Electric Utility Sector Third Party Risk: FERC Order No. 850
As of December 2018, the supply chain risk management reliability standards approved by the Federal Energy Regulatory Commission (FERC) in Order No. 850 are in effect; the standards themselves carry an 18-month implementation period before they become mandatory and enforceable.
Going forward, electric utilities must assess their vendors during planning and procurement to confirm an adequate security posture and controls. Utilities can make strides toward compliance with the three reliability standards the order approved (CIP-013-1, supply chain risk management; CIP-005-6, electronic security perimeters, including vendor remote access; CIP-010-3, configuration change management, including software integrity and authenticity) by implementing a vendor risk management program.
The order’s intention is to “improve the electric industry’s cybersecurity posture by requiring that entities mitigate certain cybersecurity risks.” In the area of vendor risk management, the order addresses the significant risk to utility systems when a procured product does not meet minimum security thresholds. A further objective is to ensure that a utility is notified promptly when a vendor is compromised and that vendor and utility incident response plans are coordinated. Below are five steps electric utilities can take to work toward compliance:
1. Develop and implement an assessment plan – Create and document a procurement assessment program. The program should review basic and advanced security controls for vendor hardware, software, and services associated with electric system operations. Our infographic on the 7 steps to create an effective vendor risk management program covers some best practices to help you get started.
2. Leverage an industry-standard framework – The standards require utilities to address vendor remote access approval processes and remote access security, vendor incident notification and coordinated incident response, verification of software integrity and authenticity, patch timelines/requirements, disclosure of known vulnerabilities, and more. Utilities can leverage a standard such as the Shared Assessments SIG to assess most if not all of these areas rather than building a custom questionnaire from scratch. Note that a questionnaire evidences the vendor’s commitments; CIP-010-3 still requires the utility itself to verify the identity of the software source and the integrity of the software it obtains before installation.
3. Craft training exercises for procurement and contract staff – Procurement and contract staff should understand the new process as well as how to conduct the assessment review. Training should be offered at onboarding and annually thereafter.
4. Review and negotiate incident notification/response clauses – After performing the assessment, negotiate the vendor contract to include minimum requirements for notifying the utility of breaches and security incidents, including how quickly notice must be given and how incident response will be coordinated.
5. Maintain documented, traceable, and readily available proof of execution – Utilities must be able to produce vendor communication, policy documents, and internal correspondence showing that the process was executed for each procurement. Centralizing the assessment workflow on a platform such as Privva can help alleviate this burden.
Order No. 850 should be seen as a leading indicator that further regulation is on the way, both for electric utilities and for other critical infrastructure sectors. With vendor risk management becoming a board-level discussion, we expect more regulation to follow.