Stay Up To Date With NERC CIP Changes
Finding guidance on supply chain security for energy control systems operators can be confusing and challenging, with multiple approaches, standards and maturity assessments available. This article outlines everything you need to know about the NERC CIP updates in the Energy Sector.
Australia currently has no clear mandatory minimum cyber security standard for business, although the ACSC issued a high alert in March 2022 urging businesses to adopt an enhanced cyber security posture considering the elevated threat environment.
Australian energy system operators draw on a number of domestic and international frameworks for guidance on technical design, engineering controls and governance. NERC CIP is a key example of a standard that covers supply chain management in the energy sector.
What is NERC CIP and how is it relevant?
The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) plan is a set of principles and standards aimed at regulating, enforcing, monitoring and managing the security of bulk electric systems in North America.
While NERC CIP is tailored to the cybersecurity of the North American energy market, much of it applies equally to Australian regulations and standards such as the Australian Energy Sector Cybersecurity Framework (AESCSF). The AESCSF, which aims to provide a framework for identifying and securing the critical assets that affect the efficient and reliable supply of electricity, largely references NERC CIP. The updated aspects of NERC CIP therefore remain relevant to the Australian market and can be used for guidance now, and similar aspects can be expected to be integrated into the AESCSF when it is periodically reviewed.
What are the new requirements?
The most recent NERC CIP updates for the US energy sector were released on 1st October 2022. They provide guidance for assessing and protecting the supply chain, an area that is commonly missed but can be a high-risk blind spot when securing industrial control systems.
The following is a list of the key changes:
CIP-005-7
The new requirements further refine remote access, notably the ongoing management of vendor remote access, including documented processes:
- Requirement R2, Part 2.4: Have one or more methods for determining active vendor remote access sessions (including Interactive Remote Access and system-to-system remote access).
- Requirement R2, Part 2.5: Have one or more method(s) to disable active vendor remote access (including Interactive Remote Access and system-to-system remote access).
- Requirement R3: Each Responsible Entity shall implement one or more documented processes that collectively include the applicable requirement parts in CIP-005-7 Table R3.
- Requirement R3, Part 3.1: Have one or more method(s) to determine authenticated vendor-initiated remote connections.
- Requirement R3, Part 3.2: Have one or more method(s) to terminate authenticated vendor-initiated remote connection sessions and control the ability to reconnect.
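As an added illustration of the Part 2.4 method (not code from the article or from NERC), the following Go snippet replays constructed access-gateway log lines and lists the vendor sessions that are still open, distinguishing interactive from system-to-system connections. The log format, account names and addresses are assumptions.

```go
package main

import "strings"

// Session is one remote-access session reconstructed from gateway logs. Kind is
// "interactive" or "system" (system-to-system), the two classes Part 2.4 names.
type Session struct{ ID, Account, Kind, Source string }

// SampleLog is constructed gateway output (not any product's real format):
// "<OPEN|CLOSE> id=<session> account=<user> kind=<interactive|system> src=<ip>".
var SampleLog = []string{
	"OPEN id=s1 account=vendorA-svc kind=system src=203.0.113.10",
	"OPEN id=s2 account=ops.jsmith kind=interactive src=10.1.2.3",
	"OPEN id=s3 account=vendorB-eng kind=interactive src=198.51.100.7",
	"CLOSE id=s1",
	"OPEN id=s4 account=vendorA-svc kind=system src=203.0.113.11",
}

// ActiveVendorSessions replays the log and returns, in log order, every session
// opened but not closed whose account the inventory (isVendor) marks as a vendor
// account. Unparsable lines and CLOSE events for unknown sessions are ignored.
func ActiveVendorSessions(logLines []string, isVendor map[string]bool) []Session {
	state := map[string]Session{} // last known state per session id
	var order []string
	for _, line := range logLines {
		event, rest, _ := strings.Cut(line, " ")
		attrs := map[string]string{}
		for _, kv := range strings.Fields(rest) {
			if k, v, ok := strings.Cut(kv, "="); ok {
				attrs[k] = v
			}
		}
		switch id := attrs["id"]; event {
		case "OPEN":
			if _, listed := state[id]; !listed {
				order = append(order, id)
			}
			state[id] = Session{id, attrs["account"], attrs["kind"], attrs["src"]}
		case "CLOSE":
			state[id] = Session{ID: id} // closed: empty Account marks it inactive
		}
	}
	var active []Session
	for _, id := range order {
		if s := state[id]; s.Account != "" && isVendor[s.Account] {
			active = append(active, s)
		}
	}
	return active
}
```

The returned list is the input to the Part 2.5 control: each entry identifies the session to terminate and the account whose reconnection should be blocked until the work is re-authorised.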
CIP-010-4
Software is an often-overlooked supply chain risk, and CIP-010-4 updates the requirements to ensure verification of the identity of a software source as well as the integrity of the software obtained from that source.
This is aimed at supply chain risks from malicious downloads via faked or corrupted vendor sites, where legitimate code may be replaced with malicious software.
The update also requires software to be verified before it is implemented: processes such as checking vendor certificates and hash values can confirm that the software obtained matches what the vendor published.
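An added example, not from the article, of the two CIP-010-4 checks in Go: the vendor is assumed to publish a signed SHA-256 manifest for each release, and the entity verifies the signature (source identity) before comparing the hash of the file it obtained (integrity). The manifest layout, key handling and file names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Manifest is a constructed vendor release manifest ("<filename> <sha256 hex>" per
// line) plus an Ed25519 signature; the vendor's public key is assumed to be obtained out of band.
type Manifest struct{ Body, Sig []byte }

// NewVendorKeys models the (hypothetical) vendor's signing key pair.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignManifest is the vendor-side step, included so the example runs offline.
func SignManifest(priv ed25519.PrivateKey, body string) Manifest {
	return Manifest{Body: []byte(body), Sig: ed25519.Sign(priv, []byte(body))}
}

func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyArtifact applies the two CIP-010-4 checks in order: source identity (the
// manifest really is the vendor's), then integrity (downloaded bytes match the entry).
func VerifyArtifact(vendorPub ed25519.PublicKey, m Manifest, name string, data []byte) error {
	if !ed25519.Verify(vendorPub, m.Body, m.Sig) {
		return fmt.Errorf("manifest signature invalid: source identity not verified")
	}
	for _, line := range strings.Split(string(m.Body), "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[0] == name {
			if strings.ToLower(f[1]) != Sha256Hex(data) {
				return fmt.Errorf("hash mismatch for %s: artifact altered or wrong file", name)
			}
			return nil // identity and integrity both verified; safe to stage for install
		}
	}
	return fmt.Errorf("no manifest entry for %s", name)
}
```

In practice the signing key would be a vendor code-signing certificate rather than a raw Ed25519 key, but the order of the checks is the point: an integrity hash is only meaningful once the manifest that carries it has been tied to the vendor.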
CIP-013-2
Risk management extensions are covered by CIP-013-2, which requires entities to identify, assess, evaluate and monitor risks to their Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS).
This includes developing supply chain risk management plans for these systems, applying those processes during their procurement, verifying all software (including patches) for these systems, and controlling vendor-initiated remote access to them.
What about Australian Guidance?
Anchoram advises that combining local and international guidance provides the best outcomes for the Australian energy market, and the continual revision of the AESCSF is an important step in keeping it relevant. Accordingly, it should be used as part of maturity assessments for Australian energy organisations to gauge their maturity.
Find out more about the AESCSF Program.
It is important to note that Australian regulations take precedence and should be complied with as the priority. Most recently, following a risk assessment, the Cyber and Infrastructure Security Centre (CISC) released a detailed advisory for the Energy Sector.
In summary, the NERC CIP updates provide guidance that can be used to further secure the supply chain and extend the focus to systems that may be overlooked but still play a key part in the provision of energy, namely the control systems and physical access controls.
Experts who understand the nuances between technical standards and maturity frameworks can be hard to find, which is why the Anchoram team is here to help Energy Sector clients navigate these challenges. For more information about how Anchoram can assist your organisation, contact us for Energy Sector-focused advisory services.