Three Newly Approved CIP Reliability Standards for Cybersecurity Will Be Costly

Entities with industrial control systems (ICS) associated with bulk electric system (BES) operations must develop and implement plans that include security controls for supply chain management, the Federal Energy Regulatory Commission (FERC) ordered in a final rule that formally adopts three new critical infrastructure protection (CIP) reliability standards. 

FERC on October 18 issued Order No. 850, approving CIP-013-1 (Cyber Security—Supply Chain Risk Management), CIP-005-6 (Cyber Security—Electronic Security Perimeters), and CIP-010-3 (Cyber Security—Configuration Change Management and Vulnerability Assessments). The new supply chain risk management reliability standards had been proposed by the North American Reliability Corp. (NERC) in response to FERC’s July 2016-issued Order No. 829. NERC will enforce the standards.

Though the global supply chain offers significant benefits to customers—including low cost, interoperability, rapid innovation, and product and feature variety—it also creates “opportunities for adversaries to directly or indirectly affect the management of operations of companies with potential risks to end users,” FERC said in its order. 

Supply chain risks include insertion of counterfeits or malicious software, unauthorized production, tampering, or theft, as well as poor manufacturing and development practices. 

The new CIP standards focus on four security objectives: (1) software integrity and authenticity;  (2) vendor remote access protections;  (3) information system planning; and (4) vendor risk management and procurement controls. 

CIP-013-1 seeks to address risks associated with information system planning, as well as vendor risk management and procurement controls. However, entities that already have contracts—or are in the middle of procurement activities—for vendor products or services before the effective date of the reliability standard will not have to comply with the standard. 

CIP-005-6 includes two new parts (2.4 and 2.5) to provide more awareness of active vendor remote access sessions. The standard will require one or more methods for determining and disabling active vendor remote access sessions, including interactive remote access and system-to-system remote access. 

CIP-010-3 is designed to ensure that software being installed in the BES cyber system is not modified without awareness of software suppliers and is not counterfeit. The newly added Part 1.6, specifically, will require entities to verify software integrity and authenticity before installing software that changes established baseline configurations. 

Among other things, it will also require entities with BES cyber assets—facilities, systems, or equipment which could affect reliable operations of the BES if destroyed or rendered unavailable—to develop and implement plans that include security controls for supply chain management for ICS hardware, software, and services associated with BES operations. 

The documented supply chain cybersecurity risk management plans should address six security concepts: (1) vendor security event notification; (2) coordinated incident response; (3) vendor personnel termination notification; (4) product/services vulnerability disclosures; (5) verification of software integrity and authenticity; and (6) coordination of vendor remote access controls.

Compliance Timeline and Costs

Entities must implement plans within 18 months following the effective date of FERC’s order—a period that is much longer than the 12 months originally proposed in FERC’s 2015-issued notice of proposed rulemaking associated with the final rule. FERC said it increased the implementation period owing to stakeholder concerns. Several commenters clarified that technical upgrades were likely necessary to meet the CIP standards’ security objectives, which they noted could involve longer time-horizon capital budgets and planning cycles. 

According to NERC’s Compliance Registry, more than 1,250 unique U.S. entities must comply with its growing list of CIP reliability standards. Of these entities, about 288 will face “an increased paperwork burden” owing to the three new CIP standards. The reporting burden may be steep: the average response could require 546 hours and $44,226. In total, FERC anticipates compliance with the rule could cost the industry about $13 million.

Cost will stem from initial development of a policy to address requirements related to developing the supply chain risk management plan, updating procedures related to remote access requirements, and developing procedures related to software integrity and authenticity. Entities will also incur future costs as they maintain the management plan and modify it as required every 15 months.  

FERC: More Measures Needed

But the new standards only address FERC’s directive in Order No. 829, and FERC still needs to deal with a “significant cybersecurity risk” associated with the supply chain for BES cyber systems because the new CIP standards do not address Electronic Access Control and Monitoring Systems (EACMS). 

Those cyber assets—which include firewalls, authentication servers, security event monitoring systems, intrusion detection systems, and alerting systems—perform integral electronic access control or monitoring of the electronic security perimeters or BES cyber systems, and play a “significant role in the protection of high and medium impact BES Cyber Systems,” FERC said. “Accordingly, if EACMS are compromised, that could adversely affect the reliable operation of associated BES Cyber Systems,” it said.  

That’s why in its order last week, FERC directed NERC to develop modifications to to the CIP standards to include EACMS associated with “medium and high impact BES Cyber Systems” within the scope of the supply chain risk management reliability standards NERC must now submit the modifications to FERC within two years after the final rule becomes effective.

FERC also noted the NERC proposal does not address physical access control systems (PACS)—such as authentication servers, card systems, and badge control systems—and it only addresses protected cyber assets (PCA)—for example, file servers, FTP servers, time servers, LAN switches, networked printers, and emission monitoring systems—in a limited way. “We remain concerned that the exclusion of these components may leave a gap in the supply chain risk management Reliability Standards. Nevertheless, in contrast to EACMS, we believe that more study is necessary to determine the impact of PACS and PCAs in the context of the supply chain risk management Reliability Standards,” it said. 

—Sonal Patel is a POWER associate editor (@sonalcpatel, @POWERmagazine)