A major cyberattack on a bulk electric system (BES) would have far-reaching, negative effects across multiple industries and could pose a threat to regional and national security. Cybersecurity matters affecting energy facilities have garnered particular attention in recent years as increasingly complex “smart grid” technologies are adopted. As both the technology and the regulation become more complex, owners and operators of regulated energy generation or transmission facilities in the United States must look to good industry practice in the outsourcing sector as the basis for a rigorous cybersecurity compliance program.
To address technology’s evolution and its associated cybersecurity risks, the North American Electric Reliability Corporation (NERC), under the oversight of the Federal Energy Regulatory Commission (FERC), which must approve each standard before it becomes enforceable, continues to develop mandatory standards for the management of cybersecurity risks in bulk electric systems. These standards, known as the Critical Infrastructure Protection (CIP) standards, include requirements for personnel and training, security management controls, and recovery planning, as well as for electronic security perimeters and the protection of BES cyber assets. Two recent proposed changes to CIP indicate that cybersecurity remains an ongoing priority for US federal officials.
CHANGES TO CRITICAL INFRASTRUCTURE PROTECTION
In 2018, NERC submitted CIP-012 to FERC for approval, where it is currently under review. If approved, it would require a BES entity to implement a documented plan that mitigates the risks posed by unauthorized disclosure and unauthorized modification of real-time assessment and real-time monitoring data transmitted between control centers. The plan must (1) identify the security protection used; (2) identify where that security protection is applied; and (3) where different entities own or operate the control centers, determine the allocation of responsibilities between each accountable entity for applying the security protection. In addition to these requirements, FERC recently requested that NERC include a refined definition of real-time monitoring and clarify the types of data that must be safeguarded by this security protection.
FERC approved CIP-013 in 2018, with enforcement beginning in July 2020. CIP-013 sets out three main requirements: (1) that the BES entity develop a supply-chain cybersecurity risk management plan for its high and medium impact BES cyber systems; (2) that the BES entity implement that plan; and (3) that the BES entity review the plan and obtain approval of it from its CIP senior manager or delegate. The plan must also include processes that address notification of cybersecurity incidents, coordination of incident response, verification of software integrity and authenticity, and the controls governing vendor remote access.
For the purposes of CIP-013, the BES entity is responsible for a broad scope of vendors within its supply chain, including “(i) developers or manufacturers of information systems, systems components, or information system services; (ii) product resellers; [and] (iii) system integrators.” NERC also recommends that BES entities include applicable procurement items in their contract negotiations with vendors, and has indicated that CIP-013 does not require BES entities to renegotiate or rescind their existing contracts. NERC has further reassured BES entities that vendor performance and adherence to contracted terms are not themselves subject to the CIP-013 standard: the standard governs the BES entity’s own risk management process, not the vendor’s conduct.
The second and third requirements of CIP-013 are meant to ensure effective oversight and to ensure that a BES entity periodically reassesses its supply-chain cybersecurity risk management controls. To evidence compliance, a BES entity may retain its policy documents, archive the revisions to its supply-chain risk management plan, and preserve records demonstrating that the plan was reviewed and approved through the appropriate process at least once every fifteen calendar months.
THE FUTURE OF CIP COMPLIANCE
Compliance with CIP-012 and CIP-013 will take time. Bulk electric systems and the technology and operations that enable them are complex, each with its own set of security risks to address. This reality demands a considered, strategic approach across the BES entities’ operations and third-party relationships. As in other technology sectors, outsourcing offers a framework to adopt and implement best practices around governance, change management, vendor management and end-to-end monitoring. The best solutions to prevent or contain harm from cyberattacks at regulated energy facilities will combine technical knowledge of cybersecurity with legal expertise in both CIP compliance and contractual risk allocation through outsourcing.