Three years ago, I managed the vendor evaluation process for a utility assessing wireless options for telecom connectivity to substations. The field was limited to two vendors and cybersecurity was an important topic we wanted to explore in more detail with each. One specific area we sought to understand was the process used to address any cybersecurity issues that might arise with the proposed solutions.
One vendor had a notification process in which, once they became aware of a potential vulnerability, they proactively reached out to a select group of people within customer organizations to alert them to the issue and to what was being done to address it. The advantage of this approach is that, upon learning a vulnerability exists, you can implement interim measures to reduce the chance of its being exploited while the vendor works on a permanent solution.
The other vendor took a very different approach, where they only provided notification once a patch, fix, or work-around had been identified. Their rationale was that the fewer people aware of the vulnerability, the less likely it was that someone who might try to exploit such a vulnerability would learn of its existence.
While the client preferred the approach used by the first vendor, the evaluation of other features and performance favored the second vendor. At that time, the reasoning was that the second approach, while not optimal, was acceptable and that vendor was selected.
Fast forward to today: the decision process would need to be much different, as NERC CIP 013-1, Cyber Security Supply Chain Risk Management, moves through the approval and adoption process.
The current draft of NERC CIP 013-1 identifies six processes vendors providing products or services must have in place. One of these requires vendors to disclose known vulnerabilities related to the products or services. This compels vendors to proactively notify utilities of identified vulnerabilities which fall under the scope of NERC CIP.
While this will not become a requirement until the adoption of NERC CIP Version 7, utilities tend to make long-term buying decisions and commitments for things like telecommunications equipment, SCADA systems, distribution automation systems, and other key areas. As you enter into new agreements or renew existing agreements with these vendors, ensuring they understand and will comply with the future requirements related to NERC CIP 013-1 is more easily addressed up front than after the fact. And while most suppliers to the utility industry will likely comply with the new requirements, explicitly defining this in contracts gives you one less thing to worry about or scramble to address down the road.
The evolving landscape around NERC CIP has numerous implications—some obvious and some that are not so obvious. Are you prepared to operate your utility in this evolving landscape?