
• Able to identify whether hardware, software, or components are U.S. and/or internationally sourced

NERC Governance Requirements

As an entity performs a risk assessment and considers risk exposure of products or services to be procured in its environment, additional cyber security controls may be necessary to protect the entity’s operating environment. An entity may consider obtaining and evaluating additional information regarding the vendor’s capabilities with respect to the following security areas.

Establish and Implement Security Awareness Program; Logging and Monitoring Considerations; & Information Protection Considerations

The Prevalent platform offers evidence and process validation that such policies exist, requiring the supply chain partner to provide such evidence. The platform also quantifies vendor risks, offers prescriptive remediation guidance, tracks tasks and automates workflows to drive adherence to policy and best practices.

• Documented and implemented security policy and procedures
• All users are informed and trained on cybersecurity policies and procedures
• Third-party stakeholders understand roles and responsibilities and are accountable to same requirements
• Senior executives understand roles and responsibilities
• Physical and information security personnel understand roles and responsibilities
• Ability to provide ongoing support for software and hardware
• Personnel background checks
• Ability to retain data for events such as litigation holds, cyber security incidents
• Has sufficient segregation of duties to ensure logging and monitoring are effective to detect anomalies
• Supplier location of data centers (U.S./Canada-based vs international)
• Maintains a program to perform continuous logging, monitoring, and analysis of its systems to identify events of significance
• Uses appropriate controls to manage data at rest (vendor or entity data)
• Ability to provide additional hardware for failures
• Encrypts credentials in transit, internal and externally
• Encrypts credentials at rest
• Uses strongest standard encryption algorithms (e.g., AES or SHA-2)
• Supplier physical access controls to hardware, software, and manufacturing centers
• Physical devices and systems within the organization are inventoried

Prevalent Can Help with NERC Compliance

The Prevalent Third-Party Risk Management (TPRM) Platform helps with NERC CIP compliance by enabling electric utilities to centralize the assessment of their supply chain partners’ internal controls, providing a repository of supporting evidence and documentation that can be used to audit and validate the presence of the proper supply chain security measure. With built-in continuous cyber security and business monitoring that can inform the issuing of secondary assessments based on triggered criteria, the Prevalent platform provides a more complete solution for supply chain risk management than what is offered by scoring-only tools.

As well, the Prevalent assessment platform supports questionnaires, risk registers and reporting against multiple industry standard frameworks, including the NIST CSF, PCI DSS 3.2, HIPAA, and SOC 2, using the Prevalent Compliance Framework. Organizations need only ask a single set of questions and then map the results back to any number of these regulations, which simplifies and accelerates compliance reporting.

For more on how Prevalent can help address the compliance requirements of multiple regulations, download our white paper: The Third-Party Risk Management Compliance Handbook.