Supply Chain Risk Management Howard Gugel, Senior Director of Standards and Education Member Representatives Committee Meeting August 9, 2017
Cyber Security Supply Chain Standard • Background FERC issued Order No. 829 on July 21, 2016 Standard must be filed by September 2017 • Status Final ballot ended July 20, 2017 o CIP-013-1 – 84.2% o CIP-005-6 – 88.8% o CIP-010-3 – 81.4% Present at August Board of Trustees meeting FERC filing deadline of September 27, 2017 2 RELI ABI LI TY | ACCOUNTABI LI TY
FERC Order No. 829 [the Commission directs] that NERC, pursuant to section 215(d)(5) of the FPA, develop a forward-looking, objective-driven new or modified Reliability Standard to require each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations. - Order No. 829, July 2016 3 RELI ABI LI TY | ACCOUNTABI LI TY
Focus • High and medium impact Bulk Electric System (BES) Cyber Systems • No requirements for low impact BES Cyber Systems • NERC committed to addressing risks appropriately Identify best practices Develop guidance resources Support common understanding of compliance obligations 4 RELI ABI LI TY | ACCOUNTABI LI TY
CI P-013-1 Requirements Summary • R1 requires entities to develop supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems Planning processes to identify and assess cyber security risks from vendor equipment and software; Procurement processes to address specific cyber security risks • R2 requires entities to implement the plan • R3 requires periodic review and approval of the plan 5 RELI ABI LI TY | ACCOUNTABI LI TY
CI P-013-1 I mplementation Guidance • Standard Drafting Team developed Implementation Guidance to provide examples of approaches for complying with CIP-013-1 • This Implementation Guidance has been endorsed by the ERO per NERC’s Compliance Guidance Policy 6 RELI ABI LI TY | ACCOUNTABI LI TY
CI P-005-6 Modifications • Added operational requirements for vendor remote access • Address risks from compromised vendor remote access Part 2.4 – Determining active vendor remote access sessions Part 2.5 – Ability to disable active vendor remote access 7 RELI ABI LI TY | ACCOUNTABI LI TY
CI P-010-3 Modifications • Added operational requirements for software integrity and authenticity • Address risks from compromised vendor software Part 1.6.1 – Verify the identity of the software source Part 1.6.2 – Verify the integrity of the software 8 RELI ABI LI TY | ACCOUNTABI LI TY
I mplementation Plan • All requirements become effective 18 months following regulatory approval 9 RELI ABI LI TY | ACCOUNTABI LI TY
Question 1 How should NERC support effective implementation? Themes: • Additional implementation guidance • Communication through webinars • Vendors must be included • Consistent audit guidelines • Engage Critical Infrastructure Protection Committee 10 RELI ABI LI TY | ACCOUNTABI LI TY
Question 2 How should NERC evaluate effectiveness of the standards going forward? Themes: • Allow implementation time prior to evaluation • Establish expert group for feedback on success • Engage technical committees in evaluation effort • Use E-ISAC to track incidents • Integrate supply chain compromise into GridEx exercise 11 RELI ABI LI TY | ACCOUNTABI LI TY
Question 3 What risks and related issues should NERC study, including risks related to low impact BES Cyber Systems not covered by the standards? Themes: • Legacy support (including resellers) • Mapping to non-ERO standards • Low impact risks mitigated by implementation for medium and high impact BES Cyber Systems • Review standards in other sectors 12 RELI ABI LI TY | ACCOUNTABI LI TY
Question 4 Are there actions NERC should take to address additional potential supply chain risks? Themes: • Use webinars effectively • Facilitate secure reporting • Engage vendors and suppliers • Participate in cross-industry forums • Post and share lessons learned 13 RELI ABI LI TY | ACCOUNTABI LI TY
Standards Deployment Activities • Leverage industry experience by forming an industry advisory group to support deployment • ERO Enterprise auditor training • Industry webinars and workshops • Vendors outreach on controls • Engage Critical Infrastructure Protection Committee, forums, and trades to develop additional Implementation Guidance • Evaluate effectiveness within two years of implementation • Keep efficiency and effectiveness a priority 14 RELI ABI LI TY | ACCOUNTABI LI TY
Addressing Residual Risks • Technical committees to develop reliability guidelines • Form vendor/industry working groups on supply chain risks • Review supply chain risk practices in other industries and communicate effective strategies • Ensure BES supply chain risks are addressed by product manufacturing standards • Provide latest government intelligence to industry • Partner with Department of Energy’s Idaho National Laboratory to test legacy and planned equipment on supply chain vulnerabilities • E-ISAC will issue bulletins as supply chain risks are identified 15 RELI ABI LI TY | ACCOUNTABI LI TY
16 RELI ABI LI TY | ACCOUNTABI LI TY
ERO Enterprise Long-Term Strategy, Operating Plan, & 2018 Metrics Michael Walker, Senior Vice President and Chief Financial and Strategic Development Officer Member Representatives Committee Meeting August 9, 2017
Background • Development of Long-Term Strategy Opportunity to step back, recognize emerging risks and the changing bulk power system (BPS) ecosystem Informs operational planning—ensure nothing big is overlooked Initiative supported by NERC and Regional Entity boards • ERO Enterprise Strategic Plan rebranded as Operating Plan Focuses on operations for a three-year horizon Incorporates recommendations from the Reliability Issues Steering Committee’s (RISC’s) ERO Reliability Risk Priorities report (RISC report) Informs annual business plans and budgets 2 RELI ABI LI TY | ACCOUNTABI LI TY
2017 Strategic and Operational Planning • First drafts posted for stakeholder review and comment: ERO Enterprise Long-Term Strategy ERO Enterprise Operating Plan 2018 ERO Enterprise Metrics • Draft Long-Term Strategy reflects input from: March 2017 RISC Reliability Leadership Summit (RISC Summit) FERC Technical Conference NERC and Regional Entity board members ERO Enterprise senior leadership • Updates to operating plan and metrics developed by ERO Enterprise senior leadership team 3 RELI ABI LI TY | ACCOUNTABI LI TY
Strategic and Operational Planning Overview 4 RELI ABI LI TY | ACCOUNTABI LI TY
ERO Enterprise Long-Term Strategy • Discusses emerging risks and potential reliability impacts • Recommends six long-term focus areas: Risk-based compliance, enforcement, and assessments Technical resources and capabilities Security Communication ERO Enterprise-wide operating effectiveness and efficiency International engagement 5 RELI ABI LI TY | ACCOUNTABI LI TY
ERO Enterprise Operating Plan • Guided by Long-Term Strategy • Changes from last approved version (formerly ERO Enterprise Strategic Plan and Metrics ): Refinement of vision, mission, and core principles Existing goals continued with addition of a goal focused on security Updates to contributing activities in support of Long-Term Strategy Addition of Regional Entity-specific contributing activities Removal of metrics as an appendix (now provided separately) • Mapping to recommendations from the most recent RISC report will appear in future draft 6 RELI ABI LI TY | ACCOUNTABI LI TY
ERO Enterprise Operating Plan • Vision: A highly reliable and secure North American bulk power system (BPS) • Mission: To assure effective and efficient reduction of risks to the reliability and security of the BPS • Core principles: Accountability Independence Inclusiveness and Transparency Innovation Excellence Integrity 7 RELI ABI LI TY | ACCOUNTABI LI TY
ERO Enterprise Operating Plan • Goal 1: Risk-responsive Reliability Standards • Goal 2: Objective, risk-informed compliance monitoring, mitigation, enforcement, and entity registration • Goal 3: Reduction of known reliability risks • Goal 4: Identification and assessment of emerging reliability risks • Goal 5: Identification and reduction of cyber and physical security risks • Goal 6: Effective and efficient ERO Enterprise Operations 8 RELI ABI LI TY | ACCOUNTABI LI TY
2018 ERO Enterprise Metrics • Continues focus of 2017 metrics with six metrics focused on BPS reliability and security and one metric focused on efficiency and effectiveness NERC and the Regional Entities also maintain additional internal metrics governing individual, departmental, and corporate performance • Notable changes from 2017 metrics: Removal of compliance severity index in Metric 5; now measures the percentage of serious risk violations Removal of Metric 6 sub-metric related to cold weather Greater focus on ERO Enterprise efficiency and effectiveness in Metric 7 Historical data for each metric included 9 RELI ABI LI TY | ACCOUNTABI LI TY
Recommend
More recommend