Mike Johnson put out a very good post last week summarizing the comments that FERC received regarding CIP-013, in response to their January NOPR indicating they intend to approve the standard. I won’t summarize the post, but I found it most interesting to note that the comments fell into two distinct groups, depending on whether the commenter was from a NERC entity or some other organization.
In both groups, the comments were almost always uniform. For the NERC entity group, the responses almost all said[i]:
- That FERC’s proposal to shorten the implementation period for CIP-013 from 18 to 12 months is a bad idea, since there’s a huge amount of work that needs to be done to prepare for compliance, especially for the larger utilities. I’m in complete agreement with this sentiment. Part of the reason why I say this is that – just as was the case with CIP v5 – there is significant uncertainty about what the requirements mean. Until this is cleared up in some way, NERC entities will have a very hard time putting their compliance programs in place.
- That requiring NERC entities to apply CIP-013 to Electronic Access Control and Monitoring Systems (EACMS), as well as BES Cyber Systems, is another bad idea; FERC also asked for comments on this in the NOPR. I agree that this shouldn’t be done in the first compliance version (i.e. FERC shouldn’t order a crash “compliance filing” to make this one change before CIP-013 takes effect at all). I do think this could be considered for the next version, which of course would take effect 2-3 years from now (but see below).
- That before ordering that any other new systems be brought into scope (FERC suggested that Low impact BCS should be included in CIP-013, as well as Physical Access Control Systems and Protected Cyber Assets), FERC should wait for NERC to complete the study ordered by the Board of Trustees (due out this summer, I believe). I support that idea as well.
However, there was one set of NERC entity comments that stood out from all of the others: those were the comments submitted by the US Bureau of Reclamation. I don’t agree with most of what they said, but I thought their comments were quite interesting.
First, BoR
says that CIP-013 should apply to all systems in scope for the current CIP
standards (BCS, PCAs, PACS, EACMS, and Low impact BCS). To make up for this
increase in scope, there should be a 24-month implementation period. This might
sound like a fair trade-off (a scope extension for more time to implement it),
except for the fact that I think NERC entities are going to want to have a say
on this big extension of the scope. They can quite reasonably argue that they
voted for a standard that applied to just Medium and High impact BES Cyber
Systems – and they voted down the first draft in part because it applied to
Lows. It is unfair to add Lows back to the scope without considering changes to
the requirements themselves (the first draft had different requirements for Low
BCS than for Mediums and Highs).
I think FERC would be understanding of this argument. But I really don’t see them just sending CIP-013-1 back to NERC (i.e. remanding it), then ordering NERC to draft and ballot new requirements as well as the scope increase and a 24-month implementation plan. That would effectively put off implementation of CIP-013 for another three years. FERC clearly wants to have a supply chain standard in effect as soon as possible. While they may order that NERC expand the scope, that would come in a new version to be drafted and balloted, not in an order for a quick and limited compliance filing.
BoR’s second recommendation is even more interesting, in that they rewrote CIP-013 R1. They suggest that R1 be rewritten to read:
Each Responsible Entity shall identify,
assess, and mitigate cyber security risks resulting from (i) procuring vendor
equipment and software; (ii) installing vendor equipment and software; and
(iii) transitioning from one vendor to another by:
1.1. Receiving vendor notification of
vendor-identified incidents related to the products or services provided to the
Responsible Entity that pose cyber security risk to the Responsible Entity;
1.2. Coordinating responses to
vendor-identified incidents related to the products or services provided to the
Responsible Entity that pose cyber security risk to the Responsible Entity;
1.3. Receiving vendor notification when
remote or onsite access should no longer be granted to vendor representatives;
1.4. Receiving vendor disclosure of
known vulnerabilities related to the products or services provided to the
Responsible Entity and steps to mitigate them;
1.5. Receiving vendor verification of
the integrity and authenticity of all software and patches provided for use in
the entity's BCS; and
1.6. Coordinating controls for (i)
vendor-initiated Interactive Remote Access and (ii) system-to-system remote
access with vendor(s).
Before I
discuss this, I want to point out that BoR caught the obvious mistake in R1.1
that I also discovered as I was writing this
post: that the drafting team left out the word “mitigate” in R1.1. This
should be fixed in the next version of CIP-013, although everything else NERC
has written and said about CIP-013 (and that FERC said in Order 829) points
clearly to mitigation being the primary purpose of the standard; I think that
will be enough to make CIP-013-1 enforceable with that implicit addition.
Let’s look
at the first part of BoR’s R1 and compare it to CIP-013-1 R1. Note that BoR has
taken out the entire “preamble” to the requirement – saying the entity needs to
develop “one or more…plans…” I definitely don’t agree with this change. In my
opinion, one of the chief virtues of CIP-013-1 R1 is that it is a plan-based
requirement; I wish all the CIP requirements were also plan-based (although
CIP-013 has other serious flaws, of course).
Now let’s
look at R1.1 in the standard. It reads “One or more process(es) used in
planning for the procurement of BES Cyber Systems to identify and assess cyber
security risk(s) to the Bulk Electric System from vendor products or services
resulting from: (i) procuring and installing vendor equipment and software; and
(ii) transitions from one vendor(s) to another vendor(s).”
BoR has
taken out the language requiring “One or more process(es) used in planning for
the procurement of BES Cyber Systems…”, but essentially left the rest. I
pointed out in this
post that combining this language (what BoR took out) with the preceding language
from the preamble to R1 leaves this redundant sentence: “The plan shall include one or more processes used in
planning for the procurement…” So I would heartily endorse the idea of
removing this language, as long as the preamble were left in place – but of
course BoR didn’t do that.
Let’s move on. BoR essentially left the rest of R1.1 in place, namely “Each Responsible Entity shall identify, assess, and mitigate cyber security risks resulting from (i) procuring vendor equipment and software; (ii) installing vendor equipment and software; and (iii) transitioning from one vendor to another”. This is of course a good thing, since I don’t want to see R1.1 ignored. But then BoR added the word “by”, followed by the six items they number 1.1-1.6, which are of course just rewordings of R1.2.1-R1.2.6 in CIP-013-1 itself.
In this
recent post, I pointed out that almost everything I’ve heard from NERC or the Regions
about CIP-013 R1 seems to imply that R1.2 is the only part of R1 that matters;
in other words, it seemed to me when I wrote that post that NERC might be
intending to ignore R1.1 altogether, since auditing it will be problematic (although
as I pointed
out a few days later, that concern may be overblown). So am I happy that
BoR left the important part of R1.1 in place?
No I’m not. Because look what they
did by adding “by”, followed by the six items from R1.2 in the original
standard. They are in effect saying “You need to identify, assess and mitigate
supply chain risks, and you do this by doing the six things below.” In other
words, as long as you’ve done the six things, you’ve also done all of your risk
identification and mitigation. Of course, this doesn’t make sense, since all
you’ve done is implement the six things, not identify or mitigate any other
risks. In other words, there is no point in having the initial paragraph in BoR’s
R1. It could just list the six things in 1.1-1.6 and there would be no change
in meaning.
So in
rewriting R1 as they did above, BoR seems to be firmly on the side of those who
think that R1.2 is the whole of the requirement, and R1.1 can be ignored. Of
course, this may ultimately be how CIP-013 R1 is interpreted, by both NERC and
the auditors. We’ll need to wait and see about that. In any case, I found BoR’s
comments on CIP-013 to be very interesting, and I commend them for making them.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that
Tom Alrich LLC can help you with NERC CIP issues or challenges like what is
discussed in this post. To discuss this, you can email me at the same address
or call me at 312-515-8996.
[i]
I read the NERC entity comments myself, and I agree that it was amazing how
uniform they were, with one exception discussed below.