Risk Overview
Malicious manipulation of a vendor’s products, including hardware, software, services, or delivery, could impact multiple utilities and disrupt grid operations. The limited number of industrial control system vendors used to protect and control the bulk power system creates a broad threat to grid reliability. Because using third-party products carries inherent risk, utilities should require vendors to improve their respective controls and operating environments. This includes vetting vendors for foreign connections with known hostile nations.
Key Drivers and Trends
- Complex and interconnected supply chains for bulk power system software and equipment, with inherited trust relationships from suppliers.
- Growing reliance on common third-party providers across the industry.
- Adversaries exploiting supply chain complexity, with vendors being potential vectors of compromise at various stages of the product and service lifecycle.
- Increasing use of inverter-based resources connected to the bulk power system at lower voltage distribution levels, with rising reliance on third-party services.
Actions to Reduce Risk
- Assess the inherent risk of third-party vendors, including the impact of their cyber systems being compromised.
- Require vendors to improve controls and reduce risk through contractual agreements.
- Enhance equipment specifications and system architecture to make control systems more resilient to attacks.
- Vet vendors for foreign involvement and monitor changes in control, management, and financial health.
- Comply with NERC’s standards CIP-013-2 (Supply Chain Risk Management) and CIP-005-7 (Electronic Security Perimeter), which require that organizations develop supply chain risk management plans and manage vendor remote access. Consider the changes under the future standard CIP-013-3, which brings virtual cyber assets into scope.
- Review NERC-filed comments on FERC Notice of Potential Rule Making RM-24-4-000. In the filing, NERC supports identifying, assessing, and responding to supply chain risk, and requiring that all cyber equipment within a protected network be subject to supply chain security requirements.
Related Resources
The following NERC guidelines provide valuable information on different approaches for both entity and vendor risk management, the risks of using open-source software, and security measures for shipped equipment:
- Security Guideline Product Security Sourcing Guide provides recommendations for managing risks associated with vendors, including governance practices and risk mitigation strategies. The guide also addresses the importance of product vulnerability disclosure and considers geopolitical, product scarcity, and cloud connectivity product risks.
- Cyber Security Risk Management Lifecycle discusses an approach to managing risks to OT systems that operate the Bulk Electric System that originate in the supply chain. It covers key steps such as identifying, assessing, and mitigating risks, as well as procurement and installation practices. The guideline also emphasizes the importance of updating risk management plans regularly to adapt to evolving threats.
- Risk Considerations for Open Source Software provides information about risk factors of open-source software. It highlights issues such as the trustworthiness of software, the risk of malicious changes, and the challenges of maintaining and updating open-source components. Several case studies are presented to help understand the risks and illustrate how defensive principles can be applied. The guideline also provides recommendations for evaluating and mitigating these risks.
- Electricity Sector – Supply Chain Secure Equipment Delivery summarizes best practices to address supply chain risks that could occur to equipment during its shipment, handling, delivery, and storage. Choosing security measures for shipped equipment is a risk-informed decision based on the likelihood of compromise, the criticality of the equipment, and the probability of detecting tampering.
- Supply Chain Procurement Language highlights considerations for developing risk-based procurement language for contracts, one of the means by which an organization can formalize risk mitigation for the relationship between the organization and a vendor. The document aggregates procurement language examples.
- Vendor Incident Response provides recommendations for defining what constitutes a potential incident and discussing that definition with the vendor to ensure a common understanding, along with recommendations for coordinating responses to vendor-identified incidents, security control improvements, and lifecycle considerations.
- Vendor Risk Management Lifecycle describes how an organization can identify, assess, and mitigate vendor cyber security risks as well as document their vendor risk management program.
- Supply Chain Provenance refers to knowing a computer system’s heritage or that of its components. By knowing the system’s origin, development, ownership, location, changes to components, and accompanying data, the user is better able to identify and defend against cyber security threats that could have an adverse impact on the bulk power system. Provenance considerations are important for all stages of a system’s life cycle.
Defending Against Software Supply Chain Attacks by CISA and NIST explains how cybercriminals can infiltrate software vendors’ networks and insert malicious code into software before it reaches customers. The report provides recommendations for both software vendors and customers on how to identify, assess, and mitigate these risks using publicly available frameworks.