The day after I published my post questioning whether CIP-013 was enforceable (based on comments by a friend of mine who works for one of the NERC regions), an auditor (from another region) emailed me his dissenting opinion. He said:
“The requirement is essentially that the Registered Entity ask for the elements of the required process(es), not that the vendor agree to them. Therefore, the Standard is correct in that the language of the resulting contract is not in scope. (The procurement steps include) the Request for Quotation or Bid, Request for Contract Amendment, and/or any other Registered Entity-initiated correspondence that sets forth the expectations to be placed upon the vendor. As long as I see the expectations in the procurement documents issued by the Registered Entity, they have satisfied the requirement.
“So, while I would readily argue that the Standard is weak as water, it is not unenforceable.”
I showed these comments to my friend (I should say other friend, since the auditor is also a good friend), and he had this (friendly) rejoinder:
“The ultimate goal of CIP-013 is to modify the terms of acquisition contracts used by the Responsible Entity:
“Quoting FERC Order 829 Page 59 (Note: this is the Order that directed NERC to develop a supply chain security standard): ‘The new or modified Reliability Standard must address the provision and verification of relevant security concepts in future contracts for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations.’
(My friend continues) “In keeping contracts out of scope for audits, CIP-013 does not fulfill the underlying purpose of the Standard. There may be some things that can be audited, but the auditors will be handicapped in reviewing evidence. They will not be able to audit that ICS contracts contain provisions which satisfy the security controls of R1, and they will not be able to verify that the entity enforces these controls.
“Ultimately, this version of CIP-013 does not fulfill the definition of a Risk-Based Requirement: ‘[D]efine actions by one or more entities that reduce a stated risk to the reliability of the Bulk Power System and can be measured by evaluating a particular product or outcome resulting from the required actions.’ [NERC Rules of Procedure, Appendix 3A Section 2.4] If the outcome cannot be measured, then the Requirement fails as a Risk-based Requirement.”
I’m not going to take a side in this debate. These two people know a lot more about auditing than I will ever know. If you have an opinion on this question, I’d like to see it. Of course, this wouldn’t be the first time that two Regions have disagreed on some aspect of CIP!
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.