
Supply Chain Compromise

Risk Overview

Supply chain compromise is the manipulation of hardware, software, or the related delivery mechanisms by a malicious actor before the end user receives the product. It can also take the form of a malicious vendor employee acting in the capacity of an employee of the end-use organization (a crossover with the Malicious Insider Threat risk). Supply chain compromises can affect information technology (IT) systems, operational technology (OT) systems, or both, depending on the vendor or manufacturer. Supply chain compromise introduces third-party risk to the organization because it is not possible to extend the organization's own security controls all the way into the vendor's development environment.

Trends

Recommended Actions

Mitigating Activities

NERC’s CIP-013-2 standard requires registered entities to develop and implement supply chain security risk management plans for high and medium impact Bulk Electric System (BES) Cyber Systems and their associated physical and electronic access controls. Additionally, NERC’s Electricity Information Sharing and Analysis Center (E-ISAC) reduces cyber and physical security risks to the North American bulk power system by sharing information on threats and vulnerabilities and by helping to coordinate industry’s response. The E-ISAC hosts a Grid Security Conference (GridSecCon) annually and a coordinated grid security exercise and attack simulation (GridEx) every other year.

MRO formed a Security Advisory Council to help raise awareness of, and mitigate, regional security risks. The council hosts a weekly Security Threat Forum that provides a confidential mechanism for security experts across the region to meet and discuss the new and emerging threats they are seeing on the system. The Security Advisory Council also hosts several events throughout the year and publishes newsletter articles on emerging cyber and physical security risks.

Related Resources

The following NERC guidelines provide valuable information on different approaches for both entity and vendor risk management, the risks of using open-source software, and security measures for shipped equipment:

Related Documents

MRO 2024 Regional Risk Assessment

MRO publishes a Regional Risk Assessment (RRA, or "the assessment") each year to identify and prioritize risks to the reliable and secure operation of the regional bulk power system.

RRA Placemat

This two-sided document highlights the key findings and recommendations from MRO’s 2024 Regional Risk Assessment.
