The electricity sector is forging ahead with efforts to maintain a highly reliable and secure power grid in a complex and challenging operating environment. New and emerging tools and technologies that help system operators adapt to changes such as the evolving resource mix can also introduce new risks and vulnerabilities. Supply chain cyber security is a prime example. Industry must be more vigilant than ever in knowing what is accessing critical environments as new technology is deployed. MRO's 2024 Regional Risk Assessment highlighted supply chain compromise as a high-priority risk to the MRO region.
This article takes a closer look at what MRO staff has observed through its compliance oversight engagements of Reliability Standard CIP-013-2 Supply Chain Risk Management (SCRM) plan development and implementation.
Procurements and how we plan for them
A fundamental aspect of SCRM plans is to ensure that all applicable procurements are captured. The processes documented under CIP-013-2 R1 should guide the implementor(s) in ensuring the plan is applied to every applicable procurement as the plan instructs.
The processes need to include enough detail to ensure that planning a procurement of vendor equipment, software, or services, or a transition from one vendor to another, triggers implementation of the plan and its risk assessment process. Although not exhaustive, the following set of questions can be used by registered entities to assess the effectiveness of implemented plans and of the controls that ensure all applicable procurements are captured.
- Does the process capture procurements of vendor equipment or software from an existing vendor?
  - Regardless of prior relationships with, or prior risk assessments of, vendors and products, any equipment or software that is planned to enter an applicable system environment requires a risk assessment.
  - Further, if a registered entity defines what a procurement is, ensure the definition does not narrow the set of applicable procurements such that a risk assessment would not be conducted for equipment that becomes an applicable system.
- Does the process capture procurements of services resulting from transitions from one vendor to another?
  - There could be scenarios where a transition from one vendor to another was not initiated by the registered entity (e.g., a vendor merger or acquisition) but still affects software, services, or equipment. The SCRM plan should include processes that ensure the supply chain cyber security risks resulting from such a transition are assessed and addressed.
- Does the process capture emergency procurements?
  - The plan should include details for utilizing emergency processes, if applicable, and how the risks of an emergency procurement will be assessed and addressed.
Below are questions MRO staff might ask during compliance oversight engagements to gain further insight into a registered entity’s SCRM plan. Please note that this list is not comprehensive and is provided as an example. These questions might also be helpful when performing mandatory reviews or periodic maturity reviews of SCRM plans to ensure departments, people, and processes consider important aspects of the plan.
- Who or what process triggers the implementation of the plan?
- Who is responsible for identifying the procurements that require risk assessments?
- Who or what is responsible for performing the assessment?
- Are there controls implemented to ensure the assessment was completed?
- Are the individuals responsible for performing the assessment appropriate to assess the risk and mitigating measures?
- Are there any internal controls that would detect a procurement that did not get captured by the SCRM plan?
- Are there any internal controls in place that detect transitions from one vendor to another?
- Tabletop exercises for potential procurements:
  - Procuring and commissioning a new firewall from a new vendor.
  - Procuring and installing new software on a server inside the Electronic Security Perimeter (ESP).
  - Installing an EMS workstation replacement unit (due to a CIP-009 failure).
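Two of the questions above ask whether any internal control would detect a procurement that the SCRM plan did not capture, or a vendor transition that nobody assessed. One practical detective control is a periodic reconciliation of the asset inventory and purchase records against the risk assessment register. The script below is an added illustration written for this article, not MRO guidance or any entity's tooling; the record layouts, field names (`applicable`, `current_vendor`, `emergency`) and the sample rows are constructed for the example. It flags applicable procurements with no assessment (including emergency ones), assessments completed only after the order was placed, assessments that covered a different vendor than the purchase order, applicable assets with no procurement record at all, and assets whose vendor of record now differs from every vendor that was actually assessed (the merger-or-acquisition case).

```python
"""Detective control: reconcile in-scope procurements and vendor changes
against the SCRM risk-assessment register.

Added example only. Record layouts, field names and sample rows are
constructed for illustration; they are not MRO's or any entity's data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    asset_id: str
    applicable: bool      # is (or will become) an applicable system under CIP-013-2
    current_vendor: str   # vendor of record in the asset inventory today


@dataclass(frozen=True)
class Procurement:
    po_id: str
    asset_id: str
    vendor: str           # vendor named on the purchase order
    ordered: date
    emergency: bool = False


@dataclass(frozen=True)
class Assessment:
    po_id: str
    vendor: str           # vendor whose posture was actually assessed
    completed: date


def reconcile(assets, procurements, assessments):
    """Return sorted (identifier, finding) pairs for anything the SCRM plan
    should have captured but the assessment register does not show."""
    asset_by_id = {a.asset_id: a for a in assets}
    assessed = {a.po_id: a for a in assessments}
    findings = []

    # Pass 1: every applicable procurement needs a matching, timely assessment.
    for po in procurements:
        asset = asset_by_id.get(po.asset_id)
        if asset is None or not asset.applicable:
            continue  # out of scope; nothing to reconcile
        label = po.po_id + (" (emergency)" if po.emergency else "")
        rec = assessed.get(po.po_id)
        if rec is None:
            findings.append((label, "NO_RISK_ASSESSMENT"))
            continue
        if rec.completed > po.ordered:
            # The plan applies while *planning*; an assessment dated after the
            # order was placed is a sequencing gap the entity must explain.
            findings.append((label, "ASSESSED_AFTER_ORDER"))
        if rec.vendor != po.vendor:
            findings.append((label, "ASSESSED_VENDOR_DIFFERS_FROM_PO"))

    # Pass 2: vendor transitions and assets that never went through the plan.
    assessed_vendors = {}   # asset_id -> set of vendors covered by an assessment
    has_procurement = set()
    for po in procurements:
        has_procurement.add(po.asset_id)
        rec = assessed.get(po.po_id)
        if rec is not None:
            assessed_vendors.setdefault(po.asset_id, set()).add(rec.vendor)
    for asset in assets:
        if not asset.applicable:
            continue
        if asset.asset_id not in has_procurement:
            findings.append((asset.asset_id, "APPLICABLE_ASSET_WITHOUT_PROCUREMENT_RECORD"))
            continue
        covered = assessed_vendors.get(asset.asset_id, set())
        if covered and asset.current_vendor not in covered:
            findings.append((asset.asset_id, "VENDOR_TRANSITION_NOT_ASSESSED"))

    return sorted(findings)


# Constructed sample data: one clean PO, one emergency PO with no assessment,
# one asset whose vendor changed after an acquisition, one out-of-scope asset,
# one applicable asset with no PO, and one PO assessed after it was ordered.
ASSETS = [
    Asset("FW-01", True, "Vendor A"),
    Asset("EMS-WS-07", True, "Vendor B"),
    Asset("RTU-12", True, "Vendor D"),     # Vendor C was acquired by Vendor D
    Asset("PRN-03", False, "Vendor E"),    # office printer, not applicable
    Asset("HMI-02", True, "Vendor F"),
    Asset("SRV-05", True, "Vendor G"),
]
PROCUREMENTS = [
    Procurement("PO-1001", "FW-01", "Vendor A", date(2024, 1, 10)),
    Procurement("PO-1002", "EMS-WS-07", "Vendor B", date(2024, 2, 2), emergency=True),
    Procurement("PO-1003", "RTU-12", "Vendor C", date(2023, 11, 5)),
    Procurement("PO-1004", "PRN-03", "Vendor E", date(2024, 2, 20)),
    Procurement("PO-1005", "SRV-05", "Vendor G", date(2024, 3, 1)),
]
ASSESSMENTS = [
    Assessment("PO-1001", "Vendor A", date(2024, 1, 3)),
    Assessment("PO-1003", "Vendor C", date(2023, 10, 30)),
    Assessment("PO-1005", "Vendor G", date(2024, 3, 15)),
]


def sample_findings():
    return reconcile(ASSETS, PROCUREMENTS, ASSESSMENTS)


if __name__ == "__main__":
    for ident, finding in sample_findings():
        print(f"{ident}: {finding}")
```

Run on a schedule against the real inventory, purchasing and assessment systems, the output is the evidence that the control exists and what it caught; an empty result on a period in which purchases were made is itself worth a second look, since it may mean the inventory feed, not the plan, is the thing with a gap.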
Conducting the risk assessment
Implementation of the SCRM plan and processes should include documentation or evidence that the process steps were followed per the SCRM plan related to planning, assessing, and addressing supply chain cyber security risk for applicable procurements.
In reviewing an entity's implementation, MRO staff will seek to understand the practices that were carried out as part of the SCRM plan. Thus, appropriate evidence substantiating the completion of each process is necessary. Evidence may include the identification of risks, the information gathered to assess those risks, and a further demonstration that the information gathered was actually assessed. A plan may separate the processes and demonstrate each one differently, but it needs to show that the activity was conducted. Once an entity has captured information related to the risk and its mitigation, it must perform the assessment of that information. The assessment activity should be memorialized in evidence substantiating that it was conducted. The entity may choose the details it includes in the assessment, but MRO recommends enough detail to properly inform a future reviewer of how the risks have been addressed.
Specifically, for the risks in CIP-013-2 Part 1.2, which are required to be addressed, details of how each risk is being addressed should be included in the assessment. Documenting these details is valuable if a control changes, or if the threat landscape changes in a way that may affect a control.
Prior risk assessment information
CIP-013-2 Parts 1.1 and 1.2 apply to each procurement, so information from an existing risk assessment may be appropriate input to a future procurement. However, the assessment that relies on the existing risk assessment must itself be demonstrated. Information identified and assessed in the prior risk assessment can be input to the newly planned procurement and its risk assessment, but an entity is still required to demonstrate that the risk assessment was performed, regardless of whether the information used came from a prior assessment. Vendor postures and product risks can change, and the controls that address Part 1.2 risks may have been affected in the time since the prior risk assessment was completed. Diligence in assessing the risks of each procurement is a vital activity in addressing evolving supply chain security risks and threats as procurements occur.
Additional outreach material is available in the following MRO presentation: https://vimeo.com/showcase/7240022/video/429470104
Michael Spangenberg, Senior Risk Assessment Engineer, CIP, Midwest Reliability Organization