I admit I’ve gotten very behind on my reading this year, but I was able to catch up some over the holidays. One thing I did was read Lew Folkerth’s columns (always called “The Lighthouse”) in the most recent RF newsletters[i]. Two of them were pure gems – there’s no other way to say it.
Lew’s July-August Lighthouse column was entitled “Software Vulnerability Management”, and can be found here. In the column, he starts by making the point that NERC entities should start considering their CIP patch management program to be part of their overall software vulnerability management program. He goes on to nicely fit the CIP patch management timeline into the overall vulnerability management timeline. He then describes three different cases for CIP-007 R2 patch management (and CIP-010 R3 vulnerability assessments), and how they fit into that timeline – as well as providing a good description of the CIP-007 R2 compliance process and what auditors will look for.
Lew’s November-December Lighthouse column is entitled “In-Depth Considerations for Electronic Access Points”; it can be found here. It differs from the other column in that it isn’t focused on compliance procedures; rather, it makes the point that it is very important to be careful about identifying and classifying your EAPs (for compliance reasons), and to make sure that all traffic flowing through an EAP, in either direction, is justified by documented rules.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] Lew is part of the Compliance Outreach group within RF, and is a former CIP auditor; he also contributes a lot to NERC efforts, such as participating in writing the CIP v5 RSAWs. I have referred to him often in these posts, including discussing articles he’s written for previous RF newsletters. You can find the complete RF newsletter archives here.
I wish to point out that none of the other NERC regions offers the kind of CIP commentary that Lew provides. This is probably because none of the other regions has Lew! And to be sure, it is also because I don’t think any of the other regions has an independent CIP outreach effort that isn’t staffed by the auditors themselves. Obviously, auditors can’t officially provide any compliance guidance that might be considered in some way an “interpretation” of the requirements.