I have a
Constitutional right to change my mind, and I’m about to do that.
In this
recent post, I repeated the concerns that a staff member from one of the NERC
Regional Entities had raised to me about whether CIP-013, the upcoming supply
chain security management standard, is even enforceable, given that it says
contract language is not “in scope” for the standard. This provision means that
a NERC entity doesn’t have to show any actual contracts to an auditor in a
CIP-013 compliance audit, even though the entity may have asserted that they
complied with CIP-013 R2 by getting vendors to include language in their
contracts that covers the six specific items required by CIP-013 R1.
As I
described in this
follow-on post, an auditor from another NERC region responded to the first post
by pointing out that “The requirement is essentially that the Registered Entity
ask for the elements of the required process(es), not that the vendor agree to
them.” In other words, you don’t need to show a signed contract to prove you
complied with CIP-013 R2 for a particular vendor. The auditor went on to state
that an RFP or even emails stating the “expectations to be placed on the
vendor” could constitute evidence of compliance.
I heard a
similar argument made by Kevin Perry, the head CIP auditor of SPP, at SPP-RE’s
annual CIP workshop in Little Rock this week. He emphasized that CIP-013 R2
(implicitly) requires the entity to try
to get the vendor to agree to commit (through contract language or another
means like just an email) to doing the six things required in CIP-013 R1, not
that they succeed in doing so. They need to provide evidence, like the RFP or
emails described above, that shows they indeed tried to obtain that commitment.
The RE staff
member wasn’t convinced by this auditor’s argument when I presented it to him,
and he sent me a new email. I excerpted two paragraphs from that email in the
follow-on post, but I didn’t simply reprint the whole email. Now that I have
gone back and read the email, I realize I didn’t do justice to what the staff
member said. Here is the full text of his email, although I have broken it into
two parts to indicate the two arguments he makes:
Argument One: “The ultimate goal of
CIP-013 is to modify the terms of acquisition contracts used by the Responsible
Entity:
FERC Order
829 page 59: ‘The new or modified Reliability Standard must address the
provision and verification of relevant security concepts in future contracts
for industrial control system hardware, software, and computing and networking
services associated with bulk electric system operations.’
In keeping
contracts out of scope for audits, CIP-013 does not fulfill the underlying purpose
of the Standard.”
Argument Two: “There may be some things that can be audited, but the auditors
will be handicapped in reviewing evidence. They will not be able to audit that
ICS contracts contain provisions which satisfy the security controls of R1, and
they will not be able to verify that the entity enforces these controls.
Ultimately,
this version of CIP-013 does not fulfill the definition of a Risk-Based
Requirement: “[D]efine actions by one or more entities that reduce a stated
risk to the reliability of the Bulk Power System and can be measured by
evaluating a particular product or outcome resulting from the required
actions.” [NERC RoP App 3A Sect 2.4] If the outcome cannot be measured, then
the Requirement fails as a Risk-based Requirement.”
Let’s look
at the first argument. Although he
didn’t comment further, it seems to me the staff member was saying that the
fact that FERC specifically used the word “contracts” in the quotation from Order
829 means that contracts with the appropriate language are actually what FERC
was aiming for, not just an assurance that the entity tried to get the vendor to commit to what is needed.
To this argument, the auditor replied that
the enforceability of CIP-013 has nothing to do with whether it fulfills FERC’s
order. FERC has to decide whether NERC has fulfilled their order, and if they
think NERC hasn’t done so, they will remand it and repeat (or state more
explicitly) that this is all about contracts; at that point, NERC would have to
change the language. I agree with the auditor on this point.
However, the staff member’s second argument
gives me pause. I think he may be right: A requirement that just requires the
entity to give it the ol’ college try, without having to show they actually
achieved anything, probably does violate the NERC Rules of Procedure.
Unfortunately, I think this brings us back to
a point I made in a post
from April. There, I documented how I had come to the realization that just
having non-prescriptive, results-based NERC requirements (which NERC refers to
as “risk-based”, although I don’t like use of that term in this context) isn’t
enough. The whole NERC enforcement environment – including the Rules of
Procedure and CMEP – is oriented toward prescriptive requirements. This is why
I reluctantly concluded that it will be almost impossible to get any new
non-prescriptive requirements approved by the NERC ballot body[i].
In fact, I think it will be very hard to get
any new CIP prescriptive requirements approved going forward, either. I think
we’ve simply reached the end of the line for any expansion of CIP, absent a
FERC order. Look for more on this topic coming soon to a blog near you.
The views and opinions expressed here are my own and don’t
necessarily represent the views or opinions of Deloitte.
[i]
And don’t point out to me CIP-013 is non-prescriptive and it just got approved.
There was a special
reason why CIP-013 suddenly surged from about 9% support on the first
ballot to 85% or so on the second (and this same reason probably led to
CIP-003-7 being approved last year on the second ballot, after failing badly on the first ballot): There was a FERC deadline that had to be
met. Absent such a deadline, I think it will be hard for any new requirements –
prescriptive or not – to be approved.
No comments:
Post a Comment