So You Want to Achieve NERC CIP-013-1 Compliance…

Is an electricity provider’s supply chain its weakest link in the event of a cyberattack? The evidence is compelling that third parties often play unwitting roles. For example, the NotPetya ransomware attacks in mid-2017 originally gained a foothold via a backdoor in third-party accounting software.

To safeguard North America’s electricity supply, the North American Electric Reliability Corporation (NERC) has issued several critical infrastructure protection (CIP) standards. The CIP-013-1 standard, which was approved by FERC in the fall of 2018, addresses the vulnerabilities and threat vectors that external third parties in the supply chain can introduce to the Bulk Electric System (BES).

This CIP standard will be enforceable starting on July 1, 2020. Affected companies will need to be able to prove that they’re compliant within 18 months of the NERC CIP-013-1 effective date in order to avoid penalties. NERC is authorized to penalize registered entities up to $1 million per day per outstanding violation. For example, between 2016 and 2018, multiple penalties as high as $2.8 million were levied for a violation. Penalties could run even higher because reported penalty amounts don’t account for money spent by entities to remediate the violations.

Why is CIP-013-1 Required?

On a federal level, revisions of the NIST SP 800-53 standard ..
