Attacks on our electrical grid aren’t just the stuff of doomsday movies and war games. Hackers dreaming of taking down our economy and national security know that few offensives could be more devastating than pulling our collective plug. And the grid’s risk factor just keeps climbing as the number of Internet of Things (IoT) devices in the grid keeps growing, presenting an ever-expanding selection of potential doorways.
To protect this centerpiece of national security, the power industry and the government are creating new teams and regulations to step up security. In December 2020, the Department of Energy announced the creation of a new subcommittee focused on grid security.
The North American Electric Reliability Corporation (NERC) implemented new standards on July 1, 2020, establishing revised guidelines for companies throughout the electrical system’s supply chain. NERC, in case you don’t recognize the acronym, is a non-profit regulatory authority that issues reliability standards to protect the bulk power system in the United States, Canada and part of Mexico. While you may not think of your company as part of the power supply industry, NERC’s guidelines may impact you more than you think. If your company provides parts, materials, or services anywhere in an energy company’s supply chain, NERC guidelines and other standards probably apply to you. Two recent developments may affect how you do business—and provide resources you need to improve security:
- The updated NERC CIP-013 standard deserves a careful review for how it impacts your business. Most companies in this industry already have basic CIP plans but will require significant improvement to meet CIP-013.
- The recently expanded CRISP (Cybersecurity Risk Information Sharing Program) provides companies with the latest threat information through a partnership between NERC and the Department of Energy.
How CIP-013 Affects You
In 2020, President Trump issued an executive order for the bulk power system (BPS), which applies to any company or equipment that generates or distributes major power within the United States. That order restricted the use of foreign components in order to reduce the risk of “built-in” entry points. Think of it as an “offensive” order. On the “defensive” side, the NERC CIP-013 standard focuses on supply chain risk within the BPS’s electric components (known as the Bulk Electric System, or BES). The goal is to reduce overall risk in the supply chain. (This document describes how CIP-013-1 should be implemented.)
The NERC update defines affected companies (“responsible entities”) as those with medium to high risk, according to the CIP-002-5 categorization process. The key takeaway is that NERC guidelines affect companies well beyond those that actually supply energy. If you have contracts anywhere within the energy supply chain, renewing them may depend on your compliance with CIP-013. Energy companies will be enforcing the standards on all of their suppliers because NERC slaps a “high risk” label on any energy company with 10-15% of their BES assets failing to meet the requirements.
- Requirement 1 (R1) focuses on proactively analyzing, monitoring and disclosing the risks involved with your products, services and system. This includes knowing the risks your own vendors might pose. NERC will require responsible entities to create a plan that addresses these issues and highlights the steps taken to reduce threats.
- R2 is the implementation of the plan you came up with in R1. It requires that you follow through with your “supply chain cybersecurity risk management plan.” Failing to meet the standards could produce a fine up to $1 million.
- R3 requires a designated CIP senior manager in your company to approve the plan, and it should be reevaluated every 15 months. These evaluations guarantee that your program is working and keeping the threats to your system at a minimum.
What CRISP Expansion Means for You
In late 2020, NERC also announced the expansion of CRISP, which is dedicated to sharing data on system traffic and cyber threats among energy sector stakeholders. CRISP, which started in 2014, is a voluntary program managed by a division of NERC, the Electricity Information Sharing and Analysis Center (E-ISAC). This expansion is a major step at the intersection of cybersecurity and energy, as CRISP is now partnering with the U.S. Department of Energy to grow awareness of grid safety in the coming years.
CRISP’s partnership with DOE aims to use operational technology to identify potential threats to the grid. Two newly announced pilot steps will use sensor systems already installed across the United States to recognize any risks. DOE will use operational and information technology data to identify patterns and understand the grid state and then share that with CRISP participants.
The CRISP expansion closes the information-sharing gap between private companies and federal US intelligence. Participating companies will use information gained from the program to better defend the grid against hackers. Membership is free, and members receive insightful resources, like reports of cyberattacks or guidance on the latest CIP updates.
Although the core concept behind NERC has a strong bipartisan history, a new presidential administration could obviously create changes. Some observers believe that while the Trump administration focused on targeting foreign countries with aggressive orders, such as limiting foreign components for the BPS, Biden’s team may issue more system regulations like CIP-013, especially in the private sector.
For help understanding exactly how the current regulatory environment affects your business and how you can comply efficiently, contact a Pratum advisor.