Tuesday, September 19, 2017

Why is CIP-013 a Good Standard?

As I've hinted previously, I am now pivoting toward discussing CIP-013 (not that I'll completely ignore the rest of CIP, of course!). I'm doing this for two reasons. One is that CIP-013 compliance is going to require a huge effort, by utilities as well as vendors. The second is that CIP-013 is completely different from previous CIP standards, and compliance is completely different. Not only is it different, it's also very close to how I would like to see all of CIP be rewritten. In this post I discuss why I say that.

In July 2016, FERC issued Order 829, which ordered NERC to develop a standard for “supply chain risk management for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations.” NERC developed and approved the standard and submitted it to FERC for their approval in September 2017. While FERC approval isn’t completely guaranteed, the new standard, CIP-013-1, will most likely come into effect in late 2019 or early 2020.

Experienced NERC CIP practitioners often repeat the mantra “Compliance doesn’t equal security.” This means that, while the current CIP standards CIP-002 through CIP-011 prescribe particular security practices to address particular threats, there are many threats (phishing, ransomware, cloud-based threats) that are simply not addressed at all. A comprehensive cyber security program needs to address all threats, not just those that happen to be included in NERC CIP.

But CIP-013 is different. CIP-013 essentially requires a NERC entity with High or Medium impact BES Cyber Systems to do two things: develop, and then implement, a supply chain cyber security risk management plan (there are six particular items that must be addressed in that plan per CIP-013 R1.2, but the plan itself is in no way limited to those six items). Since a supply chain cyber risk management plan worthy of the name must by definition address all supply chain cyber risks, this in fact means that, as far as CIP-013 goes, there is no difference between compliance and security. Everything the NERC entity needs to do to secure their supply chain, they also need to do for CIP-013 compliance, and vice versa.

At first glance, NERC CIP practitioners may worry that CIP-013 will overwhelm them. It now seems that everything required for good supply chain cyber security is not only recommended but mandated by FERC and NERC – and therefore potentially subject to million-dollar-a-day penalties for non-compliance. How could this possibly be better than the existing CIP standards, which at least omit many important cyber threats like phishing and ransomware? How will NERC entities possibly comply with a standard that requires them to do “everything”?

Before answering this question, let’s consider why there need to be mandatory cyber security standards in the first place. Of course, there are few if any North American power market participants who don’t believe that cyber security is important. But they all face many competing demands for resources, and since security spending doesn’t usually produce immediately visible results, it often gets pushed to the bottom of the priority list, except when there are mandatory requirements to comply with.

Yet it is also true that mandatory standards like the current CIP-002 through CIP-011 distort cyber security spending priorities. This is because these standards (and similar standards in other industries) only address particular threats and security practices – for example, patch management – while completely omitting other threats and practices, like anti-phishing processes and technologies. But since patch management is required by CIP while anti-phishing is not, NERC entities will inevitably invest much more in patch management, even though phishing is one of the most important security threats today.

The ideal cyber regulation would be one that requires NERC entities to do what they would do anyway, given a hefty cyber security budget: They would identify the threats they face, determine the impact of each one, and remediate them based on their relative impact. Moreover, remediation of each particular threat is based on risk (so that, for example, a risky system gets much more attention than one that poses little risk). This ensures the most efficient allocation of security spending – i.e. the greatest “bang for the buck”. And this is almost exactly what CIP-013 does. Here’s why:

1. CIP-013 is objectives-based, meaning it states the objective and requires the entity to attain it. Too many of the other CIP requirements are prescriptive: They tell the entity how to achieve the objective, often in great detail. This creates a lot of compliance risk, and causes a big expenditure of resources on a lot of individual actions that in themselves do very little to enhance security. In CIP-013, the entity is required to develop and implement a good supply chain cyber security risk management plan, period. The content of the plan and the steps to implement it are completely up to the entity.
2. CIP-013 is risk-based. While it is never officially stated in the requirements themselves, the excellent Implementation Guidance makes clear that risk is to be taken into account at every step of remediation. Vendors and systems should be categorized by risk, and remediation steps (including what is required of vendors in contract language and other commitments) should always be based on risk. This is what makes compliance with CIP-013 manageable: If it weren’t risk-based (and FERC specifically required this in Order 829), NERC entities would have to take exactly the same steps for their most strategic vendors as they do for their least strategic. And they would have to treat very important systems the same as fairly inconsequential ones.
3. The fact that CIP-013 requires a comprehensive plan means that the entity has to consider all supply chain security threats at one time, and prioritize their remediation based on impact. This is not possible under the other CIP standards, which simply require NERC entities to address particular threats without in any way allowing them to rank those threats against each other based on impact, and allocate remediation resources accordingly.

1 comment:

  1. I'm optimistic. Two things are of primary importance to start securing utility electronic control systems. Procurement requirements that specify "securable" equipment (AAA, crypto) and intrusion detection capability. How much of DHS recommendations make it into CIP-013 plans will be a measure of how effective this reg. will be. Now if we could only get intrusion detection we'd have far better guidance on where to efficiently spend on preventive controls. And we'd have the ability to make the risk based case for spending on cybersecurity controls.