Resilient. Secure. Compliant. NERC CIP and ICS/OT Security. We keep you ahead of your adversaries - and your auditors.

Supply Chain Security

 

Know Your Stuff

 
 

CIP-013 - Supply chain risk management

Much of the NERC CIP-013 standard requires interaction with, participation from, and even dependence on the vendors of the relevant hardware, software and services related to BES Cyber Systems. The challenge is that the utility (Registered Entity) is ultimately on the hook for compliance, regardless of how the vendor performs. But how far do you need to go? What if the vendor doesn’t participate? Are you even sure you know all of the right vendors? With conflicting guidance and very little audit history to use as a reference, this standard can be very daunting. Ampyx Cyber can help you focus on what matters to ensure you are both compliant and secure.



Supply chain security practices for asset owners

The NERC CIP-013 Supply Chain Risk Management standard requires utilities to identify, assess, and mitigate cyber security risks by implementing a specific set of security controls as part of the procurement process. But CIP-013 is only one of many supply chain security motivators in an industrial organization’s universe of issues. Everything from Executive Orders to international standards and technology transformation is requiring a shift in supply chain security practices. Ampyx Cyber can help you find the intersection that meets your budget, resource, and risk targets.



Supply chain security practices for vendors

Industrial hardware, software, and service vendors are being pulled in a million different directions related to supply chain security. You need custom answers to individual utility questionnaires for NERC CIP-013. You need an SBOM, FBOM, HBOM. You need a PSIRT. You need an SDL. You need special staff or code or encryption for certain global regions. You may even need special production facilities for unique product lines. Ampyx Cyber can advise on successful common practices and help you navigate around the obstacles.