Very few of my readers run electric utilities – those are the ones that these regulations apply to directly.
Then there are folks who are suppliers to utilities. And suppliers to those suppliers. The new regs require that utilities have a decent vendor cyber risk management program. That increases the pool of interested parties a bit.
Then there are those folks who use electricity and would appreciate it if their lights stay on. Except for those who run their own wind or solar farms, that is the rest of us.
And of course, last, but not least, there are other regulators who are going to watch and say “hey, that sounds like a good regulation; I think I will adopt it for people who do business in my industry or my state”.
So what is in the new regs?
The regulator is NERC – The North American Electric Reliability Corporation. NERC is a quasi-governmental agency that sets forth standards for the electric utilities to follow. They call the rules Critical Infrastructure Protection (CIP).
Note that I am only going to touch on the tip of the regulatory iceberg here, but I will give you a link to all of the CIP regs at the end in case you want to steal some of their ideas.
CIP 005-6 Electronic Security Perimeter
Note all the leading zeros in the rule number. Room for up to a thousand rules. Plus the sub-rules. That’s pretty scary.
This rule adds detailed requirements for firewalls, DMZs and network segmentation. Probably a good idea for everyone. This includes a requirement to be able to know how many active vendor remote sessions you have (as opposed to employees) and have a way to disable them. Again, probably a good idea for everyone.
CIP 010-3 Configuration Change Management and Vulnerability Assessments
Again, change control and vulnerability assessments should be things that everyone is doing anyway. One thing this requires is that you be able to validate that every piece of software in your supply chain. Can you do that? Do you even know what software is in your supply chain. Think of this as software bill of materials (BOM) on steroids. Once you do know what software is in your supply chain then that helps with vulnerability assessments. But how do you “validate” each piece of software? They suggest with crypto checksums for everything. Ask Equifax. It is not as easy as it sounds.
CIP 013-1 Supply chain risk management
This may well be the most complex part. Most companies have a lot of suppliers. Big companies have thousands. Small companies have hundreds. The number of vendors is amazing. They require a written program and remember, those vendors have vendors. And the whole process has to be signed off on by an executive who’s head is on the proverbial chopping block.
Check these CIPs out and see if any of them make sense to you. Then adopt them.
All of NERC’s CIP standards can be found here.
And, just in case you are thinking this is just some private regulator with no clout. Last year they fined an unnamed regulator (which everyone knows is Duke Energy) $10 million for violating the rules.