NERC CIP-013-2 is one of the first enforceable, industry-specific software supply chain security standards in the United States. It came into effect 1 October 2020 as CIP-013-1, was updated to CIP-013-2 with an effective date of 1 January 2024, and it applies to Responsible Entities operating bulk electric system assets classified as high- or medium-impact under CIP-002-5.1a. The standard requires utilities to develop, implement, and periodically review supply chain risk management plans for the procurement and installation of BES Cyber Systems. The operational reality of complying with this while running an actual grid is where the story gets interesting.
The utilities sector has a specific profile that shapes how supply chain security works in practice. Equipment lifecycles are long: transformers run for forty years, substation automation gear for fifteen to twenty. Vendors are concentrated: Siemens, Hitachi Energy (formerly ABB Power Grids), Schneider Electric, GE Vernova, and a relatively small number of specialized suppliers cover most of the market. And the regulatory environment is specifically attuned to grid reliability, with FERC oversight, NERC enforcement, and Regional Entity audits that carry real financial consequences.
What CIP-013 actually requires
The standard is short as regulations go — two pages of requirements — but its implications run deep. R1 requires each Responsible Entity to develop one or more documented supply chain cyber security risk management plans for procuring BES Cyber Systems. R1.1 requires the plan to identify and assess cyber security risks from vendor products and services. R1.2 requires specific contract language addressing software integrity and authenticity, vendor remote access security, and incident notification. R2 requires the plan to be implemented. R3 requires the plan to be reviewed and approved by the CIP Senior Manager or delegate at least every fifteen calendar months.
The language that has produced the most engineering work is R1.2.1 — software integrity and authenticity — and R1.2.2 — vendor remote access security. These two subparts are where the SBOM conversation has landed for utilities, even though the standard does not use the term SBOM.
Software integrity in an OT environment
Verifying software integrity on a relay, an RTU, or an HMI is fundamentally different from verifying a web application. The software comes from the vendor on physical media or a secure download portal. It is installed during a commissioning window that may not recur for years. Once installed, updating the software may require taking the asset out of service, which in a grid context can require coordination with the reliability coordinator and a scheduled outage.
The control utilities have converged on for R1.2.1 compliance is hash verification against vendor-published reference values. When the vendor ships a firmware image, the utility verifies the hash matches what the vendor published. When the software is loaded onto the asset, the hash is recorded. When audit time comes, the Responsible Entity can produce evidence of each step.
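The receipt-and-install hash check described above, written out as an added example (not code from the article or from any vendor). It compares a firmware image against a vendor-published reference digest, refuses to treat an MD5 or SHA-1 match as integrity evidence, and builds the per-step evidence record an R1.2.1 audit asks for. The firmware bytes, the asset id and the reference list are constructed for the demonstration; the reference digest is computed in the script only so the sample is self-consistent, whereas in practice it is copied from the vendor's signed release notes or download portal.

```python
"""Firmware integrity verification against a vendor-published reference
hash, with an evidence record for each step (receipt, install).

Added example, not code from the original article or from any vendor.
The firmware bytes, asset id and reference list are constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Algorithms a vendor may still publish but that should never be accepted
# as integrity evidence: collisions are practical for MD5 and SHA-1.
WEAK_ALGORITHMS = {"md5", "sha1"}

# Constructed firmware image standing in for a file read from vendor media.
FIRMWARE_IMAGE = b"RELAY-FW-4.2.1\x00" + bytes(range(256)) * 4

# Constructed reference list. Computed here only so the sample is
# self-consistent; real values come from the vendor's published release data.
VENDOR_REFERENCE = {
    "relay-fw-4.2.1.bin": {
        "algorithm": "sha256",
        "digest": hashlib.sha256(FIRMWARE_IMAGE).hexdigest(),
    },
}


def compute_digest(data: bytes, algorithm: str) -> str:
    """Return the lowercase hex digest of data under the named algorithm."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def verify_firmware(filename: str, data: bytes, reference: dict) -> dict:
    """Compare the image against the vendor reference for filename.

    'match' is True only when the digest agrees with the published value.
    A missing reference or a weak algorithm never yields a match: the
    utility has no basis to claim integrity in either case.
    """
    entry = reference.get(filename)
    if entry is None:
        return {"filename": filename, "match": False,
                "reason": "no vendor reference for this file"}
    algorithm = entry["algorithm"].lower()
    computed = compute_digest(data, algorithm)
    expected = entry["digest"].lower()
    # compare_digest does not leak where the strings diverge via timing.
    matched = hmac.compare_digest(computed, expected)
    result = {"filename": filename, "algorithm": algorithm,
              "computed": computed, "expected": expected, "match": matched}
    if algorithm in WEAK_ALGORITHMS:
        result["match"] = False
        result["reason"] = f"{algorithm} is not acceptable for integrity evidence"
    elif not matched:
        result["reason"] = "digest does not match vendor reference"
    return result


def evidence_record(asset_id: str, step: str, result: dict,
                    verified_by: str) -> dict:
    """Build the audit artefact recorded at receipt and again at install."""
    return {
        "asset_id": asset_id,
        "step": step,  # "receipt" or "install"
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "verified_by": verified_by,
        "result": result,
    }


if __name__ == "__main__":
    good = verify_firmware("relay-fw-4.2.1.bin", FIRMWARE_IMAGE, VENDOR_REFERENCE)
    print(json.dumps(evidence_record("SUB-07-RELAY-3", "receipt", good, "j.doe"), indent=2))
    # One trailing byte changed, as a corrupted or tampered download would be.
    bad = verify_firmware("relay-fw-4.2.1.bin", FIRMWARE_IMAGE + b"\x00", VENDOR_REFERENCE)
    print("tampered image accepted?", bad["match"])
```

The same verify call is run twice in practice, once when the media arrives and once on the commissioning host immediately before the load, and both records are retained; a hash that matched at receipt but not at install is exactly the case the two-step evidence is meant to expose.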
The practical gap that utilities have struggled with is hash verification for transitive components. A substation automation platform from one of the major vendors typically includes dozens of subcomponents — some the vendor's own, many third-party. When CVE-2021-44228 — log4shell — landed in December 2021, utilities spent weeks working with vendors to determine which assets were affected, because the asset-level hash told them nothing about what libraries were running inside the image.
Vendor remote access
R1.2.2 addresses vendor remote access, and the industry practice here has hardened noticeably since CIP-013 took effect. Vendor remote access into BES Cyber Systems is now almost universally brokered through Interactive Remote Access (IRA) systems — Cyber Asset Management tooling, privileged access management platforms, jump hosts that log every session. The vendor does not have direct access to the asset. The vendor connects to the utility's IRA platform, authenticates with multi-factor authentication, and operates through a supervised session.
This has had a side effect that has been quietly important for supply chain security: it creates a chokepoint where the utility can inspect what the vendor is actually doing on the asset. Commands can be reviewed. Files transferred can be scanned. Patterns that look like credential theft or persistence installation can be detected.
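What that review at the chokepoint can look like, as an added example that is not code from the article or from any IRA product: a small reviewer that walks the exported log of one brokered session, flags file transfers whose digest was not pre-approved in the change ticket, and flags commands matching a handful of persistence and credential-store patterns. The log format, the session lines, the asset names and the approved-digest set are all constructed; real IRA platforms each have their own export format, and a production ruleset would be far longer and tuned per device platform.

```python
"""Review of a brokered vendor remote-access session log for unapproved
file transfers and persistence or credential-store patterns.

Added example, not code from the original article or from any IRA product.
The log format, session lines, asset names and approved digests are
constructed for the demonstration.
"""
import re
import shlex

# Constructed export of one supervised session: key=value fields, quoted
# where a value contains spaces.
SESSION_LOG = """\
2024-03-12T02:14:05Z session=S1042 vendor=acme asset=SUB-07-RTU1 type=cmd text="show version"
2024-03-12T02:15:40Z session=S1042 vendor=acme asset=SUB-07-RTU1 type=xfer file=rtu-fw-3.8.bin sha256=ab12cd34
2024-03-12T02:16:02Z session=S1042 vendor=acme asset=SUB-07-RTU1 type=cmd text="useradd -m svc_maint"
2024-03-12T02:16:30Z session=S1042 vendor=acme asset=SUB-07-RTU1 type=cmd text="cat /etc/shadow"
2024-03-12T02:17:11Z session=S1042 vendor=acme asset=SUB-07-RTU1 type=xfer file=helper.sh sha256=ff00ff00
2024-03-12T02:18:00Z session=S1042 vendor=acme asset=SUB-07-RTU1 type=cmd text="reboot"
"""

# Digests of files the change ticket pre-approved for transfer (constructed).
APPROVED_TRANSFERS = {"ab12cd34"}

# (rule name, compiled pattern). Deliberately short; a real ruleset is
# longer and platform-specific.
COMMAND_RULES = [
    ("new_local_account",
     re.compile(r"\b(useradd|adduser|net\s+user\s+\S+\s+\S+\s+/add)\b", re.I)),
    ("service_or_task_created",
     re.compile(r"\b(systemctl\s+enable|sc\s+create|schtasks\s+/create|crontab\s+-)", re.I)),
    ("credential_store_read",
     re.compile(r"/etc/shadow\b|\bSAM\b", re.I)),
]


def parse_line(line: str) -> dict:
    """Turn 'ts k=v k="v v"' into a dict; the timestamp is stored as 'ts'."""
    parts = shlex.split(line)
    record = {"ts": parts[0]}
    for field in parts[1:]:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def review_session(log_text: str, approved: set) -> list:
    """Return one finding per suspicious event, in log order."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        base = {"ts": rec["ts"], "session": rec.get("session"), "asset": rec.get("asset")}
        if rec.get("type") == "xfer" and rec.get("sha256") not in approved:
            findings.append({**base, "rule": "unapproved_file_transfer",
                             "detail": rec.get("file")})
        elif rec.get("type") == "cmd":
            for name, pattern in COMMAND_RULES:
                if pattern.search(rec.get("text", "")):
                    findings.append({**base, "rule": name, "detail": rec["text"]})
    return findings


if __name__ == "__main__":
    for f in review_session(SESSION_LOG, APPROVED_TRANSFERS):
        print(f"{f['ts']} {f['session']} {f['asset']} {f['rule']}: {f['detail']}")
```

Run against the constructed session, the reviewer raises three findings: the new local account, the read of the credential store, and the transfer of helper.sh, whose digest was not on the ticket. The approved firmware transfer and the routine commands pass without comment, which is the point: the chokepoint makes the session reviewable without making every vendor action an alert.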
The CIP-013-2 updates
The revision from CIP-013-1 to CIP-013-2, approved by FERC on 21 January 2022 and effective 1 January 2024, expanded applicability to include Electronic Access Control and Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) associated with high- and medium-impact BES Cyber Systems. This was a meaningful expansion. EACMS includes the firewalls, intrusion detection systems, and access control servers that sit between BES Cyber Systems and the corporate network. PACS includes the badge readers and physical-access controls that protect the rooms the BES Cyber Systems live in.
Before CIP-013-2, a utility could meet CIP-013 obligations with a procurement program that covered the relays and RTUs but not the firewall in front of them. That gap is now closed. Utilities spent most of 2022 and 2023 retrofitting their supply chain risk management plans to cover EACMS and PACS, and 2024 has been the first full compliance year under the expanded scope.
Incidents that shaped the thinking
Several incidents have shaped how utilities think about supply chain risk. The 2015 and 2016 Ukraine power grid attacks attributed to Sandworm, which used the BlackEnergy and Industroyer toolkits respectively, demonstrated that adversaries would specifically target grid control software. The 2020 SolarWinds Orion compromise hit several utilities in the United States, because Orion was widely deployed in utility IT networks and sometimes touched OT-adjacent systems. The Cyclops Blink botnet disclosure by CISA and NCSC in February 2022 showed Sandworm continuing to compromise edge networking gear — WatchGuard and later ASUS devices — that sits on the perimeter of many utility networks.
More recently, the Volt Typhoon activity described in the 7 February 2024 CISA, NSA, and FBI advisory AA24-038A brought a specific focus. The advisory described PRC-sponsored actors living in US critical infrastructure networks, including electric utilities, with pre-positioning apparently intended to enable disruptive action during a future conflict. The tradecraft described — living off the land, use of legitimate administrative tools, long dwell times — is exactly the profile that is hardest to detect without the kind of inventory and attestation that CIP-013 was designed to build.
What utilities are doing in practice
The utilities that have operationalized CIP-013 well tend to share a few characteristics. They maintain a central inventory of BES Cyber Systems, EACMS, and PACS with asset-level software versions and hashes. They have a procurement process that routes every acquisition of CIP-scoped equipment through a supply chain risk review. They collect SBOMs or equivalent software composition evidence from vendors on a defined cadence, and they correlate that evidence against the CVE feeds that ICS-CERT and vendor advisories publish.
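The correlation step in that last sentence, and the transitive-component gap described earlier under software integrity, come together in the following added example (not code from the article or from any SBOM tool). It takes per-asset component lists derived from vendor SBOMs, compares each component version against a vulnerability feed with an inclusive "introduced" and exclusive "fixed" bound, and lists the assets that are actually affected. The inventory, the component lists and the feed are constructed; CVE-2021-44228 is the one CVE the article names, its affected range is simplified to the main 2.x line, and the second feed entry uses a placeholder id for a made-up component. The version comparison is the part worth studying: a naive string compare gets "2.0-beta9" versus "2.15.0" wrong, and that is precisely the lower bound of the log4shell range.

```python
"""Correlate per-asset SBOM-derived component lists against a
vulnerability feed to find the assets actually running affected versions.

Added example, not code from the original article or from any SBOM tool.
The inventory, component lists and feed entries are constructed; the
second feed entry carries a placeholder id for a made-up component.
"""
import re

# Constructed inventory: asset id -> (component, version) pairs taken from
# the SBOM supplied for the installed image.
INVENTORY = {
    "SUB-07-HMI1": [("log4j-core", "2.14.1"), ("openssl", "1.1.1k")],
    "SUB-07-RTU2": [("log4j-core", "2.17.1")],
    "SUB-09-GW1":  [("log4j-core", "2.0-beta9"), ("hmi-runtime", "3.1")],
}

# Constructed feed. 'introduced' is inclusive, 'fixed' is exclusive. The
# log4j range is simplified to the 2.x line for the demonstration.
VULN_FEED = [
    {"id": "CVE-2021-44228", "component": "log4j-core",
     "introduced": "2.0-beta9", "fixed": "2.15.0"},
    {"id": "CVE-PLACEHOLDER-0001", "component": "hmi-runtime",  # placeholder id
     "introduced": "3.0", "fixed": "3.2"},
]

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version: str) -> list:
    """Tokenise a version so numeric parts compare numerically and a
    pre-release tag (2.0-beta9) sorts before the bare release (2.0)."""
    return [(1, int(tok)) if tok.isdigit() else (0, tok.lower())
            for tok in _TOKEN.findall(version)]


def version_lt(a: str, b: str) -> bool:
    """True when version a is strictly older than version b."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    # Pad with numeric zero so '2.0' == '2.0.0' and '2.0-beta9' < '2.0'.
    ka += [(1, 0)] * (width - len(ka))
    kb += [(1, 0)] * (width - len(kb))
    return ka < kb


def is_affected(version: str, entry: dict) -> bool:
    """introduced <= version < fixed."""
    return (not version_lt(version, entry["introduced"])
            and version_lt(version, entry["fixed"]))


def correlate(inventory: dict, feed: list) -> list:
    """Return sorted (asset, component, version, vuln id) tuples for every hit."""
    hits = []
    for asset, components in inventory.items():
        for name, version in components:
            for entry in feed:
                if entry["component"] == name and is_affected(version, entry):
                    hits.append((asset, name, version, entry["id"]))
    return sorted(hits)


if __name__ == "__main__":
    for asset, name, version, vuln in correlate(INVENTORY, VULN_FEED):
        print(f"{asset}: {name} {version} affected by {vuln}")
```

On the constructed data the HMI at 2.14.1 and the gateway at 2.0-beta9 are reported for CVE-2021-44228 while the RTU at 2.17.1 is not; this is the asset-level answer that an image hash alone cannot give. Vendor-specific version schemes (OpenSSL's letter suffixes, for instance, where the letter marks a later release rather than a pre-release) need their own comparator, which is why the SBOM evidence is only as useful as the cadence and consistency with which vendors supply it.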
They also have compensating-control documentation for assets where the vendor cannot provide the level of evidence the standard contemplates. For legacy equipment from vendors who have exited the market, the compensating control is usually a combination of network segmentation, enhanced monitoring, and a documented retirement plan.
The forward-looking angle
Reports from the NERC Reliability and Security Technical Committee through 2023 and 2024 have pointed toward further evolution of CIP-013. The draft revisions currently under consideration would add more specificity around SBOM requirements and shorten some notification timelines. FERC Order No. 887, issued in January 2023, directed NERC to develop new or modified CIP standards for internal network security monitoring — an area that overlaps with the supply chain story because detecting living-off-the-land activity inside the ESP is how you catch the post-compromise phase of a supply chain attack.
How Safeguard Helps
Safeguard provides the software inventory and SBOM coverage that CIP-013-2 now expects across BES Cyber Systems, EACMS, and PACS, with reachability analysis that lets grid operators focus on the CVEs actually exercised in their deployed firmware rather than the transitive noise. Griffin AI correlates CISA, ICS-CERT, and vendor advisories — including Volt Typhoon IOCs from AA24-038A — against your asset inventory so the CIP Senior Manager has current, evidence-ready findings. Our TPRM module tracks Siemens, Hitachi Energy, Schneider Electric, and your other BES vendors against live threat intelligence and attestation status, feeding directly into your R1.1 risk assessments. Policy gates enforce vendor software integrity checks and block promotion of firmware whose hash does not match the vendor's published reference, giving auditors the R1.2.1 evidence trail the standard requires.