On July 21, 2016, FERC announced that it had “directed NERC to develop a forward-looking, objective-based Critical Infrastructure Protection (CIP) Reliability Standard that requires each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations.” Have you considered how to address this higher level of regulatory obligation?
As the complexity of the BES grows and security around critical technology systems escalates, the consequences of supply chain cyber risk that escapes the organization’s attention can be catastrophic. Organizations that adopt and implement strong, tactical cybersecurity risk management frameworks, coupled with effectively designed and implemented Internal Risk Control Systems (IRCS), are better positioned to anticipate, predict, and govern cybersecurity risks, vulnerabilities, and threats, and to proactively prepare for future cybersecurity and privacy regulations.
For the past year, the GridSME team has been benchmarking organizations such as NIST, NEMA, and the SANS Institute. We have been working with key clients to develop plans and roadmaps, and to conduct Cyber Supply Chain Assessments that identify and prioritize opportunities for improvement within the context of a realistic, continuous, and repeatable Cyber Supply Chain Risk Program that addresses the most pertinent cyber supply chain threats and vulnerabilities.
If you are interested in learning more about how we have prepared organizations for cyber supply chain risk, and how to articulate your plan and approach to regulators, feel free to give me a call (423-667-4938).
Earl Shockley, Vice President of Risk Management