I heard an
interesting comment this week from a friend on the staff of one of the Regional
Entities, who is very knowledgeable about CIP and NERC enforcement in general.
His opinion is that CIP-013 is unenforceable, as it stands in the second draft
– the one now being balloted. Why does he think this? Here’s the smoking gun:
the note below CIP-013 R2 (and since it’s a note, not part of the blue boxes,
it does need to be considered as a binding modification of the requirement. I’ll
have more to say on those blue boxes in one of my next posts – there is more
going on with them than meets the eye) reads
“Note:
Implementation of the plan does not require the Responsible Entity to
renegotiate or abrogate existing contracts (including amendments to master
agreements and purchase orders). Additionally, the following issues are beyond
the scope of Requirement R2: (1) the actual terms and conditions of a
procurement contract; and (2) vendor performance and adherence to a contract.”
My friend
points out that he has no problem with the first sentence. In fact, this
thought was part of FERC’s Order 829, which ordered NERC to develop the
standard; it was also in the first draft of CIP-013. His problem is with the
second sentence, which was in neither Order 829 nor the first draft. And of the
two parts of the second sentence, his problem is with the first part.
What is the
problem? Let’s look at the requirement it’s attached to. R1.2 requires
development of a supply chain cyber security risk management plan that includes
(but isn’t limited to):
1. One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:
a. Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
b. Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
c. Notification by vendors when remote or onsite access should no longer be granted to vendor representatives;
d. Disclosure by vendors of known vulnerabilities;
e. Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and
f. Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s).
R2 requires
implementation of that plan. In an audit, the Responsible Entity is going to
have to demonstrate that they have taken steps to get their vendors to provide
all of these things. There are various ways to do this, and they can vary
according to the risk posed by the vendor and/or the risk posed by the product
or service being purchased. It is certain that many entities will attempt to
achieve these goals by using legal contract language, at least in the case of
some of their vendors.
My friend’s
concern is that the first part of the second sentence of the note essentially
says that the actual terms and conditions of a procurement contract are out of
scope for the audit. This means that the auditor can’t ask the entity to show
him or her a vendor contract, to demonstrate their assertion that they have
used contract language to address one or more of the items listed in R1.2 for a
particular vendor.
So let’s say
the entity shows their auditors the section of their plan that describes how
they will address each of the six items in R1.2, and the plan says that, for
very important vendors like their EMS vendor, they will address all of the
items using contract language; it looks at first glance like they’ve complied
with R1.2, since they have a proper plan for achieving the objectives listed
above.
Now the
auditors move to R2, which requires the entity to implement the plan. They get
to the section of the plan that corresponds to R1.2, and tell the entity that they
would like to see evidence that they have complied with this part of the
requirement for each of their top ten vendors, starting with the EMS vendor.
And since the plan says that the entity will use contract language to address
the six items in R1.2, at least for this vendor, the auditors request to see
that contract to verify the language is actually there – or more likely, that
the language is acceptable as evidence of compliance. At that point, the entity
points them to the second sentence of the note and (politely) repeats that the
“actual terms and conditions of a procurement contract” are out of scope.
Therefore, they don’t need to produce the contract.
So how are
the auditors going to verify the entity’s assertion that they have complied
with R1.2 for their EMS vendor using contract language, if they aren’t allowed
to see the contract? My friend’s answer is that the auditors can’t verify this assertion without
being allowed to see the evidence. And what if the entity asserts they have
used contract language to address R1.2 for all of their vendors? Then the auditors
aren’t going to verify compliance – at least for the items in R1.2 – at all for
this entity. Do you see any issue with this?
But other
than the fact that it’s not enforceable, my friend doesn’t have any big
problems with CIP-013.
Any opinions expressed in this post are
those of the author, not necessarily those of Deloitte.