Supply Chain Standards Compliance Essentials
Lew Folkerth, Principal Reliability Consultant
Monthly Compliance Call
May 20, 2019
Overview

Origin: FERC Order 829

Objectives
• Software integrity and authenticity
• Vendor remote access
• Information system planning
• Vendor risk management and procurement controls

Standards
• CIP-013-1 R1, R2, R3 ‒ Supply Chain Risk Management
• CIP-005-6 R2 Parts 2.4, 2.5 ‒ Vendor Remote Access
• CIP-010-3 R1 Part 1.6 ‒ Software Authenticity

Applicability
• High/Med BES Cyber Systems
• NERC Registered Entities – NOT Vendors

Effective Date: July 1, 2020

Forward Together • ReliabilityFirst
CIP-013-1

R1 – Supply Chain Cyber Security Risk Management Plan (SCCSRMP)
• Applicability: High/medium BES Cyber Systems (EACMS for SCCSRMP pending per Order 850)
• R1.1 – Planning for Procurement
• R1.2 – Processes for Procurement
‒ Six areas required to be addressed

R2 – Implement SCCSRMP
• By 7/1/2020

R3 – Review & Obtain CIP Senior Manager Approval
• By 7/1/2020
• Every “CIP Year” (15 calendar months) thereafter
CIP-005-6 R2 Parts 2.4 & 2.5

Part 2.4
• Required: “Determine” active vendor remote access sessions
‒ Interactive
‒ System-to-system
• Implied: Be able to determine sessions in near-real-time

Part 2.5
• Required: Have methods to “disable” vendor remote access
• Implied: Near-real-time response in order to prevent unauthorized operation of systems
CIP-010-3 R1 Part 1.6

Part 1.6 – Verify Software Authenticity
• Applies to:
‒ Operating systems or firmware
‒ Commercially available or open-source software
‒ Security patches
• Part 1.6.1 – Identity of software source
• Part 1.6.2 – Integrity of software obtained from source
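One concrete way the two halves of Part 1.6 can be checked before a patch or firmware image is installed is shown below. This is an added example written for this page, not code from the deck, from ReliabilityFirst, or from the standard; CIP-010-3 does not prescribe a mechanism. It assumes a vendor who publishes a SHA-256 manifest for each release and signs that manifest with an Ed25519 key, and an entity that has pinned the vendor's public key through a separate channel. The signature check on the manifest addresses 1.6.1 (identity of the source); the hash check on the artifact addresses 1.6.2 (integrity of what was obtained). The key, artifact and manifest in BuildSampleRelease are constructed from a fixed seed so the program runs offline; they stand in for the vendor's release process and are not real.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Release bundles what an entity receives from a vendor: the artifact itself,
// a manifest listing the SHA-256 of each artifact, and the vendor's detached
// Ed25519 signature over the manifest.
type Release struct {
	Name      string
	Artifact  []byte
	Manifest  []byte
	Signature []byte
}

// parseManifest reads lines of the form "<sha256-hex>  <filename>" (the layout
// sha256sum produces) into a filename -> digest map.
func parseManifest(manifest []byte) (map[string]string, error) {
	entries := map[string]string{}
	for _, line := range strings.Split(string(manifest), "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed manifest line: %q", line)
		}
		entries[fields[1]] = strings.ToLower(fields[0])
	}
	return entries, nil
}

// VerifyRelease performs the two checks CIP-010-3 R1 Part 1.6 calls for:
//   1.6.1 identity of the source: the manifest must carry a valid signature from
//         the public key pinned for this vendor (obtained out of band, never from
//         the same download as the software);
//   1.6.2 integrity: the artifact's SHA-256 must match the signed manifest entry.
// It returns nil only when both checks pass.
func VerifyRelease(vendorPub ed25519.PublicKey, r Release) error {
	if len(vendorPub) != ed25519.PublicKeySize {
		return errors.New("vendor public key has wrong size")
	}
	// 1.6.1: authenticity of the manifest, and therefore of the hashes in it.
	if !ed25519.Verify(vendorPub, r.Manifest, r.Signature) {
		return errors.New("manifest signature does not verify against pinned vendor key")
	}
	entries, err := parseManifest(r.Manifest)
	if err != nil {
		return err
	}
	want, ok := entries[r.Name]
	if !ok {
		return fmt.Errorf("artifact %q not listed in signed manifest", r.Name)
	}
	// 1.6.2: integrity of the artifact itself.
	sum := sha256.Sum256(r.Artifact)
	got := hex.EncodeToString(sum[:])
	if got != want {
		return fmt.Errorf("sha256 mismatch for %q: manifest %s, actual %s", r.Name, want, got)
	}
	return nil
}

// BuildSampleRelease constructs a vendor key pair and a signed release from a
// fixed seed. It stands in for the vendor's release process so the example runs
// offline; the key and artifact bytes are constructed samples, not real ones.
func BuildSampleRelease() (ed25519.PublicKey, Release) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize) // constructed seed, not a real key
	priv := ed25519.NewKeyFromSeed(seed)
	name := "relay-firmware-v3.2.1.bin"
	artifact := []byte("relay-firmware-v3.2.1 (constructed sample bytes)")
	sum := sha256.Sum256(artifact)
	manifest := []byte(hex.EncodeToString(sum[:]) + "  " + name + "\n")
	sig := ed25519.Sign(priv, manifest)
	return priv.Public().(ed25519.PublicKey), Release{
		Name: name, Artifact: artifact, Manifest: manifest, Signature: sig,
	}
}

func main() {
	pub, rel := BuildSampleRelease()
	fmt.Println("genuine release:", VerifyRelease(pub, rel))

	// A modified artifact fails the integrity check (1.6.2).
	modified := rel
	modified.Artifact = append([]byte{}, rel.Artifact...)
	modified.Artifact[0] ^= 0x01
	fmt.Println("modified artifact:", VerifyRelease(pub, modified))

	// Rewriting the manifest to match the modified artifact does not help:
	// the vendor's signature no longer covers it, so 1.6.1 fails instead.
	rehashed := modified
	sum := sha256.Sum256(rehashed.Artifact)
	rehashed.Manifest = []byte(hex.EncodeToString(sum[:]) + "  " + rehashed.Name + "\n")
	fmt.Println("re-hashed manifest:", VerifyRelease(pub, rehashed))
}
```

The order of the checks matters: the hash in the manifest is only evidence of integrity once the manifest itself has been tied to the vendor, which is why the signature is verified first and why the pinned public key must come from somewhere other than the download being verified. Evidence of both results, and of where the pinned key came from, is what an auditor will look for under Part 1.6.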
References

Origination – FERC Order 829: https://www.nerc.com/FilingsOrders/us/FERCOrdersRules/Order_SupplyChain_20160721_RM15-14.pdf
NERC Filing for Approval: https://www.nerc.com/FilingsOrders/us/NERC%20Filings%20to%20FERC%20DL/Petition%20Supply%20Chain%20Risk%20Management%20Filing.pdf
FERC Supply Chain NOPR: https://www.nerc.com/FilingsOrders/us/FERCOrdersRules/E-2_NOPR%20on%20Supply%20Chain.pdf
Approval – FERC Order 850: https://www.nerc.com/FilingsOrders/us/FERCOrdersRules/Order%20No.%20850%20Supply%20Chain%20Risk%20Management%20Reliability%20Standards.pdf

CIPC Supply Chain Working Group
• Several guidelines in development: https://www.nerc.com/comm/Pages/Reliability-and-Security-Guidelines.aspx
• Mailing list: Send request to Tom Hofstetter: Tom.Hofstetter@nerc.net

NIST Special Publications:
• SP800-30 Guide to Conducting Risk Assessments: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
• SP800-39 Managing Information Security Risk: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
• SP800-161 Supply Chain Risk Management Practices: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf

ERO Implementation Guidance: https://www.nerc.com/pa/comp/guidance/Pages/default.aspx

RF CIP Knowledge Center: https://rfirst.org/KnowledgeCenter/Risk%20Analysis/CIP/
https://rfirst.org/KnowledgeCenter/Risk%20Analysis/CIP/CIP%20Library/0%20-%20Lighthouse%20Supply%20Chain%2029-31.pdf

Assist Visits: https://rfirst.org/ProgramAreas/EntityDev/AssistVisits/Pages/AssistVisits.aspx
Questions & Answers