Report details cyber supply chain risk management best practices

A new white paper from the American Public Power Association and the National Rural Electric Cooperative Association details best practices for cyber-related supply chain risk management being used by small registered entity members with low-impact bulk electric system cyber systems.


In August 2017, the North American Electric Reliability Corporation’s Board of Trustees approved a set of cybersecurity supply chain standards that were developed in response to a directive from the Federal Energy Regulatory Commission.

In conjunction with that action, the NERC Board of Trustees issued a resolution calling on the Association and NRECA to develop white papers addressing the best and leading cybersecurity supply chain risk management practices with a focus on small registered entities. The white paper was developed by the two trade associations in response to that resolution. The Large Public Power Council and the Transmission Access Policy Study Group were significant contributors to the white paper.

The Association and NRECA said that supply chain risk management for small registered entities must be understood in the context of the overall risk-based approach of NERC’s Critical Infrastructure Protection, or CIP, standards, which classify bulk electric system cyber systems as having low, medium, or high impact on the reliable operation of the BES. NERC’s requirements for protecting BES cyber systems are commensurate with those systems’ risk classification.

The trade groups said that consistent with that risk-based approach, and supported by the Association and NRECA, NERC’s supply chain standards “appropriately apply to medium and high impact BES cyber systems, which is intended to focus industry resources on protecting those systems that pose heightened risk, while not being overly burdensome or diverting resources toward protecting low-impact assets that have less risk to BES reliability.”

The standards address cybersecurity supply chain risks in a way that sets goals for registered entities, while allowing flexibility in how to achieve those goals, the white paper said. FERC has proposed to approve those standards.

Along with protecting medium and high impact BES cyber systems, NERC’s supply chain standards have the potential to indirectly reduce supply chain risk for all BES cyber systems, the Association and NRECA noted.

“When registered entities implement their processes and procedures to comply with the new supply chain standards for their medium and high impact BES cyber systems, they are likely to apply those same or similar processes and procedures more broadly to their procurement and vendor management practices across their organizations,” the white paper said. “And as larger registered entities with more bargaining power insist that vendors comply with new supply chain risk management practices, those vendors may well adopt those practices across the board benefitting purchasing for all utilities, big and small.”

According to the white paper, NERC has also undertaken, or intends to undertake, several activities to support industry’s implementation of the supply chain standards, as well as activities beyond the scope of the standards that will further lower supply chain risk.

These activities include exploring opportunities with product manufacturing standard bodies to address supply chain risks and looking at opportunities to assist stakeholders in developing an accreditation model for identifying vendors with strong supply chain risk management practices.

“If successful, these NERC efforts will help protect all BES cyber systems — including low impact — from supply chain risks,” the Association and NRECA said.

White paper identifies best practices

The white paper identifies a catalog of practices for supply chain risk management that small registered entities with low-impact BES cyber systems can consider.

“Each of these small registered entities with low impact BES cyber systems will need to factor in many considerations, such as staffing, resources, and their own unique circumstances in order to determine which of these practices are appropriate and realistic for their use,” the Association and NRECA said.

The practices reflect the result of extensive interviews of nine Association and NRECA members. The interviews showed that small registered entities with only low-impact BES cyber systems can, and do, implement appropriate supply chain management measures that help mitigate supply chain risk and can be considered best practices commensurate with the low risk that those entities pose to BES reliability.

Each practice detailed in the white paper is currently being implemented by one or more of the sampled member public power utilities and cooperatives, and, except where otherwise noted, by one or more of the sampled utilities and cooperatives that are small registered entities with only low-impact BES cyber systems.

The sampled public power utilities and cooperatives “are well aware of supply chain risks,” the white paper notes.

NRECA and the Association said that one of the largest risks is that of a malware campaign infecting a product with malicious code while the product is still within the control of the vendor, while another significant supply chain risk comes from employees of vendors who have remote access to BES cyber systems.

The white paper added: “Supply chain risk assessment is rapidly evolving, so new risks may emerge and existing risks may be diminished. And as NERC’s supply chain standards are implemented, larger entities subject to those standards and their vendors will likely evolve as to how they mitigate supply chain risks, which may result in more best practices for small registered entities to consider using to mitigate their lower-impact supply chain risk.”

The white paper summarizes best practices that are currently in use by one or more of the trade groups’ small members that have only low-impact BES cyber systems in five areas: (1) organization; (2) vendor selection; (3) vendor remote access to systems; (4) software integrity and authentication; and (5) software updates and patch management.

In addition, the white paper notes that smaller registered entities with low-impact BES cyber systems have other resources they can turn to as additional sources of information that may merit consideration in seeking to mitigate their supply chain risk.

Specifically, NRECA and the Association have programs in place to support their members as they work to improve the cyber and physical security of their organizations, including procurement and supply chain issues.

The white paper was provided to the NERC Board of Trustees as policy input on April 25 and it will also be submitted to the Federal Energy Regulatory Commission in a supply chain proceeding at the Commission (Docket No. RM17-13).