The NERC CIP-013 standard, approved by FERC in the fall of 2018 and enforceable as of October 2020, addresses cyber threats to the Bulk Electric System (BES) that come from the supply chain. The requirement states that utilities must “mitigate cyber security risks to the reliable operation of the BES by implementing security controls for supply chain risk management of BES Cyber Systems.” A lot has been said about the NERC CIP-013 standard: what it is and what it isn’t. There is no shortage of consulting firms willing and able to help with the program, policies and procedures. In fact, you should already be well past all of that, since even the extended compliance date has come and gone.
What has received less attention is how to protect your company using technology-based monitoring controls that provide technical backstops for your program, some of which you may already have with solutions like Industrial Defender. These controls are critical to keeping you on the right side of the NERC CIP-013 standard and to keeping the Violation Severity Factor to a minimum, since that factor is based on implementation failures of the sub-requirements of R1.2. As we’ve seen with previous NERC CIP standards, the need to show “continuous compliance” over the full audit period has often been the challenge, and it is best handled with automation.
The chart below walks through each of the more technically inclined sub-requirements of R1.2 of the NERC CIP-013 standard and how you can achieve some level of controls automation for a fundamentally sound compliance program. As they say, an ounce of prevention is worth a pound of cure, so we’ve also identified which controls are preventative and which are detective. Keep in mind that the controls and technology referenced in this chart don’t just help with compliance; they also build the cybersecurity foundation for all your OT systems. Many of these controls are referenced in the 20 CIS Controls and the NIST Cybersecurity Framework. If you are deciding on next year’s budget, focus on building your preventative controls first. However, choosing solutions that offer both preventative and detective measures will give you the highest return on investment.
P = Preventative
D = Detective
To learn more about how we can help you automate your NERC CIP-013 compliance, reach out to one of our OT security architects to discuss your unique needs.