My most recent post lamented that every NERC entity subject to CIP-013 (i.e. those with High or Medium impact assets) has to, every 15 months, identify new supply chain security threats and mitigation measures, and incorporate the relevant ones into their Supply Chain Security Management Plan; this per CIP-013 R3. I pointed out (very astutely, I might add) that it didn’t make sense for each entity to have to review the same information and draw the same conclusions. Why couldn’t there just be one body that did this for all NERC entities (although the entities would be free to add to the list of new threats and mitigations provided by this body)?
My answer to that question asserted that there is no provision in the NERC Compliance Monitoring and Enforcement Program (CMEP) for this; therefore, NERC entities are doomed to comply with R3 completely on their own. I then went on to point out that this is a general problem for CIP: there is simply no way to incorporate new threats into CIP and require entities to comply with them, other than writing a Standards Authorization Request (SAR), convening a Standards Drafting Team, going through 3 or 4 NERC ballots, submitting the new or revised standard to FERC, waiting for them to approve it, etc. At the most optimistic, that’s a 3-year process, but I will soon write a post that asserts that the window has closed for any future modifications to CIP, except modifications ordered by FERC (there are various reasons for this, but it is primarily because the industry has been exhausted by all the interpretation issues with CIP v5 – which will never be resolved – and isn’t exactly looking forward to having a bunch of new ambiguous standards dumped on their table).
However, an auditor emailed me to say that he thought there were at least 4 existing organizations that could fulfill this role. When I replied that the problem wasn’t that no organization could do this but that there was no provision in CMEP allowing them to do so, he pointed out to me that “The Standard guidance suggests that entities need to review actionable information to identify needed changes to their plans. No one said where that actionable information has to come from.”
And this makes sense to me. For the purposes of CIP-013 R3 compliance, I believe it would be fine if some third party organization, like one of the trade associations but not limited to them, committed to doing this for all NERC entities. That is, they would continually look for new supply chain security threats and mitigation measures and publish these for the whole NERC community (and if an organization just wanted to do this for their members, then hopefully other organizations would do the same for their members). Any takers for this? I won’t name names, but I can think of at least a couple of organizations who would be ideal for this.
However, my larger point in the post was that a procedure like this is really needed for all cyber security threats to BES Cyber Systems, not just supply chain threats in CIP-013. So it would be nice if there were a body that would regularly (or even continually) review all new cyber threats as well as all new mitigations to cyber threats, identify those that are relevant to the electric power industry, and publish these for the industry (perhaps on a need-to-know basis). If CIP were rewritten along the lines of the six principles in the post I referenced above, then NERC entities (probably above a certain size threshold) would have to get an assessment based on the threats on the current list, then mitigate those threats.
But that can’t happen now, given the current CIP standards and CMEP. When a new threat arises now, like phishing or ransomware, the only “legal” way to address it, according to the NERC Rules of Procedure, is to go through the SAR process I described above. Obviously, in the case of phishing and ransomware (both of which have been threats for years), nobody has even suggested a SAR, and as I already said, I don’t think there will be any more changes to CIP that aren’t FERC-ordered. So phishing and ransomware will never be addressed within the current CIP framework (despite the fact that the Ukraine attacks all started through phishing). This also applies to cloud threats, and many more current and future ones. I believe that none of these will ever be addressed, given the current CIP-002 through -011 wording, which doesn’t have any provision for addressing new threats, as in CIP-013 R3.
But in my ideal world, which I described in this post (the last few paragraphs, although to understand them well you need to read the whole thing), CIP would be totally rewritten and CMEP would be revised[i], allowing threats and mitigations to be continually updated without having to revise the standard itself. If you look at number 3 of the six principles I list in that post, you’ll see it calls for the entity to continually update its list of threats; all the threats on the list have to be addressed in some way, although on a risk-adjusted basis (so threats that pose less risk would require less mitigation work and might in some circumstances be completely ignored if they really don’t apply to the particular entity). This list could – and should – be maintained by a central industry body, although the entity would be free to add other threats to the list if they felt this was warranted.
So this is where I see an industry body – which could well be one of the trade associations, etc. – being able to finally solve the problem caused by the fact that CIP doesn’t have a good way to respond to new threats (other than CIP-013, of course). But this can’t happen until CIP is completely rewritten and CMEP is revised. As I said in the last post, I don’t think NERC is likely to do either of these any time soon, which is why I’m pessimistic that FERC and NERC will be allowed to keep responsibility for cyber regulation of the power grid much longer. But I’ve been wrong before!
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.
[i] Although maybe there would need to be two NERC CMEPs. The existing one would be for the 693 standards, and the new one would be for CIP. If you look at the list of six principles for the “new CIP” listed in the post just referenced and you try to figure out how the new CIP standard would be audited, I think you’ll agree that it would be almost impossible to do that with the existing CMEP. In fact, I think auditing CIP-013 and CIP-012 will be very challenging with the existing CMEP, since these are much more like what I would like to see in the new CIP. But even the existing CIP-002 through CIP-011 don’t fit in very well with CMEP, which is one of the reasons there are so many continuing problems.