Navigating NERC CIP-013-1

October 1, 2020, marked the end of COVID-19-related extensions for NERC standard, Cybersecurity – Supply Chain Risk Management (CIP-013-1).  

The Federal Energy Regulatory Commission (FERC) has implemented a new regulatory requirement, NERC CIP-013-1, which places increased responsibility on Power & Utility (P&U) companies to evaluate the cybersecurity of their third-party vendors and partners. Failures carry significant financial penalties.

The supply chain risk management reliability standards are forward-looking and objective, requiring each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with system operations.

At the moment, this standard applies to the energy industry, but based on prior regulatory trends, will also be expanded to cover other utility-based sectors.

Key considerations

• Are you able to identify and leverage any overlaps within your current security audits or reviews to comply with the NERC standard, Cybersecurity - Supply Chain Risk Management (CIP-013-1)?
• Do you have an integrated cybersecurity and supply chain policy, procedures, and controls effectively designed and implemented to mitigate risk?
• Have you identified mission-critical vendors and tailored your vendor lifecycle procedures using a risk-based approach?
• Do you have management reporting tools to communicate and manage how external parties are impacting your supply chain cybersecurity risk, internally in accordance with your enterprise risk management framework, and externally to investors and regulators?

How we can help

Contact us