The day after I published my post questioning whether CIP-013 was enforceable (based on comments by a friend of mine who works for one of the NERC regions), an auditor (from another region) emailed me his dissenting opinion. He said:
“The requirement is essentially that the Registered Entity ask for the elements of the required process(es), not that the vendor agree to them. Therefore, the Standard is correct in that the language of the resulting contract is not in scope. (The procurement steps include) the Request for Quotation or Bid, Request for Contract Amendment, and/or any other Registered Entity-initiated correspondence that sets forth the expectations to be placed upon the vendor. As long as I see the expectations in the procurement documents issued by the Registered Entity, they have satisfied the requirement.

“So, while I would readily argue that the Standard is weak as water, it is not unenforceable.”
I showed these comments to my friend (I should say other friend, since the auditor is also a good friend), and he had this (friendly) rejoinder:
“The ultimate goal of CIP-013 is to modify the terms of acquisition contracts used by the Responsible Entity:

“Quoting FERC Order 829 Page 59 (Note: this is the Order that NERC develop a supply chain security standard): ‘The new or modified Reliability Standard must address the provision and verification of relevant security concepts in future contracts for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations.’

(My friend continues) “In keeping contracts out of scope for audits, CIP-013 does not fulfill the underlying purpose of the Standard. There may be some things that can be audited, but the auditors will be handicapped in reviewing evidence. They will not be able to audit that ICS contracts contain provisions which satisfy the security controls of R1, and they will not be able to verify that the entity enforces these controls.

“Ultimately, this version of CIP-013 does not fulfill the definition of a Risk-Based Requirement: “[D]efine actions by one or more entities that reduce a stated risk to the reliability of the Bulk Power System and can be measured by evaluating a particular product or outcome resulting from the required actions.” [NERC Rules of Procedure, Appendix 3A Section 2.4] If the outcome cannot be measured, then the Requirement fails as a Risk-based Requirement.”
I’m not going to take a side in this debate. These two people know a lot more about auditing than I will ever know. If you have an opinion on this question, I’d like to see it. Of course, this wouldn’t be the first time that two Regions have disagreed on some aspect of CIP!
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.
So if I purchase my BES Cyber Asset (protective relay) off the shelf, all I have is a receipt. I have not requested a quote nor a bid. My procurement goes something like: I want relay xyz. Here is $. And they hand me the asset and my receipt. Not sure how to comply since there are no vendor negotiations at all.