I have more than a few times talked with someone from a large utility who assures me “We really believe in cyber security. We don’t need NERC CIP because we would do all of that anyway.” Both of these sentences have always struck me as strange.
To take the first sentence, when I hear it I always think (but never say!) “I’m really glad you believe in cyber security; that’s good news. Let me go out on a limb and guess that you also really believe in motherhood, apple pie and the Fourth of July.” In other words, talk is cheap. I’ve never heard anyone say “We don’t believe in cyber security at all,” although some organizations have said so with their actions.
Now let’s look at the second sentence. When someone says that, I usually think (and sometimes say) “Oh, really? You mean that, if you didn’t have to comply with NERC CIP, you would still take great pains to document that – as required by CIP-007 R2.2 – every 35 days you have checked with the patch source for every piece of software installed on a component of a Medium or High impact BES Cyber System or a Protected Cyber Asset to see if there is a new security patch available – even if that vendor has never released a security patch and probably never will? Would you really do this if you weren’t obligated to by CIP?”
Of course they wouldn’t. While some documentation is obviously required as a good security practice, this – and a number of other documentation requirements of CIP – does very little to advance security. Indeed it detracts from it, since if you’re spending your time documenting something like this, you’re taking away time you could spend actually improving security in a way that isn’t required by CIP, such as combating phishing or ransomware (although I’m sure all NERC entities are putting resources into these two threats as well; but since these are IMHO the two biggest cyber threats today, it’s not an exaggeration to say that almost any amount spent combating them isn’t enough).
But let’s leave the question of compliance documentation aside; I’ve already discussed it in another post. Is the second sentence really true? Are there electric utilities or IPPs that would spend as much on cyber security in the absence of NERC CIP as they do in its presence? I’m sure there are a few that would, but for the majority of NERC entities I’m also sure the answer to this question is no. Mandatory requirements (especially if accompanied by potentially huge penalties for non-compliance) are always going to be funded first, even if other non-required areas of cyber security might in some cases deserve more funding, ahead of at least some CIP requirements. It follows that the level of funding for such non-required threats has to be less than it would be in the absence of mandatory cyber requirements.
At the September NERC CIPC meeting in Quebec City, a good discussion broke out (sparked by a presentation by Tobias Whitney of NERC) about getting money for cyber security projects. A couple of participants said that they have more than once advocated for a request for funding for security projects not strictly required by CIP by saying that the expenditure would “help CIP compliance”. And lo and behold, the doors to the bank vault were flung open. However, if those three magic words hadn’t been uttered (like sprinkling pixie dust), those projects probably wouldn’t have been approved. So this is the main reason why the electric power industry needs mandatory cyber regulations: without them, there would be a much lower overall level of funding for cyber security.
You may now ask “So why are you always complaining about NERC CIP? If it’s getting the industry much more funding for cyber projects, it must be making it more secure.” I agree that CIP has made the industry much more secure than it would be otherwise (see this post for more on this topic). However, I think the cost of compliance with the current CIP standards regime outweighs the benefits by a good margin – and that cost is increasing as new standards like CIP-012 and CIP-013 come online. So the question is how to write a standard that a) is mandatory, but b) doesn’t force the entity to invest a lot of time and effort in activities that don’t benefit cyber security very much (and indeed, what is needed is a standard that “forces” the entity to do what they would otherwise do with adequate funding for cyber security, but no mandatory standards).
I believe that these two criteria could be met by a new set of CIP standards – and a compliance regime to go with them – that would 1) be objectives-based, 2) be threat-based, 3) be risk-based and 4) provide a list of threats to address that would be subject to frequent updates by some central group of representatives of NERC entities. CIP-013 actually comes close to this (actually just the first three, but 3 of 4 ain’t bad!), although since I don’t think it can be audited under the current NERC CMEP and RoP, it can’t really be called a “mandatory” standard – except for the six items listed in R1.2. But even not being mandatory, I think there will be lots of pressure on NERC entities to do the right thing and do their best to comply with CIP-013.