Managing supply chain risk in a transforming industry
The utilities market is transforming from what was once an analog market to one that is digital and more connected than ever. From more efficient data management to greater insight into how the organization is behaving, the digitized model helps utilities maintain better control over their environment.
Though utilities are better equipped, they still face the challenge of mitigating supply chain risk. As they digitize the grid, they work with more vendors, and each vendor can introduce vulnerabilities into their environment. Supply chain attacks are linked to an overwhelming 40% of all breaches.
In response, the North American Electric Reliability Corporation (NERC) is enforcing CIP-13, the supply chain risk management standard, which requires power utilities to have a supply chain risk management program in place.
Challenges in supply chain risk management
Power utilities struggle to identify their vendors, especially when buying through third-party resellers. In addition, not all vendors disclose their security practices publicly or make them easy to understand. This makes it challenging for utilities to comply with CIP-13.
Another issue is relationship management. Since the standard applies to the utility and not to the vendor, the utility is the one tasked with contacting the vendor for further details.
What questions should a power utility be asking its vendors in order to manage supply chain risk?
Here are six key questions to ask, along with our responses, for power utilities that are looking to comply with CIP-13.
What is your method for notification of cybersecurity incidents?
If the vendor is hacked or their confidential data is published online, for example, how does the vendor notify you, the utility?
Response from Genetec: We encourage our customers to stay informed on all of our security incidents by publishing them to the security advisory section of our website.
Also, an email is sent to all affected customers, with the option for anyone from the public to subscribe to our security advisory channel to receive notifications upon incident alerts.
What is your method for notification when remote or on-site access should no longer be granted to your personnel, to access company systems or facilities?
If the vendor has service personnel on-site at your facility, how would they notify you that a given person should no longer be there? For example, if a person is terminated, they should no longer have access to your important systems or facilities.
Response from Genetec: By default, Genetec doesn't have access to end-user systems. In the instance of a support case, a support member would be granted access or would request access to the end customer system via BeyondTrust™ (previously Bomgar) or TeamViewer, to troubleshoot the issue.
How does the vendor notify the customer when vulnerabilities exist in their platform?
Vulnerabilities might be in the product itself, such as in the firmware of a camera or access controller. It is important for vendors to notify their customers when such vulnerabilities are found, so the utility can assess exposure and schedule the fix.
Response from Genetec: Known vulnerabilities are published in our Genetec security advisory in conjunction with an update to our public-facing website. It's also included in our product release notes for our on-premises systems.
Anyone can also subscribe to these security advisory channels to stay on top of all these alerts via e-mail. Genetec also publishes automatic firmware updates to help power utilities keep pace with the latest updates.
What is your method for verification and notification of software integrity?
This question speaks to the possibility that someone could modify the software before it reaches your system or from inside it. For example, if an attacker gains access to the vendor's code repository or to its developers' machines, they could corrupt the software that is later installed at the utility.
Response from Genetec: Genetec Security Center binaries are signed with Windows Authenticode Technology, which ultimately ensures that binaries from Genetec haven't been tampered with. Power utilities can enforce this check in Windows, using the Windows AppLocker feature.
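As an added illustration of the check described above (not Genetec's code or procedure), the PowerShell below walks an install directory, verifies each binary's Authenticode signature and flags anything unsigned, tampered, or signed by an unexpected publisher; the install path and the expected signer subject are placeholders for the reader's own environment.

```powershell
# Added example, not vendor code: audit Authenticode signatures of installed binaries.
# $InstallDir and $ExpectedSubject are placeholders; substitute the real vendor install
# path and the subject of the vendor's code-signing certificate.
param(
    [string]$InstallDir      = 'C:\Program Files\ExampleVendor',   # placeholder path
    [string]$ExpectedSubject = 'CN=Example Vendor Inc'             # placeholder signer (substring match)
)

$results = Get-ChildItem -Path $InstallDir -Recurse -Include *.exe,*.dll -File |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            File    = $_.FullName
            Status  = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer  = $subject
            # Trusted only if the signature is valid AND the signer is the expected publisher
            Trusted = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedSubject*")
        }
    }

# Anything that is not Valid, or is Valid but signed by someone else, needs investigation:
# HashMismatch means the file changed after signing; NotSigned means the check cannot apply.
$results | Where-Object { -not $_.Trusted } | Format-Table File, Status, Signer -AutoSize

# Summary counts for the compliance record
$results | Group-Object Status | Select-Object Name, Count

# Optional: build AppLocker publisher rules from the signed files for review before
# deploying them through Group Policy (requires the AppLocker module on a supported SKU).
# Get-AppLockerFileInformation -Directory $InstallDir -Recurse |
#     New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml |
#     Out-File "$env:TEMP\vendor-applocker-rules.xml"
```

Run this after each vendor update as well as at install time, since a valid signature only proves the file is unchanged since the vendor signed it, not that the update itself was expected.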
What methods for interactive remote access do you support?
Interactive remote access is a human interacting with another system remotely, for instance anyone using remote screen-sharing options through WebEx, Zoom, or Teams to operate a system from elsewhere.
Response from Genetec: At Genetec, if a support case is created for troubleshooting reasons, support members can be granted access again via BeyondTrust™ (previously Bomgar) or TeamViewer to troubleshoot the issue.
What methods for system-to-system remote access do you support?
System-to-system remote access is two systems communicating without human intervention or action.
An example is an API communicating back and forth between systems. The CIP-13, CIP-5, and CIP-10 regulations require utilities to identify these forms of access quickly and to have the ability to disable them in the event of an incident.
Response from Genetec: Genetec does not, by default, engage in system-to-system remote access.
Complying with CIP-13
Those are the minimum questions you should be asking your vendors. You should also ask about their software development lifecycle, their incident response team, and their certifications (SOC, ISO), to name a few: anything that helps you build a better picture of your vendor's position on supply chain management.
Hopefully, your vendor responds well to these questions. Where the answers fall short, you may need to implement additional compensating controls of your own just to meet the regulations.
The regulatory obligation sits with the utility, not with the vendor. Because CIP-13 is a risk management standard, the utility does not have the option to simply accept the risk and move on.