The Impact of NERC and FERC on Third-Party Risk Management in Utilities

Cyber attacks dominate news headlines globally. The recent SolarWinds attack demonstrated the severe danger that such attacks pose to organizations, supply chains and critical infrastructure, and to utility companies in particular. Regulatory bodies like NERC and FERC are responding to these threats with new third-party risk management requirements for utilities. 

The SolarWinds attack is best known for affecting several U.S. government agencies, technology firms and other large organizations, but a recent report found that 32% of the identified victims were industrial organizations in sectors such as manufacturing, utilities, construction, transportation, mining and energy.  

Utilities need to be concerned about security in third-party vendor relationships from two perspectives. First, the exposure of private data, such as customer data: inadvertent exposure of consumer data leads to large penalties and reputational damage. Second, utilities need to secure the systems that run their critical infrastructure, on which government and the general public alike rely for day-to-day life. This dependence, combined with the growing exposure of utilities to supply chain attacks, prompted new regulation from NERC and FERC. 

New Standards and Regulations for Utilities 

The U.S. Federal Energy Regulatory Commission (FERC), which regulates the interstate transmission of electricity, recognized the growing third-party risk to utility organizations and in 2016 issued Order No. 829 directing the development of a supply chain risk management standard for critical infrastructure protection. In response, the North American Electric Reliability Corporation (NERC) developed Critical Infrastructure Protection standard CIP-013-1, Supply Chain Risk Management. NERC is the non-profit Electric Reliability Organization certified by FERC to develop and enforce reliability standards for the bulk power system across North America. CIP-013-1 provides a framework of supply chain and third-party cybersecurity risk management controls for electric power and utility companies. FERC approved CIP-013-1 on October 18, 2018 (Order No. 850), and enforcement began on October 1, 2020. 

Today, energy utility and transmission organizations must address specific third-party cybersecurity risks and comply with CIP-013-1 in order to harden themselves against the increasing number of attacks that target supply chains and third parties. The standard helps utilities protect the Bulk Electric System by limiting their exposure to malware, tampering, trojan horses and backdoors, and other cyber risks that originate within a utility's third-party relationships. 

Research from IBM and the Ponemon Institute has shown that breaches involving third parties are among the most expensive kinds of breach. A breach within the supply chain of a utility company could result in significant downtime and disrupt the operations of organizations of all sizes, including large multinational companies. An attack on a utility could have disastrous consequences not only for the organization but for the communities and economies that depend on it. 

While attacks on other industries like retail and hospitality are typically aimed at data theft (credit card information, for example), the motives for attacking a utility can be more serious. Data theft is still a goal, but power disruption, destruction of equipment, and even loss of life can be the objective of an attack on a utility. The threat environment is therefore not limited to criminals seeking personal gain: utilities must also contend with state-sponsored saboteurs, terrorists, and activists. 

To recap, utilities can employ the cybersecurity controls laid out in NERC's CIP-013-1 to defend their critical infrastructure and the extended enterprise against attacks. Meeting the standard requires a third-party risk management program that addresses cyber risk. 

Developing a Third-Party Risk Management Program with CIP-013-1

CIP-013-1 consists of three requirements (R1 through R3), which map to three steps for building a supply chain cybersecurity program:  

1. Develop a plan (R1): Each responsible entity must “develop one or more documented supply chain cybersecurity risk management plan(s) for high and medium impact BES [Bulk Electric System] Cyber Systems.” The plan must include processes and controls for: 

  • Planning for the procurement of BES Cyber Systems (Part 1.1): identifying and assessing the cybersecurity risks to the Bulk Electric System that arise from procuring and installing vendor equipment and software, and from transitioning from one vendor to another.  
  • Procuring BES Cyber Systems (Part 1.2): processes that require, as applicable, (a) notification by the vendor of vendor-identified incidents related to the products or services it provides that pose a cybersecurity risk to the utility; (b) coordination of the response to such incidents; (c) notification by the vendor when remote or on-site access granted to its representatives should be revoked; (d) disclosure by the vendor of known vulnerabilities in its products or services; (e) verification of the integrity and authenticity of all software and patches the vendor supplies (the control the SolarWinds compromise made urgent); and (f) coordination of controls for vendor-initiated Interactive Remote Access and system-to-system remote access with the vendor.  

2. Implement the plan (R2): Each responsible entity must “implement its supply chain cybersecurity risk management plan(s).” This means putting the processes, policies, and controls established in the plan into operation. 

3. Obtain management approval (R3): Each responsible entity must “review and obtain CIP Senior Manager or delegate approval of its supply chain cybersecurity risk management plan(s)” at least once every 15 calendar months.   
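The software integrity and authenticity item in step 1 is the one control above that reduces to a concrete technical check, so here is a worked version of it. This is an added example, not code from the original post, from NERC, or from ProcessUnity. It assumes a vendor that publishes a `sha256sum`-style manifest of its release files together with an Ed25519 signature over the manifest's exact bytes, and a utility that pinned the vendor's public key out of band when onboarding the vendor; the manifest layout, file names and key scheme are assumptions of the example (real vendors use a variety of code-signing schemes), and the sample file contents are constructed. Go is used because its standard library carries everything needed to run the check offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Artifact is one file delivered by the vendor (patch, firmware image, installer).
type Artifact struct {
	Name string
	Data []byte
}

// parseManifest reads the assumed manifest layout, the same as `sha256sum` output:
// one "<64 hex chars>  <filename>" per line; blank and '#' lines are skipped.
// The layout is this example's assumption, not something the standard prescribes.
func parseManifest(manifest []byte) (map[string]string, error) {
	expected := make(map[string]string)
	for n, line := range strings.Split(string(manifest), "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("manifest line %d is malformed: %q", n+1, line)
		}
		if _, err := hex.DecodeString(fields[0]); err != nil {
			return nil, fmt.Errorf("manifest line %d: digest is not hex", n+1)
		}
		expected[fields[1]] = strings.ToLower(fields[0])
	}
	if len(expected) == 0 {
		return nil, errors.New("manifest lists no files")
	}
	return expected, nil
}

// VerifyRelease performs the two checks in order: authenticity (the manifest must
// carry a valid Ed25519 signature under the vendor key pinned at onboarding), then
// integrity (every delivered artifact must hash to the value the signed manifest
// lists, and nothing may arrive that the manifest does not list). A non-nil error
// means the release must not be installed.
func VerifyRelease(pinnedKey ed25519.PublicKey, manifest, signature []byte, artifacts []Artifact) error {
	if !ed25519.Verify(pinnedKey, manifest, signature) {
		return errors.New("manifest signature does not verify under the pinned vendor key")
	}
	expected, err := parseManifest(manifest)
	if err != nil {
		return err
	}
	for _, a := range artifacts {
		want, listed := expected[a.Name]
		if !listed {
			return fmt.Errorf("%s: not listed in the signed manifest", a.Name)
		}
		sum := sha256.Sum256(a.Data)
		if got := hex.EncodeToString(sum[:]); got != want {
			return fmt.Errorf("%s: SHA-256 %s differs from manifest value %s", a.Name, got, want)
		}
	}
	return nil
}

// SignManifest stands in for the vendor's release process so the example runs
// offline: hash each artifact, write the manifest, sign its exact bytes.
func SignManifest(priv ed25519.PrivateKey, artifacts []Artifact) (manifest, signature []byte) {
	var b strings.Builder
	for _, a := range artifacts {
		sum := sha256.Sum256(a.Data)
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), a.Name)
	}
	manifest = []byte(b.String())
	return manifest, ed25519.Sign(priv, manifest)
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	release := []Artifact{ // constructed sample files, not real vendor artifacts
		{"rtu-firmware-2.4.1.bin", []byte("constructed firmware image bytes")},
		{"hmi-patch-2021-03.msi", []byte("constructed patch installer bytes")},
	}
	manifest, sig := SignManifest(vendorPriv, release)
	fmt.Println("genuine release:  ", VerifyRelease(vendorPub, manifest, sig, release))

	// SolarWinds-style substitution: the installer bytes are swapped after signing.
	tampered := []Artifact{release[0], {release[1].Name, []byte("backdoored installer bytes")}}
	fmt.Println("tampered artifact:", VerifyRelease(vendorPub, manifest, sig, tampered))

	// The attacker also ships a matching manifest signed with their own key;
	// the pinned key rejects it before any digest is compared.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	evilManifest, evilSig := SignManifest(attackerPriv, tampered)
	fmt.Println("attacker-signed:  ", VerifyRelease(vendorPub, evilManifest, evilSig, tampered))
}
```

The order of the two checks matters: the signature is verified before any digest in the manifest is trusted, because an attacker who can replace the installer can usually replace the hash file sitting next to it as well. What makes this a control the utility owns, rather than an assertion on the vendor's download page, is that the public key is pinned at onboarding and changed only through a documented process, which is also where a rotation or revocation notice from the vendor under Part 1.2 would land.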

To achieve plan development requirements, a utility needs a structured plan development process with a robust system of record, an audit trail of changes and organizational accountability. Getting approval will likely require direct collaboration between the program development team and management to establish an agreed-upon plan.  

Likewise, implementing the plan requires close collaboration between the utility and its third parties. A robust audit trail and system of record are needed to document every interaction, as well as the processes, regulatory obligations, assessments, and controls involved. Utility companies that run plan implementation through manual processes in spreadsheets and emails often find that they lack a reliable record of accountability, so essential information slips through the cracks. Manual processes also tend to produce weak program reporting that fails to give management a clear picture. 

Implementing a program plan aligned with the NERC and FERC requirements, supported by third-party risk management software, can remedy these shortcomings. A solution that automates plan implementation addresses the problems inherent in manual processes and removes the burden of reconciling information by hand. 

The importance of compliance cannot be overstated: the CIP standards carry harsh penalties for organizations found non-compliant. NERC can levy penalties of up to $1 million per day per outstanding violation. It is important to remember that third-party risks are the organization's own risks, and managing them requires direct visibility into the extended enterprise. 

As the SolarWinds hack proved, compromising a single component that many organizations trust gives adversaries a foothold in every one of them. Given the growing interdependence of utility systems, it is prudent to safeguard every pathway that could serve as a backdoor into a utility's critical infrastructure systems. 

Today’s third-party risk management teams require powerful solutions to help them identify, manage and remediate risk. ProcessUnity Vendor Risk Management streamlines and automates the vendor lifecycle – from initial onboarding to ongoing monitoring. To learn more, visit https://www.processunity.com/third-party-risk-management/