For power and utilities organizations responsible for the Bulk Electric System (BES), the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards are the mandatory benchmarks for cyber and operational security. They’re detailed and demanding - designed to ensure that the grid remains resilient.
The complication is that maintaining compliance isn’t just about keeping your own house in order. This is particularly relevant for the energy sector, which relies on complex global supply chains that expose it to increased risk.
This is why NERC requires energy organizations to develop and implement vendor risk management and cybersecurity plans to maintain a level of control across the entire ecosystem, including the third-party software and applications that keep your critical infrastructure running - and the third-party vendors behind them.
As part of their mandated risk management strategy, organizations have leant on Escode’s software escrow and verification services to demonstrably help mitigate risk, strengthen business continuity, and support compliance.
Software escrow is a simple and effective third-party arrangement that securely stores source code, build instructions, and other vital assets. If your vendor finds they can no longer deliver, for example through bankruptcy, acquisition, or some other serious failure, the mutually agreed terms of your arrangement mean you get access to the assets you need to get your critical systems back up and running.
CIP-013-1: Supply Chain Risk Management
The CIP-013-1 standard requires registered entities to implement supply chain risk management plans for high and medium risk BES Cyber Systems by implementing security controls. Software escrow and verification can support compliance in the following areas within the standard:
CIP-009-7: Recovery Plans for BES Cyber Systems
This standard focuses on ensuring that BES Cyber Systems can be recovered following a cyber event. By using software escrow and verification, you can ensure that you can quickly get access to the critical software source code, documentation and instructions you need for recovery.
EOP-005-3: System Restoration from Blackstart Resource
This standard requires that system restoration plans incorporate processes and resources for Blackstart, the process for recovering from a total or partial shutdown of power infrastructure. Verification services document and test critical software code, so you have the confidence that when you need to recover and restore quickly, you’ll be able to access the code and documentation you need.
Compliance can feel like a mountain of mandates. But we all understand that behind every regulatory requirement is an essential need - keeping people safe, systems stable, and lights on across the continent.
Software escrow can help you with NERC CIP compliance in the following areas:
As the world leader in software escrow, Escode has many years of experience supporting organizations that are part of the Critical National Infrastructure, helping them maintain compliance by strengthening business continuity and tackling third-party risk.
It’s more than ticking boxes. It’s about building resilience.
Get your free guide to learn more and explore Software Escrow solutions.