Supply Chain Standards Compliance Essentials, Lew Folkerth (PowerPoint PPT Presentation)



slide-1
SLIDE 1

Supply Chain Standards

Compliance Essentials

Lew Folkerth, Principal Reliability Consultant Monthly Compliance Call May 20, 2019

slide-2
SLIDE 2

Forward Together • ReliabilityFirst

Overview

  • Origin: FERC Order 829
  • Standards
    • CIP-013-1 R1, R2, R3
      ‒ Supply Chain Risk Management
    • CIP-005-6 R2 Parts 2.4, 2.5
      ‒ Vendor Remote Access
    • CIP-010-3 R1 Part 1.6
      ‒ Software Authenticity
  • Effective Date: July 1, 2020
  • Objectives
    • Software integrity and authenticity
    • Vendor remote access
    • Information system planning
    • Vendor risk management and procurement controls
  • Applicability
    • High/Med BES Cyber Systems
    • NERC Registered Entities – NOT Vendors

slide-3
SLIDE 3


CIP-013-1

  • R1 – Supply Chain Cyber Security Risk Management Plan (SCCSRMP)
    • Applicability: High/medium BES Cyber Systems (EACMS pending per Order 850)
    • R1.1 – Planning for Procurement
    • R1.2 – Processes for Procurement
      ‒ Six areas required to be addressed
  • R2 – Implement SCCSRMP
    • By 7/1/2020
  • R3 – Review & Obtain CIP Senior Manager Approval for SCCSRMP
    • By 7/1/2020
    • Every “CIP Year” (15 calendar months) thereafter

slide-4
SLIDE 4


CIP-005-6 R2 Parts 2.4 & 2.5

  • Part 2.4
    • Required: “Determine” active vendor remote access sessions
      ‒ Interactive
      ‒ System-to-system
    • Implied: Be able to determine sessions in near-real-time
  • Part 2.5
    • Required: Have methods to “disable” vendor remote access
    • Implied: Near-real-time response in order to prevent unauthorized operation of systems
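Part 2.4 asks the entity to be able to determine, at any moment, which vendor remote access sessions are active, split into interactive and system-to-system access. The following is an added example (not from the presentation, NERC or ReliabilityFirst) of that determination run over session logs. It assumes an Intermediate System (jump host or remote access server) that emits `SESSION_START` / `SESSION_END` lines in a `timestamp EVENT key=value ...` shape, and that vendor accounts carry a `vnd-` prefix; the log lines, account naming rule and protocol classification are all constructed for the example.

```python
"""Determine currently active vendor remote access sessions (CIP-005-6 Part 2.4).

Added illustration, not from the presentation. Assumes an Intermediate System
(jump host / remote access server) that logs SESSION_START and SESSION_END
events as 'timestamp EVENT key=value ...' lines, and that vendor accounts are
named with a 'vnd-' prefix. Log lines, naming rule and protocol sets are
constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

VENDOR_ACCOUNT_PREFIX = "vnd-"                          # assumed naming convention
INTERACTIVE_PROTOCOLS = {"rdp", "ssh", "https-portal"}  # a person at the keyboard
SYSTEM_PROTOCOLS = {"sftp", "api", "ipsec"}             # machine-to-machine

# Constructed sample log, as an Intermediate System might emit it.
SAMPLE_LOG = """\
2019-05-20T14:01:05Z SESSION_START id=s1 user=vnd-acme-jsmith proto=rdp dst=eacms-jump01
2019-05-20T14:03:10Z SESSION_START id=s2 user=vnd-acme-svc proto=sftp dst=hist01
2019-05-20T14:05:00Z SESSION_START id=s3 user=ops-mjones proto=ssh dst=rtu-gw02
2019-05-20T14:20:00Z SESSION_END id=s1
2019-05-20T14:25:30Z SESSION_START id=s4 user=vnd-globex-tech proto=ssh dst=ems-app01
"""
NOW = datetime(2019, 5, 20, 14, 30, 0)  # evaluation time (UTC), constructed


@dataclass
class Session:
    session_id: str
    user: str
    proto: str
    dst: str
    started: datetime
    ended: Optional[datetime] = None

    @property
    def is_vendor(self) -> bool:
        return self.user.startswith(VENDOR_ACCOUNT_PREFIX)

    @property
    def kind(self) -> str:
        """Part 2.4 distinguishes interactive from system-to-system access."""
        if self.proto in INTERACTIVE_PROTOCOLS:
            return "interactive"
        if self.proto in SYSTEM_PROTOCOLS:
            return "system-to-system"
        return "unclassified"  # still reported: unknown access must be reviewed

    def seconds_active(self, now: datetime) -> int:
        return int(((self.ended or now) - self.started).total_seconds())


def parse_log(text: str) -> Dict[str, Session]:
    """Fold start/end events into one Session record per session id."""
    sessions: Dict[str, Session] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_raw, event, *kv = line.split()
        fields = dict(tok.split("=", 1) for tok in kv)
        ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
        sid = fields["id"]
        if event == "SESSION_START":
            sessions[sid] = Session(sid, fields["user"], fields["proto"],
                                    fields.get("dst", "?"), ts)
        elif event == "SESSION_END" and sid in sessions:
            sessions[sid].ended = ts
    return sessions


def active_vendor_sessions(text: str, now: datetime) -> List[Session]:
    """Vendor sessions that have started and not ended as of `now`, oldest first."""
    return sorted(
        (s for s in parse_log(text).values()
         if s.is_vendor and s.started <= now and (s.ended is None or s.ended > now)),
        key=lambda s: s.started,
    )


def report(text: str, now: datetime) -> List[str]:
    """One line per active vendor session: the list a Part 2.5 'disable' action would work from."""
    return [f"{s.session_id} {s.user} {s.kind} -> {s.dst} active {s.seconds_active(now)}s"
            for s in active_vendor_sessions(text, now)]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG, NOW):
        print(row)
```

Against the constructed log, session s1 is excluded because it ended before the evaluation time, s3 is excluded because it is not a vendor account, and the two remaining vendor sessions come out classified one as system-to-system and one as interactive. Unclassified protocols are deliberately kept in the output rather than dropped, since an unknown access path is exactly the case a reviewer needs to see.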

slide-5
SLIDE 5


CIP-010-3 R1 Part 1.6

  • Part 1.6 – Verify Software Authenticity
    • Applies to:
      ‒ Operating systems or firmware
      ‒ Commercially available or open-source software
      ‒ Security patches
    • Part 1.6.1 – Identity of software source
    • Part 1.6.2 – Integrity of software obtained from source
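Part 1.6 splits software authenticity into two checks: that the package came from the vendor's legitimate source (1.6.1) and that the bytes obtained are the bytes the vendor published (1.6.2). The following is an added example (not from the presentation, NERC or ReliabilityFirst) of a pre-change check that records both. It assumes the entity keeps a record of each vendor's approved distribution host, and obtains the vendor-published SHA-256 of each package through a channel separate from the download itself (vendor portal, signed release notes); the hosts, package bytes and digests are constructed for the example.

```python
"""Verify software source identity and integrity (CIP-010-3 R1 Part 1.6).

Added illustration, not from the presentation or from NERC/ReliabilityFirst.
Assumes the entity keeps (a) each vendor's approved distribution host, used
for Part 1.6.1, and (b) the vendor-published SHA-256 of each package, obtained
separately from the download, used for Part 1.6.2. Hosts, package bytes and
digests below are constructed for this example.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Set, Tuple
from urllib.parse import urlparse

# Assumed: populated from the entity's vendor records (hosts are constructed).
APPROVED_SOURCES: Dict[str, Set[str]] = {
    "acme-rtu-firmware": {"downloads.acme-example.com"},
    "globex-ems-patch": {"support.globex-example.com"},
}


@dataclass
class Package:
    name: str          # product key matching APPROVED_SOURCES
    source_url: str    # where the bytes were actually obtained from
    content: bytes


@dataclass
class Verdict:
    source_ok: bool
    integrity_ok: bool
    computed_sha256: str
    reason: str

    @property
    def approved(self) -> bool:
        # Both parts must pass before the change is allowed to proceed.
        return self.source_ok and self.integrity_ok


def verify_source(pkg: Package) -> Tuple[bool, str]:
    """Part 1.6.1: was the package obtained from the vendor's approved channel?"""
    url = urlparse(pkg.source_url)
    if url.scheme != "https":
        return False, f"source not TLS-protected ({url.scheme})"
    if url.hostname not in APPROVED_SOURCES.get(pkg.name, set()):
        return False, f"host {url.hostname!r} is not an approved source for {pkg.name}"
    return True, "source approved"


def verify_integrity(pkg: Package, published_sha256: str) -> Tuple[bool, str]:
    """Part 1.6.2: do the obtained bytes match the vendor-published digest?"""
    digest = hashlib.sha256(pkg.content).hexdigest()
    # Constant-time comparison; also tolerates an upper-case published digest.
    ok = hmac.compare_digest(digest, published_sha256.strip().lower())
    return ok, digest


def verify_package(pkg: Package, published_sha256: str) -> Verdict:
    """Combine both checks into one record suitable for the change evidence file."""
    source_ok, why = verify_source(pkg)
    integrity_ok, digest = verify_integrity(pkg, published_sha256)
    if source_ok and not integrity_ok:
        why = "digest mismatch: package altered in transit or wrong version"
    return Verdict(source_ok, integrity_ok, digest, why)


# --- constructed sample data -------------------------------------------------
FIRMWARE = b"ACME RTU firmware 4.2.1 image (constructed sample bytes)"
# In practice this value is copied from the vendor's published release record.
PUBLISHED_SHA256 = hashlib.sha256(FIRMWARE).hexdigest()

GOOD = Package("acme-rtu-firmware",
               "https://downloads.acme-example.com/rtu/4.2.1/fw.bin", FIRMWARE)
TAMPERED = Package("acme-rtu-firmware",
                   "https://downloads.acme-example.com/rtu/4.2.1/fw.bin", FIRMWARE + b"\x00")
MIRRORED = Package("acme-rtu-firmware",
                   "http://mirror.example.net/acme/fw.bin", FIRMWARE)

if __name__ == "__main__":
    for label, pkg in (("good", GOOD), ("tampered", TAMPERED), ("mirrored", MIRRORED)):
        v = verify_package(pkg, PUBLISHED_SHA256)
        print(f"{label:9} approved={v.approved} source_ok={v.source_ok} "
              f"integrity_ok={v.integrity_ok} ({v.reason})")
```

The three constructed packages exercise the two failure modes separately: the tampered copy comes from the right host but fails the digest, and the mirrored copy has the right bytes but was not obtained from an approved source, so neither is approved. A digest that the entity downloads from the same place as the package gives little assurance about 1.6.1; vendor digital signatures, where the vendor provides them, give stronger evidence of source identity than a host allowlist, and the `verify_source` step is where such a check would be added.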

slide-6
SLIDE 6


References

  • Origination – FERC Order 829:
    https://www.nerc.com/FilingsOrders/us/FERCOrdersRules/Order_SupplyChain_20160721_RM15-14.pdf
  • NERC Filing for Approval:
    https://www.nerc.com/FilingsOrders/us/NERC%20Filings%20to%20FERC%20DL/Petition%20Supply%20Chain%20Risk%20Management%20Filing.pdf
  • FERC Supply Chain NOPR:
    https://www.nerc.com/FilingsOrders/us/FERCOrdersRules/E-2_NOPR%20on%20Supply%20Chain.pdf
  • Approval – FERC Order 850:
    https://www.nerc.com/FilingsOrders/us/FERCOrdersRules/Order%20No.%20850%20Supply%20Chain%20Risk%20Management%20Reliability%20Standards.pdf
  • CIPC Supply Chain Working Group
    • Several guidelines in development:
      https://www.nerc.com/comm/Pages/Reliability-and-Security-Guidelines.aspx
    • Mailing list: Send request to Tom Hofstetter: Tom.Hofstetter@nerc.net
  • NIST Special Publications:
    • SP800-30 Guide to Conducting Risk Assessments:
      https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
    • SP800-39 Managing Information Security Risk:
      https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
    • SP800-161 Supply Chain Risk Management Practices:
      https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf
  • ERO Implementation Guidance:
    https://www.nerc.com/pa/comp/guidance/Pages/default.aspx
  • RF CIP Knowledge Center:
    https://rfirst.org/KnowledgeCenter/Risk%20Analysis/CIP/
    https://rfirst.org/KnowledgeCenter/Risk%20Analysis/CIP/CIP%20Library/0%20-%20Lighthouse%20Supply%20Chain%2029-31.pdf
  • Assist Visits:
    https://rfirst.org/ProgramAreas/EntityDev/AssistVisits/Pages/AssistVisits.aspx

slide-7
SLIDE 7


Questions & Answers

Forward Together ReliabilityFirst