If you’re looking for my pandemic posts, I’ve created a new blog for them. If you’re looking for my cyber/NERC CIP posts, you’re come to the right place.
NERC announced today that they’ve petitioned FERC to move back the compliance date for CIP-013-1, CIP-005-6 and CIP-010-3 to October 1. Moreover, they said that, due to the uncertainty regarding the length of the outbreak and the recovery, they “will continue to evaluate the circumstances to determine whether additional implementation delays may be warranted and submit any appropriate filings with FERC at that time.”
Of course, this is what I advocated, and I’m glad to see it happen. It’s needed for the obvious reason, but it’s also needed because I really don’t think many, if not most, NERC entities have really come to grips with what a good supply chain cyber security risk management plan should include. I’ve said many times that, given how little guidance the standard itself gives, it would be fairly easy to produce a pretty minimal plan that doesn’t really do very much, but would be strictly speaking compliant.
However, if you do this, you’re shortchanging yourself. Supply chain security and ransomware are the two greatest cyber threats worldwide now (and one could argue for either one to be the number one threat). Since you presumably have been given a few shekels to comply with CIP-013, why not at the same time do your organization (and the BES) a big favor and really consider what your supply chain security risks are, and how to mitigate them? As we all know, nothing brings in funding for cyber security better than the prospect of big fines. Don’t let this opportunity go to waste!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at email@example.com. Are you working on your CIP-013 plan and you would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!