I have heard from an industry source that FERC recently asked at least one of the trade associations to answer two questions (they in turn circulated these to their members):
Q1: Which, if any, of the existing CIP requirements would you get rid of and why? Do any of these requirements harm/hinder security efforts?
Q2: What would a performance or results-based approach to the CIP Standards look like (e.g., a CIP-014 type approach)? Could it help to improve compliance efficiency and certainty as well as the security of the BES? How?
FERC didn’t ask for my opinion on these questions, but since I always try to be helpful, and since I have answered these multiple times in various posts but not in one place, here is how I would answer them if asked.
Regarding Q1, my answer is very simple: Just getting rid of particular CIP requirements and leaving others makes no sense (no more sense than the “2 for 1” rule – in which two regulations must be eliminated for every new rule – makes). The problem isn’t that some of the specific things that CIP makes entities do are unneeded while others are needed. Everything that CIP requires is needed, just not all to the same degree. Plus there’s a lot more that CIP doesn’t require – controls on phishing, ransomware protections, etc. – that is also very much needed.
And that’s the point (which also brings me to my answer to Q2): By requiring that NERC entities allocate large amounts of resources to particular areas like CIP-007 R2 patch management compliance and not requiring any resources be spent on areas like phishing[i], CIP forces a misallocation of an entity’s cyber dollars.
In an ideal standard, the entity would:
- a) come up with a list of current threats to its control of BES processes (and this list should ideally be generated externally by some group like the E-ISAC[ii]);
- b) get an assessment of its current control posture vis-à-vis these threats;
- c) from the list of vulnerabilities developed by that assessment, prioritize them by their degree of impact on control of the BES;
- d) develop a mitigation plan that allocates resources to each vulnerability based on its degree of impact;
- e) have their NERC Region review the plan and order changes if needed[iii];
- f) execute the plan;
- g) be audited by their Region on how well the entity had executed the plan[iv]; and
- h) rinse and repeat – execute the whole cycle every two or three years (for larger and riskier entities) or longer (for smaller and less-risky entities; of course, I’m talking about risk to the BES, not financial risk or something like that) – and the new vulnerability assessment must be based on the latest version of the “threat list”[v].
At one point I thought that CIP-014 was a good model for what I’m proposing, but I now think that it should have a lot more structure (like the above) if we’re talking about replacing CIP-002 through CIP-011. CIP-014 essentially tells the entity (that has assets in scope) to get an assessment and fix the problems, period. These are both steps in what I’m advocating, but they’re far from being the whole story.
I recently put together a list of the six principles (subject to later additions, of course; I don’t believe six is a magic number) that would govern the security regime I am advocating[vi]. They are:
- The process being protected needs to be clearly defined (the Bulk Electric System, the interstate gas transmission system, a safe water supply for City X, etc.).
- The compliance regime must be threat-based, meaning there needs to be a list of threats that each entity should address (or else demonstrate why a particular threat doesn’t apply to it).
- The list of threats needs to be regularly updated, as new threats emerge and perhaps some old ones become less important.
- While no particular steps will be prescribed to mitigate any threat, the entity will need to be able to show that what they have done to mitigate each threat has been effective[vii].
- Mitigations need to apply to all assets and cyber assets in the entity’s control, although the degree of mitigation required will depend on the risk that misuse or loss of the particular asset or cyber asset poses to the process being protected.
- It should be up to the entity to determine how it will prioritize its expenditures (expenditures of money and of time) on these threats, although it will need to document how it determined its prioritization.
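To make the cycle described above (steps a through d) and the documentation demands of the six principles concrete, here is an added example in Python that is not part of the original post and not anything NERC, FERC or the E-ISAC publishes. It takes a constructed external threat list, lets the entity exclude a threat only with a written justification, ranks assessment findings by their risk to control of the BES, and splits a mitigation budget in proportion to that risk while guaranteeing every finding a floor share. All threat names, asset names, scores and the budget are invented for illustration; the 1-to-5 scoring scale and the impact-times-gap risk formula are assumptions of this example, not something the post prescribes.

```python
from dataclasses import dataclass

# Step (a): the externally maintained threat list. Entries are constructed for this example.
EXTERNAL_THREAT_LIST = ["phishing", "ransomware", "unpatched_software", "remote_access_abuse"]


@dataclass(frozen=True)
class Finding:
    """One vulnerability produced by the posture assessment (step b). Hypothetical fields."""
    threat: str
    asset: str
    impact: int        # 1..5: impact on control of the BES if this asset is misused or lost
    control_gap: int   # 1..5: how far current controls fall short against this threat

    @property
    def risk(self) -> int:
        # Assumed scoring: higher impact and a weaker control both raise the risk.
        return self.impact * self.control_gap


def tailor_threat_list(external, exclusions, additions):
    """Return the entity's own threat list.

    Each excluded threat must carry a non-empty written justification
    (principle 2: demonstrate why a threat does not apply). Additions are
    appended so an entity can go beyond the external list.
    """
    for threat, reason in exclusions.items():
        if threat not in external:
            raise ValueError(f"cannot exclude unknown threat {threat!r}")
        if not reason or not reason.strip():
            raise ValueError(f"exclusion of {threat!r} needs a documented justification")
    kept = [t for t in external if t not in exclusions]
    return kept + [t for t in additions if t not in kept]


def prioritize(findings):
    """Step (c): rank findings by risk to control of the BES, ties broken by impact."""
    return sorted(findings, key=lambda f: (f.risk, f.impact), reverse=True)


def allocate(findings, budget, floor_share=0.05):
    """Step (d): split the budget in proportion to risk.

    Every finding receives at least floor_share of the budget (principle 5:
    mitigations apply to all assets, the degree depends on risk). Returns the
    allocation and a rationale string that records how the split was decided
    (principle 6: document the prioritization).
    """
    if not findings:
        return {}, "no findings; nothing to allocate"
    floor = budget * floor_share
    if floor * len(findings) > budget:
        raise ValueError("floor share too large for the number of findings")
    remaining = budget - floor * len(findings)
    total_risk = sum(f.risk for f in findings)
    allocations = {f: round(floor + remaining * f.risk / total_risk, 2) for f in findings}
    # Rounding drift goes to the top-ranked finding so the plan sums exactly to the budget.
    top = prioritize(findings)[0]
    allocations[top] = round(allocations[top] + (budget - sum(allocations.values())), 2)
    rationale = "; ".join(
        f"{f.threat}/{f.asset}: impact {f.impact} x gap {f.control_gap} = risk {f.risk}"
        f" -> ${allocations[f]:,.2f}"
        for f in prioritize(findings)
    )
    return allocations, rationale


def sample_findings():
    """Constructed assessment output for a fictional entity."""
    return [
        Finding("phishing", "corporate_email", impact=4, control_gap=3),
        Finding("unpatched_software", "ems_server", impact=5, control_gap=2),
        Finding("ransomware", "historian", impact=3, control_gap=4),
        Finding("remote_access_abuse", "substation_gateway", impact=5, control_gap=1),
    ]


if __name__ == "__main__":
    threats = tailor_threat_list(
        EXTERNAL_THREAT_LIST,
        exclusions={},
        additions=["insider_misuse"],
    )
    print("entity threat list:", threats)
    plan, why = allocate(sample_findings(), budget=100_000)
    for f in prioritize(sample_findings()):
        print(f"{f.threat:20s} {f.asset:20s} risk={f.risk:2d} ${plan[f]:,.2f}")
    print("rationale:", why)
```

The rationale string is the artifact a Region reviewer (step e) would read: it shows the scores behind each dollar figure, and an exclusion without a justification is rejected before a plan can be built at all.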
I have just answered the first part of Q2: “What would a performance or results-based approach to the CIP Standards look like?” My answer is that it would look like what I’ve just described. This is a results-based approach because it requires the entity to achieve a particular result (mitigation of the vulnerabilities identified in the assessment, ranked by their impact), without prescribing how that is to be achieved (of course, there will be lots of guidance on how to mitigate various types of vulnerabilities, and more importantly that guidance will be regularly updated, perhaps by the same group that updates the threat list).
The second part of Q2 reads: “Could it help to improve compliance efficiency and certainty as well as the security of the BES? How?” I will break this down into its parts.
- Does what I am proposing improve compliance efficiency? I guess it does, but compliance efficiency isn’t the goal – efficiency of improving cyber security should be the goal. As I said at the outset, NERC CIP now forces a misallocation of resources toward tasks that – while certainly producing some security benefit – probably don’t produce a benefit that justifies the expenditure required, while at the same time leaving fewer resources for areas like phishing that aren’t part of the CIP requirements at all and are probably more deserving of resources.[vii] What I am proposing would a) reduce (but not eliminate) the paperwork burden, but more importantly b) produce a great deal more cyber security for every dollar spent, vs. the current prescriptive CIP compliance regime.[viii]
- Does what I’m proposing improve compliance certainty? I’m not sure whether it improves it, but it certainly doesn’t hurt it. It makes compliance certainty fade as an issue, since there are no longer prescriptive requirements whose interpretation one way or the other will make entities face million-dollar-a-day fines. An entity will still be subject to fines, but those will be for not fulfilling the promises it made when FERC approved its mitigation plan. The entity could be fined if it didn’t follow through in some way, and if it also didn’t address the corrections that the Region ordered.[ix]
- Does this help the security of the BES? Absolutely. As I said, the biggest benefit is that it effectively increases the amount of money going to BES security without in itself requiring an overall increase in cyber security expenditures (although don’t kid yourself – cyber expenditures are going to have to go up every year for the foreseeable future. That’s the world we live in).
So here are my respectful answers to FERC’s questions. If anyone has comments or wants to discuss these, email me at talrich@deloitte.com.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.
[i] In practice, I’m sure most utilities are now spending a lot of money to address the phishing threat. But it’s almost axiomatic that, since the CIP requirements carry the possibility of big fines whereas anti-phishing measures don’t avoid any fines, entities will spend much more on other less serious threats if they’re part of the CIP requirements.
[ii] This list should be updated regularly, at least once a year and maybe every six months. The entity could always add a threat to its own list, if its own situation dictates it should be on the list. Conversely, they could remove a threat from the list if it doesn’t apply to them or if they’d already sufficiently mitigated it. They would have to document their justification for doing this, though.
[iii] Of course, they couldn’t order changes just because some auditor felt like it. There would be guidelines for what constitutes an acceptable plan.
[iv] Normally, if the Region feels an entity has not properly addressed a particular vulnerability, they could order it to re-do or augment the steps it took to address that vulnerability. And if the Region feels the entity has really screwed up the whole effort, they could order it be redone. Again, there would be guidance on what does and doesn’t constitute successful mitigation of a vulnerability.
[v] One of the big problems with CIP now is that it is close to impossible to address a new threat. For example, virtualization has brought lots of benefits but also new potential threats. Virtualization was widely used in 2011 when the CSO 706 (CIP) SDT turned its attention to developing v5, yet I don’t think there was any real thought of addressing virtualization in v5. Now NERC really has to address it, and the drafting team is doing very good work on addressing virtualization on a conceptual level, as well as starting to develop new (or revised) requirements and definitions. However, because of the sheer number of the changes that will be required, I am skeptical they will ever be able to get all of this approved by the ballot body, at least within the lifetime of the universe as we know it. I will attend the drafting team’s meeting in Montreal next week and hope to get a better take on this effort, since I admit I have not paid enough attention to virtualization lately.
[vi] While that post was specifically about natural gas pipeline regulation, I wrote the principles so that they would apply equally well to any process-based critical infrastructure. In the next post, I discussed them in the context of the electrical power industry, which is of course where they are needed first.
[vii] And don’t tell me that the solution to this problem is to write a SAR for a new CIP phishing standard! I don’t want the current CIP standards to be expanded beyond what they currently cover. Instead, I want a regime where all threats are considered and prioritized. I am sure phishing will be at the top of a lot of entities’ lists of threats to address, although that might not be true in five years (I’m sure there will be new threats we haven’t thought of yet by that time).
[viii] I’ve noted a couple of times that I asked some entities how much of every dollar they spent on implementing CIP v5 went to cyber security vs. just compliance – the average answer I got was 50%. I doubt my plan will reduce any utility’s total spending on cyber security (including CIP compliance). However, I do believe it will increase that percentage to say at least 75 or 80%. If say two billion dollars a year is now being spent on CIP compliance by North American utilities and IPPs (and I don’t know what the full number is, although I’m sure it’s well over $1 Bn), increasing the percentage to 75% would be an effective increase of $500 million going to cyber security. That’s much more than I earn in a year.
[ix] I won’t pretend there isn’t a potential problem with rogue auditors who like to torment utilities by unreasonably saying they haven’t fulfilled their mitigation plan. There will need to be controls to prevent this, the most important being a much more extensive auditor training program and higher requirements for cyber security expertise.