As I've hinted previously, I am now pivoting toward discussing CIP-013 (not that I'll completely ignore the rest of CIP, of course!). I'm doing this for two reasons. One is that CIP-013 compliance is going to require a huge effort, by utilities as well as vendors. The second is that CIP-013 is completely different from previous CIP standards, and compliance is completely different. Not only is it different, it's also very close to how I would like to see all of CIP be rewritten. In this post I discuss why I say that.
In July 2016, FERC issued Order 829, which ordered NERC to develop a standard for “supply chain risk management for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations.” NERC developed and approved the standard and submitted it to FERC for their approval in September 2017. While FERC approval isn’t completely guaranteed, the new standard, CIP-013-1, will most likely come into effect in late 2019 or early 2020.
Experienced NERC CIP practitioners often repeat the mantra “Compliance doesn’t equal security.” This means that, while the current CIP standards CIP-002 through CIP-011 prescribe particular security practices to address particular threats, there are many threats (phishing, ransomware, cloud-based threats) that are simply not addressed at all. A comprehensive cyber security program needs to address all threats, not just those that happen to be included in NERC CIP.
But CIP-013 is different. CIP-013 essentially requires a NERC entity with High or Medium impact BES Cyber Systems to do two things: develop and implement a supply chain cyber security risk management plan (there are six particular items that must be addressed in that plan per CIP-013 R1.2, but the plan itself is in no way limited to those six items). Since a supply chain cyber risk management plan worthy of the name must by definition address all supply chain cyber risks, this in fact means that, as far as CIP-013 goes, there is no difference between compliance and security. Everything the NERC entity needs to do to secure their supply chain, they also need to do for CIP-013 compliance, and vice versa.
At first glance, NERC CIP practitioners may worry that CIP-013 will overwhelm them. It now seems that everything required for good supply chain cyber security is not only recommended but mandated by FERC and NERC – and therefore potentially subject to million-dollar-a-day penalties for non-compliance. How could this possibly be better than the existing CIP standards, which at least omit many important cyber threats like phishing and ransomware? How will NERC entities possibly comply with a standard that requires them to do “everything”?
Before answering this question, let’s consider why there need to be mandatory cyber security standards in the first place. Of course, there are few if any North American power market participants who don’t believe that cyber security is important. But they all face many competing demands for resources, and since security spending doesn’t usually produce immediately visible results, it often gets pushed to the bottom of the priority list, except when there are mandatory requirements to comply with.
Yet it is also true that mandatory standards like the current CIP-002 through CIP-011 distort cyber security spending priorities. This is because these standards (and similar standards in other industries) only address particular threats and security practices – for example, patch management – while completely omitting other threats and practices, like anti-phishing processes and technologies. But since patch management is required by CIP while anti-phishing is not, NERC entities will inevitably invest much more in patch management, even though phishing is one of the most important security threats today.
The ideal cyber regulation would be one that requires NERC entities to do what they would do anyway, given a hefty cyber security budget: They would identify the threats they face, determine the impact of each one, and remediate them based on their relative impact. Moreover, remediation of each particular threat is based on risk (so that, for example, a risky system gets much more attention than one that poses little risk). This ensures the most efficient allocation of security spending – i.e. the greatest “bang for the buck”. Yet this is almost exactly what CIP-013 does. Here’s why:
- 1. CIP-013 is objectives-based, meaning it states the objective and requires the entity to attain it. Too many of the other CIP requirements are prescriptive: They tell the entity how to achieve the objective, often in great detail. This creates a lot of compliance risk, and causes a big expenditure of resources on a lot of individual actions that in themselves do very little to enhance security. In CIP-013, the entity is required to develop and implement a good supply chain cyber security risk management plan, period. The content of the plan and the steps to implement it are completely up to the entity.
- 2. CIP-013 is risk-based. While it is never officially stated in the requirements themselves, the excellent Implementation Guidance makes clear that risk is to be taken into account at every step of remediation. Vendors and systems should be categorized by risk, and remediation steps (including what is required of vendors in contract language and other commitments) should always be based on risk. This is what makes compliance with CIP-013 manageable: If it weren’t risk-based (and FERC specifically required this in Order 829), NERC entities would have to take exactly the same steps for their most strategic vendors as they do for their least strategic. And they would have to treat very important systems the same as fairly inconsequential ones.
- 3. The fact that CIP-013 requires a comprehensive plan means that the entity has to consider all supply chain security threats at one time, and prioritize their remediation based on impact. This is not possible under the other CIP standards, which simply require NERC entities to address particular threats without in any way allowing them to rank those threats against each other based on impact, and allocate remediation resources accordingly.
I'm optimistic. Two things are of primary importance to start securing utility electronic control systems: procurement requirements that specify "securable" equipment (AAA, crypto) and intrusion detection capability. How many of the DHS recommendations make it into CIP-013 plans will be a measure of how effective this regulation will be. Now if we could only get intrusion detection we'd have far better guidance on where to efficiently spend on preventive controls. And we'd have the ability to make the risk-based case for spending on cybersecurity controls.