NERC Security Guideline for the Supply Chain Cyber Security Risk Management Lifecycle

In response to damaging supply chain attacks such as SolarWinds, Kaseya and Colonial Pipeline, the North American Electric Reliability Corporation (NERC) published a Security Guideline for the Supply Chain Cyber Security Risk Management Lifecycle. The Guideline recommends that critical infrastructure organizations such as electric utilities, natural gas providers and others identify, assess and mitigate supply chain cyber security risks to their critical operational technology (OT) assets. OT system disruptions, such as those cause by supply chain incidents, can cause utility outages and have wide-ranging and negative impacts on society as a whole.

This post examines the key steps in identifying, assessing and mitigating supply chain cyber security risks according to the NERC Security Guideline, and reviews best practices for reducing the risks to critical infrastructure.

Identifying Risks

Chapter 1 of the Guideline states that, “The organization’s first objective in the supply chain cyber security risk management process is to identify risks to its critical OT assets that could have a high impact, or a high likelihood of compromise, depending on the supplier.”

To address this Guideline, build:

• A two-axis scoring methodology based on likelihood of compromise and impact to the organization, creating a heat map-like matrix to plot risks into.
• Automated rules to assign scores if a supplier’s answer to an assessment question fails to achieve an acceptable risk threshold, thereby plotting risks into the matrix.
• Reporting to sort risks by the highest score in the matrix.
• Custom remediations to recommend to the supplier to mitigate the risk.

Preceding this, however, conduct a profiling and tiering assessment to track and quantify inherent risks for all suppliers. From this inherent risk assessment, your team can automatically classify and tier suppliers (including identifying those deemed as critical); set appropriate levels of further diligence off of this baseline; and determine the scope of ongoing assessments.

Assessing Risks

Chapter 2 of the Security Guideline states that, “Once the organization has identified risks, it needs to assess its vendors to determine the degree of risk they pose with respect to each risk that was identified; in most cases, the vendor assessment will be conducted via a questionnaire.”

To achieve this requirements, automate risk assessments to extend the visibility, efficiency and scale of your supply chain risk management program across every stage of the supplier lifecycle. Leverage a library that includes hundreds of standardized assessment templates, with customization capabilities and built-in workflow and remediation to automate everything from survey collection and analysis to risk rating and reporting. Be sure that your assessment platform of choice includes specific assessments for critical infrastructure reporting and best practices, such as the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity.

As part of the risk assessment process, continuously track and analyze external threats to suppliers by monitoring the Internet and dark web for cyber threats and vulnerabilities. Monitoring sources should include criminal forums; onion pages; dark web special access forums; threat feeds; paste sites for leaked credentials; security communities; code repositories; vulnerability databases; and data breach databases.

An important capability at this step is to correlate continuous monitoring results against assessment responses to validate controls. This cannot be accomplished by using spreadsheets for risk assessments or disjointed tools for cyber security monitoring.

Mitigating Risks

Chapter 3 of the Guideline recommends that the organization ask the vendor to mitigate risks identified in the assessment. The goal of risk mitigation should be to bring its value down to an acceptable level in order to reduce the likelihood and/or impact of the risk.

The Guideline says this can be accomplished through RFP or contractual enforcement, but required remediations are also an important post-contract enforcement. See some selected mitigations from the Guideline in the table below.