Supply Chain Risk Management Standards to be Developed as Part of NERC’s Critical Infrastructure Protection Security Mission

On July 21, 2016 the Federal Energy Regulatory Commission (FERC) directed the North American Electric Regulatory Commission (NERC) to develop a new supply chain risk management standard that addresses risks to information systems and related bulk electric system assets. The standard will cover a variety of issues including software integrity and authenticity, remote vendor access, vendor risk management and procurement controls.

In parallel the FERC also issued a Notice of Inquiry (NOI) to gather the public’s input on the protection of control centers used to monitor and control the bulk electric system in real-time, with particular interest in remote vendor access and application whitelisting. In this NOI, the FERC referred to the December 2015 attack on the Ukraine electric grid as an example of the need to update the current Critical Infrastructure Protection (CIP) standards.

These initiatives have a common interest in securing the communications that connect the electric utilities’ control centers to the outside world. This is an important step in mitigating future attacks on the Industrial Control Systems (ICS) that monitor and control equipment responsible for generating and transmitting power in North America. The efforts to continue to develop the CIP standards, and welcoming the industry’s expertise will help organizations to reduce the ICS attack surface by better managing the security of remote vendors and supply chain in general. To learn more about how CyberArk addresses the NERC CIP standards and requirements, read our white paper: Protecting the Grid: Addressing NERC CIP Requirements for Securing Privileged Accounts.

In June 2016, CyberArk introduced new cyber security capabilities for ICS to limit the progression of malware, better identify privileged account-related risks, and improve remote access security in industrial environments. We will share our perspective on the best practices organizations should follow to shore up security gaps in their supply chain and to secure access to sensitive assets. We plan to formally submit comments to the FERC on this NOI, and we encourage other industry experts to support the initiative.