CIP-013-1 – Cyber Security - Supply Chain Risk Management
A. Introduction
1. Title: Cyber Security - Supply Chain Risk Management
2. Number: CIP-013-1
3. Purpose: To mitigate cyber security risks to the reliable operation of the Bulk
Electric System (BES) by implementing security controls for supply chain risk
management of BES Cyber Systems.
4. Applicability:
4.1. Functional Entities: For the purpose of the requirements contained herein, the
following list of functional entities will be collectively referred to as “Responsible
Entities.” For requirements in this standard where a specific functional entity or
subset of functional entities are the applicable entity or entities, the functional
entity or entities are specified explicitly.
4.1.1. Balancing Authority
4.1.2. Distribution Provider that owns one or more of the following Facilities,
systems, and equipment for the protection or restoration of the BES:
4.1.2.1. Each underfrequency Load shedding (UFLS) or undervoltage Load
shedding (UVLS) system that:
4.1.2.1.1. Is part of a Load shedding program that is subject to
one or more requirements in a NERC or Regional
Reliability Standard; and
4.1.2.1.2. Performs automatic Load shedding under a common
control system owned by the Responsible Entity,
without human operator initiation, of 300 MW or
more.
4.1.2.2. Each Remedial Action Scheme (RAS) where the RAS is subject to
one or more requirements in a NERC or Regional Reliability
Standard.
4.1.2.3. Each Protection System (excluding UFLS and UVLS) that applies
to Transmission where the Protection System is subject to one or
more requirements in a NERC or Regional Reliability Standard.
4.1.3. Generator Operator
4.1.4. Generator Owner
4.1.5. Reliability Coordinator
4.1.6. Transmission Operator
4.1.7. Transmission Owner
4.2. Facilities: For the purpose of the requirements contained herein, the following
Facilities, systems, and equipment owned by each Responsible Entity in 4.1
above are those to which these requirements are applicable. For requirements in
this standard where a specific type of Facilities, system, or equipment or subset
of Facilities, systems, and equipment are applicable, these are specified
explicitly.
4.2.1. Distribution Provider: One or more of the following Facilities, systems
and equipment owned by the Distribution Provider for the protection or
restoration of the BES:
4.2.1.1. Each UFLS or UVLS System that:
4.2.1.1.1. Is part of a Load shedding program that is subject to
one or more requirements in a NERC or Regional
Reliability Standard; and
4.2.1.1.2. Performs automatic Load shedding under a common
control system owned by the Responsible Entity,
without human operator initiation, of 300 MW or
more.
4.2.1.2. Each RAS where the RAS is subject to one or more requirements
in a NERC or Regional Reliability Standard.
4.2.1.3. Each Protection System (excluding UFLS and UVLS) that applies
to Transmission where the Protection System is subject to one or
more requirements in a NERC or Regional Reliability Standard.
4.2.1.4. Each Cranking Path and group of Elements meeting the initial
switching requirements from a Blackstart Resource up to and
including the first interconnection point of the starting station
service of the next generation unit(s) to be started.
4.2.2. Responsible Entities listed in 4.1 other than Distribution Providers
4.2.2.1. All BES Facilities.
4.2.3. Exemptions: The following are exempt from Standard CIP-013-1:
4.2.3.1. Cyber Assets at Facilities regulated by the Canadian Nuclear
Safety Commission.
4.2.3.2. Cyber Assets associated with communication networks and data
communication links between discrete Electronic Security
Perimeters (ESPs).
4.2.3.3. The systems, structures, and components that are regulated by
the Nuclear Regulatory Commission under a cyber security plan
pursuant to 10 C.F.R. Section 73.54.
4.2.3.4. For Distribution Providers, the systems and equipment that are
not included in section 4.2.1 above.
4.2.3.5. Responsible Entities that identify that they have no BES Cyber
Systems categorized as high impact or medium impact according
to the identification and categorization process required by
CIP-002-5, or any subsequent version of that Reliability Standard.
5. Effective Date: See Implementation Plan for Project 2016-03.
B. Requirements and Measures
R1. Each Responsible Entity shall develop one or more documented supply chain cyber
security risk management plan(s) for high and medium impact BES Cyber Systems. The
plan(s) shall include: [Violation Risk Factor: Medium] [Time Horizon: Operations
Planning]
1.1. One or more process(es) used in planning for the procurement of BES Cyber
Systems to identify and assess cyber security risk(s) to the Bulk Electric System
from vendor products or services resulting from: (i) procuring and installing
vendor equipment and software; and (ii) transitions from one vendor(s) to
another vendor(s).
1.2. One or more process(es) used in procuring BES Cyber Systems that address the
following, as applicable:
1.2.1. Notification by the vendor of vendor-identified incidents related to the
products or services provided to the Responsible Entity that pose cyber
security risk to the Responsible Entity;
1.2.2. Coordination of responses to vendor-identified incidents related to the
products or services provided to the Responsible Entity that pose cyber
security risk to the Responsible Entity;
1.2.3. Notification by vendors when remote or onsite access should no longer
be granted to vendor representatives;
1.2.4. Disclosure by vendors of known vulnerabilities related to the products or
services provided to the Responsible Entity;
1.2.5. Verification of software integrity and authenticity of all software and
patches provided by the vendor for use in the BES Cyber System; and
1.2.6. Coordination of controls for (i) vendor-initiated Interactive Remote
Access, and (ii) system-to-system remote access with a vendor(s).
M1. Evidence shall include one or more documented supply chain cyber security risk
management plan(s) as specified in the Requirement.
R2. Each Responsible Entity shall implement its supply chain cyber security risk
management plan(s) specified in Requirement R1. [Violation Risk Factor: Medium]
[Time Horizon: Operations Planning]
Note: Implementation of the plan does not require the Responsible Entity to
renegotiate or abrogate existing contracts (including amendments to master
agreements and purchase orders). Additionally, the following issues are beyond the
scope of Requirement R2: (1) the actual terms and conditions of a procurement
contract; and (2) vendor performance and adherence to a contract.
M2. Evidence shall include documentation to demonstrate implementation of the supply
chain cyber security risk management plan(s), which could include, but is not limited
to, correspondence, policy documents, or working documents that demonstrate use
of the supply chain cyber security risk management plan.
R3. Each Responsible Entity shall review and obtain CIP Senior Manager or delegate
approval of its supply chain cyber security risk management plan(s) specified in
Requirement R1 at least once every 15 calendar months. [Violation Risk Factor:
Medium] [Time Horizon: Operations Planning]
M3. Evidence shall include the dated supply chain cyber security risk management plan(s)
approved by the CIP Senior Manager or delegate(s) and additional evidence to
demonstrate review of the supply chain cyber security risk management plan(s).
Evidence may include, but is not limited to, policy documents, revision history,
records of review, or workflow evidence from a document management system that
indicate review of supply chain risk management plan(s) at least once every 15
calendar months; and documented approval by the CIP Senior Manager or delegate.
C. Compliance
1. Compliance Monitoring Process
1.1. Compliance Enforcement Authority:
“Compliance Enforcement Authority” means NERC or the Regional Entity, or any
entity as otherwise designated by an Applicable Governmental Authority, in
their respective roles of monitoring and/or enforcing compliance with
mandatory and enforceable Reliability Standards in their respective
jurisdictions.
1.2. Evidence Retention:
The following evidence retention period(s) identify the period of time an entity
is required to retain specific evidence to demonstrate compliance. For instances
where the evidence retention period specified below is shorter than the time
since the last audit, the Compliance Enforcement Authority may ask an entity to
provide other evidence to show that it was compliant for the full time period
since the last audit.
The Responsible Entity shall keep data or evidence to show compliance as
identified below unless directed by its Compliance Enforcement Authority to
retain specific evidence for a longer period of time as part of an investigation.
• Each Responsible Entity shall retain evidence of each requirement in this
standard for three calendar years.
• If a Responsible Entity is found non-compliant, it shall keep information
related to the non-compliance until mitigation is complete and approved or
for the time specified above, whichever is longer.
• The CEA shall keep the last audit records and all requested and submitted
subsequent audit records.
1.3. Compliance Monitoring and Enforcement Program
As defined in the NERC Rules of Procedure, “Compliance Monitoring and
Enforcement Program” refers to the identification of the processes that will be
used to evaluate data or information for the purpose of assessing performance
or outcomes with the associated Reliability Standard.
Violation Severity Levels

R1.
Lower VSL: The Responsible Entity developed one or more documented supply chain cyber
security risk management plan(s) which include the use of process(es) in planning for
procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the BES
as specified in Part 1.1, and include the use of process(es) for procuring BES Cyber
systems as specified in Part 1.2, but the plans do not include one of the parts in Part
1.2.1 through Part 1.2.6.
Moderate VSL: The Responsible Entity developed one or more documented supply chain cyber
security risk management plan(s) which include the use of process(es) in planning for
procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the BES
as specified in Part 1.1, and include the use of process(es) for procuring BES Cyber
systems as specified in Part 1.2, but the plans do not include two or more of the parts
in Part 1.2.1 through Part 1.2.6.
High VSL: The Responsible Entity developed one or more documented supply chain cyber
security risk management plan(s), but the plan(s) did not include the use of process(es)
in planning for procurement of BES Cyber Systems to identify and assess cyber security
risk(s) to the BES as specified in Part 1.1, or the plan(s) did not include the use of
process(es) for procuring BES Cyber systems as specified in Part 1.2.
Severe VSL: The Responsible Entity developed one or more documented supply chain cyber
security risk management plan(s), but the plan(s) did not include the use of process(es)
in planning for procurement of BES Cyber Systems to identify and assess cyber security
risk(s) to the BES as specified in Part 1.1, and the plan(s) did not include the use of
process(es) for procuring BES Cyber systems as specified in Part 1.2.
OR
The Responsible Entity did not develop one or more documented supply chain cyber
security risk management plan(s) as specified in the Requirement.

R2.
Lower VSL: The Responsible Entity implemented its supply chain cyber security risk
management plan(s) including the use of process(es) in planning for procurement of BES
Cyber Systems to identify and assess cyber security risk(s) to the BES as specified in
Requirement R1 Part 1.1, and including the use of process(es) for procuring BES Cyber
systems as specified in Requirement R1 Part 1.2, but did not implement one of the parts
in Requirement R1 Part 1.2.1 through Part 1.2.6.
Moderate VSL: The Responsible Entity implemented its supply chain cyber security risk
management plan(s) including the use of process(es) in planning for procurement of BES
Cyber Systems to identify and assess cyber security risk(s) to the BES as specified in
Requirement R1 Part 1.1, and including the use of process(es) for procuring BES Cyber
systems as specified in Requirement R1 Part 1.2, but did not implement two or more of
the parts in Requirement R1 Part 1.2.1 through Part 1.2.6.
High VSL: The Responsible Entity implemented its supply chain cyber security risk
management plan(s), but did not implement the use of process(es) in planning for
procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the
BES as specified in Requirement R1 Part 1.1, or did not implement the use of process(es)
for procuring BES Cyber systems as specified in Requirement R1 Part 1.2.
Severe VSL: The Responsible Entity implemented its supply chain cyber security risk
management plan(s), but did not implement the use of process(es) in planning for
procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the
BES as specified in Requirement R1 Part 1.1, and did not implement the use of
process(es) for procuring BES Cyber systems as specified in Requirement R1 Part 1.2;
OR
The Responsible Entity did not implement its supply chain cyber security risk
management plan(s) specified in the requirement.

R3.
Lower VSL: The Responsible Entity reviewed and obtained CIP Senior Manager or delegate
approval of its supply chain cyber security risk management plan(s) but did so more
than 15 calendar months but less than or equal to 16 calendar months since the previous
review as specified in the Requirement.
Moderate VSL: The Responsible Entity reviewed and obtained CIP Senior Manager or
delegate approval of its supply chain cyber security risk management plan(s) but did so
more than 16 calendar months but less than or equal to 17 calendar months since the
previous review as specified in the Requirement.
High VSL: The Responsible Entity reviewed and obtained CIP Senior Manager or delegate
approval of its supply chain cyber security risk management plan(s) but did so more
than 17 calendar months but less than or equal to 18 calendar months since the previous
review as specified in the Requirement.
Severe VSL: The Responsible Entity did not review and obtain CIP Senior Manager or
delegate approval of its supply chain cyber security risk management plan(s) within
18 calendar months of the previous review as specified in the Requirement.
D. Regional Variances
None.
E. Associated Documents
Link to the Implementation Plan and other important associated documents.
Version History
Version   Date       Action                                    Change Tracking
1         07/20/17   Respond to FERC Order No. 829.
1         08/10/17   Approved by the NERC Board of Trustees.
Supplemental Material
Rationale
Requirement R1:
The proposed Requirement addresses Order No. 829 directives for entities to implement a
plan(s) that includes processes for mitigating cyber security risks in the supply chain. The plan(s)
is required to address the following four objectives (Order No. 829 at P. 45):
(1) Software integrity and authenticity;
(2) Vendor remote access;
(3) Information system planning; and
(4) Vendor risk management and procurement controls.
The cyber security risk management plan(s) specified in Requirement R1 apply to high and
medium impact BES Cyber Systems.
Implementation of the cyber security risk management plan(s) does not require the
Responsible Entity to renegotiate or abrogate existing contracts (including amendments to
master agreements and purchase orders), consistent with Order No. 829 (P. 36).
Requirement R1 Part 1.1 addresses the directive in Order No. 829 for identification and
documentation of cyber security risks in the planning and development processes related to the
procurement of BES Cyber Systems (P. 56). The security objective is to ensure entities consider
cyber security risks to the BES from vendor products or services resulting from: (i) procuring
and installing vendor equipment and software; and (ii) transitions from one vendor(s) to
another vendor(s); and options for mitigating these risks when planning for BES Cyber Systems.
Requirement R1 Part 1.2 addresses the directive in Order No. 829 for procurement controls to
address the provision and verification of security concepts in future contracts for BES Cyber
Systems (P. 59). The objective of Part 1.2 is for entities to include these topics in their plans so
that procurement and contract negotiation processes address the applicable risks.
Implementation of the entity's plan related to Part 1.2 may be accomplished through the
entity's procurement and contract negotiation processes. For example, entities can implement
the plan by including applicable procurement items from their plan in Requests for Proposals
(RFPs), negotiations with vendors, or requests submitted to entities negotiating on behalf of the
Responsible Entity such as in cooperative purchasing agreements. Obtaining specific controls in
the negotiated contract may not be feasible and is not considered failure to implement an
entity's plan. Although the expectation is that Responsible Entities would enforce the
security-related provisions in the contract based on the terms and conditions of that contract, such
contract enforcement and vendor performance or adherence to the negotiated contract is not
subject to this Reliability Standard.
The objective of verifying software integrity and authenticity (Part 1.2.5) is to help ensure that
software installed on BES Cyber Systems is not modified prior to installation without the
awareness of the software supplier and is not counterfeit. Part 1.2.5 is not an operational
requirement for entities to perform such verification; instead, it requires entities to address the
software integrity and authenticity issue in its contracting process to provide the entity the
means by which to perform such verification under CIP-010-3.
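Part 1.2.5 asks the entity to obtain, through contracting, the means to verify vendor software before installation. The Go program below is an added example, not part of the standard or of any NERC or vendor code, of what that verification looks like on the entity side: the vendor signs a digest manifest with a release key the entity has pinned out of band, and the entity checks the signature (authenticity) before checking the digest (integrity). The manifest format, file name and keys are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed manifest format for this example: a single line
// "<filename> <sha256-hex>", signed as raw bytes by the vendor's release key.
var (
	ErrAuthenticity = errors.New("authenticity: manifest signature does not verify under the pinned vendor key")
	ErrIntegrity    = errors.New("integrity: package digest does not match the signed manifest")
	ErrManifest     = errors.New("manifest: malformed or names a different file")
)

// MakeManifest is the vendor side: digest the release and sign the manifest.
func MakeManifest(priv ed25519.PrivateKey, name string, pkg []byte) (manifest, sig []byte) {
	sum := sha256.Sum256(pkg)
	manifest = []byte(name + " " + hex.EncodeToString(sum[:]))
	return manifest, ed25519.Sign(priv, manifest)
}

// VerifyVendorPackage is the Responsible Entity side: authenticity first (is the
// manifest really from the vendor?), then integrity (does the file match it?).
func VerifyVendorPackage(vendorKey ed25519.PublicKey, manifest, sig, pkg []byte, wantName string) error {
	if !ed25519.Verify(vendorKey, manifest, sig) {
		return ErrAuthenticity
	}
	fields := strings.Fields(string(manifest))
	if len(fields) != 2 || fields[0] != wantName {
		return ErrManifest
	}
	want, err := hex.DecodeString(fields[1])
	if err != nil || len(want) != sha256.Size {
		return ErrManifest
	}
	got := sha256.Sum256(pkg)
	if string(got[:]) != string(want) {
		return ErrIntegrity
	}
	return nil
}

func main() {
	// Constructed sample data. In practice the vendor public key is pinned from
	// a channel established during contracting, not fetched beside the download.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	patch := []byte("constructed relay firmware patch payload")
	manifest, sig := MakeManifest(vendorPriv, "relay-fw.bin", patch)
	fmt.Println("genuine:  ", VerifyVendorPackage(vendorPub, manifest, sig, patch, "relay-fw.bin"))
	tampered := append([]byte{}, patch...)
	tampered[0] ^= 0xff
	fmt.Println("tampered: ", VerifyVendorPackage(vendorPub, manifest, sig, tampered, "relay-fw.bin"))
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader) // a key that is not the vendor's
	fmt.Println("wrong key:", VerifyVendorPackage(otherPub, manifest, sig, patch, "relay-fw.bin"))
}
```

Checking the signature before the digest matters: a digest published alongside the download can be replaced together with the file, so only a signature under a separately pinned vendor key turns a hash match into evidence of authenticity.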
The term vendor(s) as used in the standard is limited to those persons, companies, or other
organizations with whom the Responsible Entity, or its affiliates, contract with to supply BES
Cyber Systems and related services. It does not include other NERC registered entities providing
reliability services (e.g., Balancing Authority or Reliability Coordinator services pursuant to
NERC Reliability Standards). A vendor, as used in the standard, may include: (i) developers or
manufacturers of information systems, system components, or information system services; (ii)
product resellers; or (iii) system integrators.
Collectively, the provisions of CIP-013-1 address an entity's controls for managing cyber security
risks to BES Cyber Systems during the planning, acquisition, and deployment phases of the
system life cycle, as shown below.
[Figure: Notional BES Cyber System Life Cycle]
Requirement R2:
The proposed requirement addresses Order No. 829 directives for entities to periodically
reassess selected supply chain cyber security risk management controls (P. 46).
Entities perform periodic assessment to keep plans up-to-date and address current and
emerging supply chain-related concerns and vulnerabilities. Examples of sources of information
that the entity could consider include guidance or information issued by:
• NERC or the E-ISAC
• ICS-CERT
• Canadian Cyber Incident Response Centre (CCIRC)
Responsible Entities are not required to renegotiate or abrogate existing contracts (including
amendments to master agreements and purchase orders) when implementing an updated plan
(i.e., the note in Requirement R2 applies to implementation of new plans and updated plans).