The title of this post should give you pause. Vendors don’t have to comply with CIP-013; only NERC entities do. But this is a distinction without a difference. It has always been the intention of both FERC (in ordering NERC to develop a supply chain security standard) and the NERC standard drafting team (in developing the standard) to require vendors to be involved with compliance – although there will be no penalty to the NERC entity if they try to get a vendor to cooperate in compliance and are unsuccessful.
So it’s very legitimate to ask how a vendor can comply with CIP-013. I have had discussions with several vendors (and many more NERC entities) about this, and here is what we have come up with so far. I do want to point out that this is quite embryonic.
The most important consideration for a vendor is that it will be a big mistake if you look at CIP-013 compliance as some sort of adversary exercise, although you should be forgiven if you have thought of it that way so far. After all, a lot of the guidance so far (and that’s just one 13-page document) focuses on contract language.
My idea of a contract language “negotiation” is one in which the NERC entity’s lawyers and the vendor’s lawyers are sitting on opposite sides of an 8-foot-high brick wall. The entity’s lawyers throw some contract language to the other side and snarl “Here, put this in our contract.” The vendor’s lawyers look it over and throw something else back, saying (perhaps snarling less) “We can accept some parts without change and some with changes, but we can’t accept these other parts at all.” The entity’s lawyers look this over, and reply with their own counter-proposal. This goes back and forth, with the length of time determined by whether or not the lawyers are on salary (in which case they can do this for years) or they are paid by the hour (in which case the company will have to call an end to the fun and tell them to wrap up the “negotiation”).
Of course, this is perhaps an overly bleak view of the contract negotiation process, but I think it illustrates what I’m saying: Both the vendor and the entity should do everything they can to keep their relationship from degenerating to this point. In fact, IMHO if they first resort to contract language in their CIP-013 compliance process, both sides have already lost the game. Contract language is a nice thing to have, but it should never be the first concern.
So what’s the best way for a NERC entity and a vendor to approach the CIP-013 compliance process? I see two possible ways to get this going:
- The entity reaches out to the vendor and says “Let’s have a discussion on how we (note the plural pronoun!) can address CIP-013 compliance.”
- The vendor reaches out to all of their power industry customers (at least all who have any High or Medium impact assets where their software or hardware product is used), perhaps through an e-mailing or even a – gasp! – USPS mailing, and actually suggests how both sides could work together to achieve the goal of CIP-013 compliance.
So here’s a little quiz: Which of these two actions is more likely to result in a fruitful partnership to achieve CIP-013 compliance? I think they are both good options, but I would strongly recommend that the vendor be the first to reach out. Because if the entity reaches out first, I can almost bet that most of them will do that in the form of a demand for particular contract language. This isn’t because they’re sociopaths, but because NERC compliance up until now has primarily been seen as a legal exercise, whether for NERC CIP or the other NERC standards.
If the vendor reaches out first, and if they don’t immediately focus on contract language (if they do, they’ve obviously decided that it’s important that CIP-013 compliance be made as painful as possible, probably for reasons of job security of the people writing the document), then they can set the terms of engagement. The vendor can suggest actions that favor its strengths – i.e. developing, supporting and securing great hardware and/or software products – and don’t favor the utility’s strength (which is the fact that they are, after all, the buyer, and that money is flowing from them to the vendor, not vice versa. Plus the vendor doesn’t have a monopoly, at least in any electric power product market that I know of).
What should the vendor suggest to their power industry clients? I’ll leave that for the next post in this series.
If you are with a vendor to the electric power industry, and your company is trying to figure out what you will have to do to comply with CIP-013, Tom Alrich LLC would be pleased to offer you a free one-day (2-6 hours) workshop to review a) what CIP-013 requires, b) what you are likely to get asked to do by your clients, and c) what they should be asking you to do (since b and c won’t usually be the same thing). There will be no charge for my time, but I will require you to pay travel expenses at cost. Please email or call me if you would like to discuss this.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at firstname.lastname@example.org. Please keep in mind that Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. To discuss this, you can email me at the same address or call me at 312-515-8996.
Any opinions expressed in this blog post are quite definitely those of my employer, Tom Alrich LLC! If you disagree with what I’ve said, I suggest you take it up with them.