Supply Chain Risk Management CIP-013-2

One of the most consequential cyberattacks in recent history was the SolarWinds compromise, in which Russian nation-state actors gained access to the networks, systems, and data of thousands of SolarWinds customers. It was a supply chain attack: the attackers inserted malicious code into builds of SolarWinds Orion, a network and systems management platform, and the trojanized updates were then delivered to customers through the vendor's normal update channel, giving the attackers a foothold in customer networks and a path to customer data. Compounding the damage was the time it took to discover the intrusion, more than a year from the initial compromise of SolarWinds' build environment, which left ample time to do significant harm.

NERC's CIP-013-2, Supply Chain Risk Management, is designed to mitigate supply chain risk to BES Cyber Systems. It requires an entity to have one or more documented supply chain cyber security risk management plans that address six elements concerning the vendor and the vendor's responsibilities to the entity where its products or services pose a cyber security risk: vendor notification of vendor-identified incidents, coordination of response to those incidents, notification when vendor remote or onsite access should no longer be granted, disclosure of known vulnerabilities in the vendor's products, verification of software integrity and authenticity for all software and patches, and coordination of controls for vendor-initiated remote access.

Entities must be able to demonstrate that the plan is implemented, for example through correspondence, policy documents, or working documents. The plan must also be reviewed and approved by the CIP Senior Manager or a delegate at least once every 15 calendar months, so that it stays current and picks up any new requirements that have arisen since the last review.

Implementing these requirements helps limit large, damaging attacks such as the SolarWinds Orion compromise. Pay particular attention to verifying the integrity and authenticity of all software and patches before they are installed, and to coordinating the controls that govern vendor-initiated remote access. One caveat: in the SolarWinds case the malicious Orion update was built and signed by the vendor itself, so checking a vendor signature alone would not have caught it; integrity verification should be paired with the vulnerability disclosure and incident notification elements of the plan and with monitoring of what installed software actually does. Ask your vendors to show that they follow secure development practices for their products, such as static and dynamic vulnerability scanning of their code and protection of their build and signing infrastructure.

Also remember that incidents of this kind must be reported promptly through the entity's Incident Response Plan(s), as required by CIP-003 and CIP-008. It is more important than ever to be familiar with those plans. Not only does this serve the entity well at the time of an incident, it also ensures that information about the event reaches the parties the plan names, so that others can act on it.
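The integrity verification element above is the one that lends itself to a concrete check. The following is an added example, not code from NERC or from any vendor, of how a patch set can be verified against a vendor-published SHA-256 manifest in sha256sum format before installation. File names and contents are constructed for the demonstration. A matching hash proves only that the files are the ones the manifest describes; authenticity depends on obtaining the manifest over a channel independent of the patch download, or on the manifest being signed with a vendor key verified out of band, which this example assumes has already been done.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large patch archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines ('<64 hex chars>  <filename>') into {filename: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum -b prefixes binary-mode names with '*'
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries


def verify_patch_set(patch_dir, manifest_text, manifest_name="SHA256SUMS"):
    """Return (ok, problems). Flags missing files, hash mismatches, and files not in the manifest."""
    expected = parse_manifest(manifest_text)
    problems = []
    for name, digest in expected.items():
        path = os.path.join(patch_dir, name)
        if not os.path.isfile(path):
            problems.append(f"missing: {name}")
            continue
        # compare_digest avoids timing side channels on the comparison itself.
        if not hmac.compare_digest(sha256_file(path), digest):
            problems.append(f"hash mismatch: {name}")
    # Anything the vendor did not list is suspicious in a patch directory.
    for name in sorted(os.listdir(patch_dir)):
        if name != manifest_name and name not in expected:
            problems.append(f"unlisted file: {name}")
    return (not problems, problems)


def demo():
    """Constructed scenario: a clean patch set, then the same set with one file tampered and one added."""
    with tempfile.TemporaryDirectory() as d:
        good_a = b"patch-A contents (constructed sample)\n"
        good_b = b"patch-B contents (constructed sample)\n"
        with open(os.path.join(d, "patch-A.bin"), "wb") as f:
            f.write(good_a)
        with open(os.path.join(d, "patch-B.bin"), "wb") as f:
            f.write(good_b)
        manifest = "\n".join([
            "# constructed vendor manifest",
            f"{hashlib.sha256(good_a).hexdigest()}  patch-A.bin",
            f"{hashlib.sha256(good_b).hexdigest()}  *patch-B.bin",
        ])
        clean = verify_patch_set(d, manifest)

        # Simulate a supply-chain modification: patch-B altered, an extra unlisted DLL dropped in.
        with open(os.path.join(d, "patch-B.bin"), "wb") as f:
            f.write(good_b + b"\x00injected")
        with open(os.path.join(d, "extra.dll"), "wb") as f:
            f.write(b"unexpected")
        dirty = verify_patch_set(d, manifest)
    return clean, dirty


if __name__ == "__main__":
    clean, dirty = demo()
    print("clean set:", clean)
    print("tampered set:", dirty)
```

The check refuses the whole set if any listed file is missing or altered, and it also reports files the manifest does not mention, since a dropped-in binary is exactly what a compromised update channel would deliver. Wire `verify_patch_set` into the patch staging step so that nothing reaches a BES Cyber System until it returns `ok`.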