I have come to realize that CIP-013 suffers from a very serious flaw. It would be a fatal one, were it not that the human spirit is infinitely resourceful, and I think the NERC Regions will rise to the occasion and develop a work-around for this flaw. While I have kinda sorta known of this flaw for a while, it’s only recently that I’ve been able to articulate it, and also realized what the solution is.
I want to emphasize that I still stand by what I said in a post last September: CIP-013 is the closest to my idea of the ideal NERC CIP standard of all the CIP standards, both those currently in effect and those that have “retired”. However, it does suffer from one serious flaw, which I will describe in this post.
To understand the flaw, I need to go back to my series of posts late last year that discussed “plan-based” requirements (which include the requirements in CIP-013, of course). In those posts, I came to the conclusion that a requirement to develop a plan can’t simply tell the NERC entity to develop a plan to mitigate a certain class of threats (in the case of CIP-013, supply chain threats) and then leave it up to the entity to determine which threats to address in the plan. The requirement to develop the plan needs to include a list of threats (although I called them “criteria” in one or two of the posts on plan-based requirements) that must be addressed in the plan. This should be a comprehensive list of all the threats that the drafting team felt should be included. Of course, the entity is always welcome to add to it, but the drafting team needs to assume that a threat that isn’t on their list usually won’t be addressed in the plans.
So does CIP-013 R1, which mandates that the entity develop a supply chain cyber security risk management plan, provide a list of threats that need to be addressed in the plan? As I pointed out in this post, R1.2 does list six types of mitigation (ordered by FERC) that need to be included in the plan, and these mitigations correspond to six particular supply chain threats. However, R1.1 says that the entity must “identify and assess” risks resulting from “(i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).” And I believe the word “all” needs to be understood as modifying “risks”, since otherwise the sentence wouldn’t make sense (if you’re not going to address all risks, which ones are you going to address? Just those that begin with the letter A?)
I rephrase this list as (i) risks from procuring vendor equipment and software; (ii) risks from installing vendor equipment and software; and (iii) risks from transitions between vendors. The six mitigations in R1.2 all fall under the heading of procuring vendor software, and even then they hardly exhaust the possible risks in that one category; they do nothing to address risks in the other two categories.
So the serious flaw in CIP-013 R1 is that it requires development of a plan to mitigate supply chain threats (the requirement uses the word “risks”, but I prefer “threats” for several reasons) but doesn’t provide a list – beyond the six items in R1.2 – of the threats that should be included in the plan. This means that someone auditing compliance with R1 has only two choices:
a) Make up their own criteria for what should be in a plan and audit against those; or
b) Restrict the audit to the six items in R1.2. If these items are all sufficiently addressed in the plan, the entity doesn’t get a PNC (potential non-compliance finding). If they aren’t all sufficiently addressed, the entity is likely to get a PNC.
To be honest, neither of these is an acceptable choice. Clearly, for the auditor to make up their own criteria is completely unacceptable, so a) is off the table. But b) is also unacceptable, since R1.1 wants the plans to address far more threats than the six implied by R1.2. Moreover, FERC said the same thing in Order 829, and NERC said it in the Implementation Guidance for CIP-013.
Option b) might be acceptable if it were likely that NERC entities would bend over backwards to identify supply chain risks that go well beyond the six items (threats) in R1.2. In that case, the auditor still couldn’t give the entity a PNC for not including a particular threat in the list, but they could certainly ding them if they listed a threat in the plan developed for R1 but didn’t take any steps to mitigate[i] that threat as they implemented the plan in R2.
However, I have two pieces of bad news for anyone who thinks this will happen:
- There is no Easter Bunny; and
- NERC entities aren’t going to bend over backwards to identify supply chain threats beyond the six threats referenced in R1.2. While they may identify particular threats that their Region told them they should identify (or that might be included in a future “NERC-approved” guidance document, say from the North American Transmission Forum), they simply aren’t going to search high and low for every threat they can think of and include it in their list. Even if they are already addressing a threat outside of the compliance process, just including it in the list will entail new paperwork, as well as compliance risk if their auditor decides their implementation of mitigations for that threat in R2 is inadequate.
So neither of the above options is acceptable. And it is very unlikely that the FERC commissioners will all read this post and immediately order that CIP-013 be rewritten to include a list of supply chain threats that must be addressed in the plan, since this would delay implementation by probably 2-3 years.
What is likely to happen? I (optimistically) think the Regions will develop a CIP-013 process roughly like what I outlined in this post at the end of last year: namely, that an entity will be allowed to have their Region review and suggest changes to their CIP-013 plan prior to starting implementation, and that the entity will also be able to request that their Region review and advise on their implementation of the plan after they have started implementing it.
As part of the review of the entity’s plan, the Region will be able to point out threats (aka risks) that the entity should address in their plan but hasn’t. It’s a good bet that, if an entity’s Region suggests they should add threats X, Y and Z to their plan, they will add them![ii] That’s why I think this is an acceptable solution to the problem posed by this serious flaw in CIP-013.
Let’s cut to the chase: Is what I’m suggesting completely “legal” under the NERC Rules of Procedure? I’ll bet it isn’t. But as far as I can see, the only other alternatives are options a) and b) above. So there’s a choice between the somewhat illegal and the completely unacceptable. Which will it be?
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. To discuss this, you can email me at the same address or call me at 312-515-8996.
[i] There’s a slight problem here, which I only discovered while writing this post: R1.1 requires the entity to develop a plan to “identify and assess” supply chain risks, but it doesn’t require the plan to mitigate them! So in theory, the entity could develop a plan that simply listed a bunch of risks but didn’t propose to do anything about them. Of course, it’s clear that CIP-013 was ordered and developed in order to mitigate supply chain risks, so I can’t see this omission shutting down the implementation of CIP-013. But the omission does need to be fixed by amending the standard, assuming FERC orders other changes (in a second version, of course) when it approves CIP-013-1.
[ii] This arrangement will only work if the Region develops a standard set of threats that it wants included in CIP-013 plans, so that individual auditors can’t develop their own. If I were new to this business, I would also suggest that each Region publish a list of threats that need to be included in the plans, but that would go way beyond what NERC would allow them to do. So the advice will need to be provided on a one-on-one verbal basis with individual entities. The compliance advice the Regions currently provide for other CIP standards is delivered in the same way, e.g. in the SGAS.