Note: This post originally started out to be
part II of II on lessons learned so far from the CIP-014 experience – that post
covered the first lesson, and this post was intended to cover the second
lesson. I started this post with what I thought would just be a paragraph or
two expanding on what I’d written in the first post – and you can see what
happened. But have no fear, I have most of the post regarding the second lesson
already written, and it will appear very shortly.
Two weeks ago, I wrote a post that was intended to be the first of two on lessons that can be learned from NERC’s experience so far with CIP-014, the physical security standard that applies to certain key substations. Why am I worried about CIP-014, since I’ve written very little about it previously? Because CIP-014 is an objectives-based (non-prescriptive), risk-based standard like CIP-013, the upcoming supply chain security standard[i]; any lessons that can be learned from the CIP-014 experience so far are very relevant to CIP-013. And I also think the other CIP standards should be replaced by objectives-based, non-prescriptive ones, so these lessons will be relevant when that long-hoped-for day arrives (long hoped for by me, at least. I’m not sure anyone else hopes for it, although I believe I’ll be able to persuade my dog in the near future).
My main
concern regarding objectives-based, risk-based standards is how they will be
enforced by NERC. I realized
earlier this year that simply rewriting the CIP standards isn’t enough. Because
the whole NERC compliance regime, as embodied in the Compliance Monitoring and
Enforcement Plan aka CMEP, is based on auditing very prescriptive standards, to
properly enforce objectives-based, risk-based standards will require a huge
adjustment in the mindset of the auditors, as well as everybody else involved
in enforcement at NERC and the regions. And it will probably require a rewrite
of CMEP, or perhaps a separate CMEP for the CIP standards, vs. the other NERC
standards.[ii]
The lesson
from CIP-014 that I wrote about two weeks ago was that there really needs to be
some sort of review by NERC or the
regions of the entity’s plan, before they implement it. In the case of
CIP-014, this is the plan for improving physical security of a key high-voltage
substation. In the case of CIP-013, it is the entity’s Supply
Chain Cyber Security Risk Management Plan. In that post, I discussed how a
large NERC entity would probably never implement a planned $80MM physical security
system at their key substations, because the region refused to say whether this
deployment would help (or hurt) their compliance position on CIP-014.
Of course, having NERC (or in this case, the Regional Entity) review the plan before it is implemented goes against everything in CMEP – plus, as an auditor pointed out to me after he read that post, it also goes against GAGAS (Generally Accepted Government Auditing Standards, the GAO’s guidelines for government auditors, which all NERC auditors follow). According to those two documents, auditors need to maintain their independence and can’t provide compliance advice in advance to the entities they will audit. And I totally agree that this is the case.
Yet this also poses a huge problem for objectives-based, risk-based standards. Think about it: in a world of prescriptive, non-risk-based requirements, the auditors absolutely shouldn’t be providing compliance advice up front to the entities they audit.[iii] (This is basically the world of CIP v5/v6. A number of v5/v6 requirements are objectives-based, or at least non-prescriptive, but none of them is risk-based.)
But
objectives-based, risk-based standards don’t lend themselves to the type of
audits that prescriptive standards do; in fact, it’s hard to see how the word
“audit”, in the normal sense of somebody with a clipboard going through and
checking a Yes or a No box after each of a set of questions, of the form “Did
the entity do X?” is at all applicable for these standards. In CIP-013 and
CIP-014, the entity is simply required to develop and implement a plan of some
sort. The only criteria by which they can be judged to have complied or not are
the two questions: 1) Did they develop a good plan? and 2) Did they implement
the plan well? How would it be possible for an auditor to answer either of
those questions except by using a tremendous amount of judgment, no matter how
informed that judgment is by a host of guidance emanating from NERC, the
regions, and other parties (and right now, of course, there is very little
official NERC guidance on CIP-013 and not enough on CIP-014)?
Strictly speaking, if NERC were going to seriously audit CIP-013 and CIP-014 according to CMEP and GAGAS, they would have to make the whole enforcement process a giant gamble. The entity would have to come up with their own ideas on how to develop their plan, and then on how to implement it, completely on their own or at least relying on no guidance that comes directly from NERC or the regions. At the end of this whole process, they would be subject to a single audit, where the auditors would just check Yes or No for each of the two questions in the previous paragraph. The fate of the entity’s entire CIP-013 and CIP-014 compliance programs would rest entirely on whether the auditors checked Yes or No for those two questions. If you think you’re under pressure before your CIP audit now, just imagine what this would be like!
I point this out not because I think this scenario will come to pass, but because I’m sure it won’t. It simply makes no sense to do this. How does it make sense not to provide any guidance to entities as they develop and implement their plans? What possible good would be achieved by withholding it? Just think of the example from the first post in this series: the utility that probably won’t make a particular big physical security investment, since they don’t know whether it might help or possibly even hurt their chances of being determined compliant with CIP-014. And I recently met with a utility that said they were having a hard time getting management at all interested in starting to prepare for CIP-013 compliance (despite the benefits of doing so now), because there is very little real guidance from NERC or the regions about how to develop and implement a supply chain cyber security risk management plan (more on this in a subsequent post).
Face it,
objectives-based (and probably risk-based) CIP standards are here to stay.
Since CIP v5, all of the new CIP
requirements and standards that have been developed (this includes CIP-010-2
R4, CIP-003-6 and CIP-003-7, CIP-014, and CIP-012) have been objectives-based.
This is partly because FERC ordered both CIP-013 and CIP-014 to be
objectives-based (although FERC’s term for it was different – something like
“not one-size-fits-all”), but also because nobody on a NERC CIP standards
drafting team nowadays has an appetite for developing prescriptive standards
(as I found
out when I attended what turned out to be a key SDT meeting in June of
2016). The problem of a mismatch between NERC CIP standards and the NERC
auditing regime is only going to get worse as time goes on.
So how will
this mismatch be resolved? In the longer run, it will be resolved both by
rewriting the CIP standards and by hopefully developing a separate version of
CMEP for the CIP standards (since the current CMEP is fine for the O&P
standards). That will of course be a huge, wrenching change for NERC and the
regions. You might thus dismiss this as a pipe dream, and I would agree with
you if I thought NERC had another option; but in the long run I don’t think
they do. There is pressure building among the public and in Congress for the government to take more steps to secure the electric grid from cyber attack (and I wrote about how this pressure might come about in this post)[iv]. I believe that in the next few years NERC is going to be faced with the choice of either developing a sustainable set of mandatory cyber security standards, and a sustainable compliance framework to go with them, or seeing responsibility for cyber security of the Bulk Electric System taken away from NERC (and FERC) and vested in some other agency like the Department of Energy, the Department of Homeland Security, or even a proposed Department of Cyber Security.
But in the short run, it is clear to me that the problem of the current CMEP not allowing CIP-013 and CIP-014 to be properly enforced will lead to one result: they won’t be “enforced” at all. Auditors will review both the entity’s plan and how the plan was implemented; then they will provide advice on how the entity could improve on what they did. But this advice won’t come in the form of a Potential Non-Compliance finding (which can lead to an actual Violation), but rather in the form of an Area of Concern finding. As you probably know, AoCs are issued now whenever an auditor finds some security practice that they think is deficient, but which is not actually in violation of any CIP requirement. The entity is under moral pressure to correct the problem, but they can’t be found in violation if they don’t.
Am I
complaining about the fact that CIP-013 and CIP-014 aren’t really “enforceable”?
No, I think this is much preferable to the doomsday audit scenario I described
above. But I also think there have to be
mandatory CIP requirements that are actually enforced; I discussed my reason
for saying this in another recent post.
In brief, NERC entities will simply not get the same budgets for cyber security
spending if their managements begin to perceive that the standards are
increasingly being enforced on a “voluntary” basis. There really should be
substantial monetary penalties when an entity clearly develops an inferior plan
for CIP-013 or CIP-014, and/or doesn’t implement it properly or at all. Until a
new compliance regime is in place at NERC, this simply can’t happen.
I wish to close with one of my favorite quotes from Lewis Carroll (from Through the Looking-Glass, the companion book to Alice in Wonderland). Humpty Dumpty has just used a word in a very unusual way, and Alice objects that he isn’t using it properly.
'When I use a word,'
Humpty Dumpty said, in rather a scornful tone, 'it means just what I choose it
to mean — neither more nor less.'
'The question is,' said Alice, 'whether
you can make words mean so many different things.'
'The question is,' said Humpty Dumpty,
'which is to be master — that's all.'
I would rephrase Humpty Dumpty’s response as “The question is, which is to be master – you or the words?” And so I ask you, which is to be master in the case I just described: CMEP and GAGAS, or the need for an enforcement framework that is appropriate for objectives-based, risk-based standards such as CIP-013 and CIP-014 are now, and all of CIP should be? I promise I’ll have a lot more to say on this in the future. You have been warned.
The views and opinions expressed here are my own, and do
not reflect those of any organization I work with. If you would like to comment
on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i]
In general, I think CIP-013 handles risk better than CIP-014, but that may be
because the subject matters of the two standards are so different: purchasing
policies and procedures vs. physical security of certain high-voltage
substations.
[ii]
My general idea is that there is a very big difference between the CIP cyber
security standards and the other NERC standards, which are usually called the
Operations and Planning (O&P) or “693” standards. The latter are ultimately
based on the laws of physics: If you do or don’t do X, Y will happen. This type
of standard has to be prescriptive,
and needs to be audited in a very prescriptive manner.
But cyber security practice is statistical. If you don’t
patch one server for one day, it’s unlikely you’ll suffer adverse consequences.
If you don’t patch any of your servers for one year, you will be much more
likely to be successfully attacked, but even then it isn’t a certainty. However,
there would undoubtedly still be some small security benefit to patching your
servers every day. Does this mean that CIP-007 R2 (my poster child for a
prescriptive, non-risk-based requirement) should be expanded so that NERC
entities now will need to patch their servers daily? Most NERC entities – and
auditors – would shudder at the mere thought of that, since it would require a
massive effort and many more resources. Yet, in the prescriptive framework of NERC standards, with no allowance for risk at all, there really is no way to say what the stopping point should be – that is, the point at which, on a risk-adjusted basis, any possible security benefits are outweighed by the cost. The only logical stopping point would be when there were so many prescriptive CIP standards in place that the risk of cyber attack was effectively zero. That point can never be reached, of course; but even if it could, we would long before have passed the point where electric utilities had to suspend distribution of electric power and devote their entire staffs to NERC CIP compliance!
Thus, I think cyber security standards in general need to be objectives-based and risk-based. And to be honest, I don’t know of any other mandatory cyber security standards that are prescriptive and non-risk-based like CIP-002 through CIP-011 (although certain individual CIP requirements, such as CIP-007 R3, are actually objectives-based). However, until CIP-013 was developed, no CIP standard or requirement was explicitly risk-based, meaning that systems in scope need not all be treated exactly the same way; the controls applicable to each can instead be based on the risk it poses to the BES.
A few readers may remember that I started saying about
a year and a half ago that I was working – with two co-authors – on a book
about how the CIP standards can be rewritten to make them much more sustainable
than they are now. I confess that we haven’t put many words on paper (or
virtual paper) yet. This is mostly because my ideas were still evolving – for
example, my realization mentioned above, that the enforcement program itself
will need to be rethought, not just the standards themselves.
My ideas are now at a point where I think I have the whole argument in my head, at least in principle, and I have started serious writing. (A lot of the argument can be found in different posts I’ve written, but it’s in a few sentences or phrases here and there, not in any form where I can copy and paste it into the book.) This, coupled with the fact that I will have more free time for the next couple of months or so, makes me hope that I will make some serious progress on the book in the near future, although I strongly doubt I’ll be able to finish it that quickly.
[iii]
If you read any of my posts from, say, 2014 through the end of 2016, you may be surprised by this statement. Those posts coincide with the period when the industry (and I along with it) was struggling to figure out what the wording of CIP v5 meant. I frequently suggested that NERC and the regions should go beyond what was strictly allowed by CMEP and the NERC Rules of Procedure and provide true interpretation guidance to entities, simply because there was so much in CIP v5 that was undefined, vague, or – in the case of CIP-002 R1 and Attachment 1 – completely contradictory. Ultimately, both NERC (through the Small Group Advisory Sessions) and the regions (through unofficial advice that is always provided verbally, never written down) ended up doing exactly that, not because I’d advised it but simply because it was the only thing they could do. They couldn’t continually tell the entities “You have to figure it out for yourselves. We can’t tell you anything”, and then expect the entities to meekly submit when they are assessed violations that are due to their misunderstanding of what a requirement means (or at least what the region thinks it means).
So my statement that I agree that auditors shouldn’t be
providing compliance advice to the entities they audit, in a compliance regime
of prescriptive, non-risk-based requirements, only applies in the case where
the requirements are very clear and unambiguous. This unfortunately is not the
case with CIP v5, although I need to add that I don’t blame this on the
drafting team. I blame it on the fact that cyber security is a discipline in
which unambiguous prescriptive requirements simply cannot be drafted. A full
discussion of why this is the case will probably have to wait for my book.
[iv]
And I’m not taking any position on whether or not that pressure is warranted,
just stating that it exists and it’s inevitably going to grow.