A cyberattack begins with a pathway into your organization. As a small electric cooperative with a supply chain, are you doing all you can to protect your members and the bulk electric systems?

NRECA and the American Public Power Association are here to help. Each association has programs to support its members as they work to improve both cybersecurity and physical security, including procurement and supply chain procedures.

In a new white paper, NRECA and APPA examine a swath of small utilities and identify their best practices in managing supply chain cyber risks across several areas, such as utility organization, vendor selection and vendor remote access to systems.

Here are a few of those best practices:

  • Improve coordination and cooperation between departments within an organization.

  • Reduce the number of vendors, which can allow for better relationships with those vendors.

  • Restrict vendor remote access to specific service requests.

  • Thoroughly test new software prior to installation.

  • Test patches prior to their implementation, which mitigates supply chain risk.

NRECA and APPA support standards by the North American Electric Reliability Corp. that apply to cybersecurity supply chain risks for utilities that carry medium and high impact on the bulk electric systems. The standards address supply chain risks by setting goals for utilities and providing them flexibility in how to achieve those goals.

"By protecting medium and high impact bulk electric systems, NERC's supply chain standards have the potential to indirectly reduce supply chain risk for all BES cyber systems," said Barry Lawson, NRECA senior director, regulatory affairs.

"For example, large utilities can insist that vendors comply with their supply chain risk practices. In turn, those vendors may adopt those practices across the board, benefiting all utilities, big and small."

Check out the white paper: Managing Cyber Supply Chain Risk-Best Practices for Small Entities