NERC Security Guideline for the Vendor Risk Management Lifecycle

Use these guidelines to improve overall supply chain cyber security risk management for critical infrastructure organizations.


Acknowledging that many cyber security risks to critical infrastructure originate with third-party vendors, the North American Electric Reliability Corporation (NERC) has published a Security Guideline for the Vendor Risk Management Lifecycle. The Guideline provides examples of vendor risks and suggested mitigations that organizations should consider as they develop their overall supply chain cyber security risk management plans – not just for the bulk electric system (BES) but also for other critical infrastructure areas such as gas pipelines, electric power generation, transmission and distribution, and other areas.

This post examines the stages of the vendor risk lifecycle as identified in the NERC Security Guideline, and reviews best practices for mitigating cybersecurity risks to critical infrastructure at each stage.

Stages of the Vendor Risk Lifecycle

The NERC Security Guideline identifies the following stages of the vendor risk management lifecycle.

  1. Vendor identification through a Request for Proposal (RFP) or otherwise
  2. Procurement(s) from the vendor
  3. Installation and use of the product or service (including vendor support and patching)
  4. Termination of the vendor relationship

The Guideline then suggests that processes should be documented in the organization’s supply chain cyber security risk management plan for both information technology (IT) and operational technology (OT) environments at each stage of the lifecycle. We examine those stages next.

Mitigating Risks Before Procurement

Chapter 1 of the Guideline states that, “While deciding which vendors should be invited to participate in the RFP, the organization could consider the factors of approved entity lists, intelligence sources, and publicly available information (e.g., history of vulnerability handling, web site hygiene).”

To address this Guideline, compare firmographic details, fourth-party technologies, ESG scores, recent business and reputational insights, data breach history, and financial performance of potential vendors in a single table. Centralizing these insights in line with RFx responses gives you a holistic view of suppliers – both their fit for purpose as well as fit according to your organization’s risk appetite.

Additional suggested mitigations from Chapter 1, with corresponding best practices, are listed below.

Suggested mitigations from the Guideline:

* Gather information about the vendor's mitigation plans for specific supply chain cyber security risks, using a targeted assessment that contains only relevant questions.

* Include cyber security terms and conditions in the vendor contract, or identify the specific deliverables that must be measured.

* Provide supporting evidence, such as certifications or audit reports performed by qualified third-party assessors.

* Perform a procurement risk assessment.

* Mitigate all high risks identified in the procurement risk assessment.

Best practices:

* Use a customizable assessment to gather and correlate vendor controls to determine threats to systems and data, based on the criticality of the vendor.

* Collate data in a single risk register with heat map reporting that measures and categorizes risks based on likelihood and impact. With this insight, teams can easily see the consequences of a risk.

* Leverage a contract lifecycle management solution that centralizes the distribution, discussion, retention, and review of vendor contracts. Doing so ensures that key contractual provisions, such as key performance indicators (KPIs), key risk indicators (KRIs) and service level agreements (SLAs), are included in vendor contracts and enforced throughout the relationship.

* Request that the vendor provide a software bill of materials (SBOM) listing all components of their software and/or firmware that were developed by third parties.

* Centralize documents, supporting evidence and vendor certifications into a single vendor profile associated with completed vendor risk assessments and a central risk register.

* Deliver recommended remediations to vendors based on risk assessment results to ensure that vendors address risks in a timely and satisfactory manner. Track remediations to conclusion with defined owners – inside your organization and in your vendor's organization.

Assessing Risks

Chapter 2 of the Security Guideline states that, “Once a vendor relationship is in place and the organization has begun obtaining products or services from the vendor, the organization needs a process for continually identifying, assessing, and mitigating both residual and new risks posed by the vendor.” To accomplish this, the Guideline suggests steps including those listed below.

Suggested mitigations from the Guideline:

* Focus questions specifically on protecting remote access with multi-factor authentication.

* Use a questionnaire that asks only relevant questions.

* Maintain separate questionnaires for IT and OT vendors.

* Consider certifications such as ISO 27001 or SOC 2.

Best practices:

* Automate risk assessments to extend the visibility, efficiency and scale of your vendor risk management program across every stage of the vendor lifecycle.

* Leverage a library of hundreds of standardized assessment templates – including questionnaires that target IT and OT domains – with customization capabilities and built-in workflow and remediation, to automate everything from survey collection and analysis to risk rating and reporting.

* If the vendor is unable or unwilling to complete a standardized assessment, map its ISO certifications or SOC 2 reports into the central risk register view to manage risks from that vendor alongside the risks gathered from other vendors' assessments.

* Validate assessment results with continuous insights into cyber threats. Consolidating all intelligence into a “single pane of glass” will optimize your risk analysis efforts.

Mitigating Risks During Product/Service Use

Chapter 3 of the Guideline recommends that the organization ask the vendor to mitigate the risks identified in the assessment. The goal of mitigation is to reduce the likelihood and/or impact of each risk so that its value is brought down to an acceptable level.

The Guideline says this can be accomplished through RFP or contractual enforcement, but required remediations are also an important post-contract enforcement mechanism. Selected mitigations from the Guideline, with corresponding best practices, are listed below.

Suggested mitigations from the Guideline:

* Include language in the RFP that identifies security risks and the measures the vendor must take to mitigate them.

* Include contractual language that documents the vendor's commitment to implement specific security controls, provides for the organization to review the vendor's progress, and identifies methods for future communication on these matters.

* Define specific remediations.

Best practices:

* Centralize and automate the distribution, comparison, and management of requests for proposals (RFPs) and requests for information (RFIs) as part of vendor selection decisions. Doing so ensures that suppliers are selected based on critical cyber security measures.

* Centralize the distribution, discussion, retention, and review of supplier contracts. Managing supply contracts this way ensures that the proper security clauses and enforcement mechanisms are built into the contract.

* Deliver recommended remediations to suppliers based on risk assessment results to ensure that suppliers address risks in a timely and satisfactory manner. Track remediations to conclusion with defined owners – inside your organization and in your supplier's organization.

Verifying Risk Mitigation

Chapter 4 of the Guideline calls for verification that the vendor is complying with policies and mitigation steps. Possible actions include those listed below.

Suggested mitigations from the Guideline:

* Document and communicate to the vendor the performance gap, the expected service, and the applicable contractual terms or documented commitment.

* Inform the vendor that performance measures will be reflected in future scoring or evaluation for new purchases of products or services.

* Evaluate the possibility of terminating the vendor relationship.

Best practices:

* Customize surveys to make it easy to gather and analyze the necessary performance and contract data in a single risk register. Identify key contract attributes relating to SLAs or performance, populate those requirements in a central platform, and assign tasks to your own team and to your vendor for tracking purposes.

* Centrally measure vendor KPIs and KRIs against your requirements by automatically extracting them from the vendor contract.

* Suggest remediation recommendations to ensure that vendors address risks in a timely and satisfactory manner.

* When a termination or exit is required for critical services, leverage customizable surveys and workflows to report on system access, data destruction, access management, compliance with relevant laws, final payments, and more.

Purchasing, Terminating, and Transitioning

Chapter 5 of the Guideline reviews the procedures required to terminate a vendor relationship, including those listed below.

Suggested mitigations from the Guideline:

* Identify and mitigate the risks associated with termination or transition (for example, retention of sensitive information).

* Inventory the confidential information the vendor holds about the organization's systems and networks, and require the vendor to attest that all of that information has been deleted.

Best practices:

Automate contract assessments and offboarding procedures to reduce your organization's risk of post-contract exposure.

* Schedule tasks to review contracts and ensure all obligations have been met. Issue customizable contract assessments to evaluate status.

* Leverage customizable surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more.

* Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs and contracts. Leverage built-in automated document analysis based on AWS natural language processing and machine learning analytics to confirm that key criteria are addressed.

* Take actionable steps to reduce vendor risk with built-in remediation recommendations and guidance.

* Visualize and address compliance requirements by automatically mapping assessment results to any regulation or framework.

Next Steps: Meeting NERC Security Guidelines for the Vendor Risk Management Lifecycle

The NERC Security Guidelines for the Vendor Risk Management Lifecycle provide foundational recommendations for mitigating the cybersecurity risks introduced to your critical infrastructure organization. For help in implementing these best practices, schedule a demonstration today.

Editor's note: This article was originally published on Prevalent.net. In October 2024, Mitratech acquired Prevalent, the AI-enabled third-party risk management company. The content has since been updated to include information aligned with our product offering, regulatory changes, and compliance.