Since the attack on the power grid in Ukraine, defending critical infrastructure against the threat of cyberattack has become a top priority. In an effort to strengthen supply chain risk management within the energy sector, the Federal Energy Regulatory Commission (FERC) approved new mandatory cybersecurity reliability standards from The North American Electric Reliability Corp. (NERC). As with all major updates to an organization’s internal policies and infrastructure, utility companies now face the task of conducting internal security audits, implementing technical upgrades and adjusting long-term budgets, which will create many challenges.
The new reliability standards don’t go into effect until the end of January 2019, and organizations need to be able to demonstrate compliance by July 1, 2020, leaving them just slightly longer than 18 months to prepare. As companies endeavor to make the necessary changes, Daniel Skees, partner with Morgan Lewis, said they will likely face five major challenges.
So, what are those challenges and how can utilities prepare for the rollout of the new standards?
Navigating the Procurement Process
To be able to demonstrate that arrangements with vendors meet the minimum supply chain cybersecurity requirements, regulating a company’s procurement process for the first time will be one of a handful of challenges because the evidence needed for compliance is generated through procurement with vendors, Skees said. “Traditionally, compliance in security has dealt with assets and making sure controls are in place. Things like audits and granting access is all done through compliance, IT and security.”
The challenge for the utility side is that procurement has to generate auditable paperwork showing it has attempted to enter into these provisions in their contracts with vendors.
“They will have to demonstrate that they tried to get vendor participation,” said Skees. “The regulations recognize that utility companies can’t always get contractual commitments from vendors. The standard allows them to have a process to address the issues, but they don’t have to have specific contractual language. Their compliance isn’t measured by the vendor’s ability to live up to commitment.”
Developing the Risk Management Plan
The risk management plan will be the foundation for demonstrating compliance. Developing and figuring out exactly what that will look like and who will be involved is no simple task.
Bringing Devices and Vendors into the Standard
According to Skees, utility companies will benefit from having a long ramp-up period to deal with the challenge of determining what devices and which vendor relationships will be brought into this standard. “These companies already have existing vendor contracts with specific cybersecurity terms, and the new standard doesn’t require that companies revisit and revise. Instead, it applies to new contract moving forward. Those are the relationships that are going to have to be subject to the new standard.”
The standard will require a big survey effort to determine the assets and the contracts for providing software and ongoing services, and the survey needs to be thorough—missing an asset could result in millions of dollars in fines.
Ability to Terminate External Access
Currently, utilities must have a mechanism to identify any external access from vendors or contractors that are providing support services. The new standard requires them to be able to identify instances when vendors are using that access and have the ability to terminate access if needed. “Right now it’s not required to have the ability to immediately cut that access off. The current requirement is to control the access,” Skees said.
Transitioning from Vendor to Vendor
By the time the new standards go into effect, entities are supposed to have the ability to make sure the cyber supply chain remains secure when transitioning from one vendor to another. “There’s not a lot of context behind what that is supposed to look like, which can result in some difficult conversations,” Skees said.
Companies have existing commitments and controls with a supplier, but realize perhaps that it’s not the right vendor, and they need to switch. Because companies need to address cybersecurity challenges as they drop one vendor and replace it with another, cooperation between the outgoing and incoming vendors will be necessary. However, that could prove to be mildly awkward, as the vendor being dropped has little incentive to play nice.
Additional Challenges to Consider
The new standards also raise some important concerns, as the intention is not to create a situation where companies are looking to do the bare minimum to meet the requirements necessary for compliance. In addition, “Everyone will need to realize that since they are going to be asking more from vendors, it will drive up the cost of those goods and services. They are asking vendors to do more, but doing more has a cost associated with it. If a vendor contractually commits to security controls, that requires investment, and it will cost more to get these services,” Skees said.
While it’s too early to figure out how much that cost is going to be, the changes that result from the effort to comply with the new standards could provide a good opportunity for vendors to differentiate themselves by understanding that the clients need these services. It’s also an opportunity to update cybersecurity provisions in general. Technology has changed the industry and risks have advanced, so vendors will need a number of cybersecurity offerings to have an updated IT contract.