In this recent story about the Russian hacking from E&E News last week, I was quoted as saying “...it's not clear whether the federal rules on supply chain vulnerabilities can be effective...” Of course, this was referring to CIP-013, which came up in this story since the Russian attacks were (and are) all coming through the supply chain.
I was referring here to something I brought up in this post from April, when I pointed out that R1.1 is probably not auditable because it simply requires that the entity develop a supply chain cyber security risk management plan - the requirement doesn’t provide any information about the risks that should be addressed in that plan. I pointed to CIP-010 R4 as an example (definitely the best so far) of a plan-based requirement that does provide high-level criteria for what should be addressed in the plan. Those criteria are provided in Attachment 1, which is called out in the requirement itself and is therefore part of the requirement. That is important – Attachment 1 isn’t just some sort of guidance, but is part of the requirement.
In the April post, I noted that R1.1 simply requires the entity to develop a supply chain cyber security risk management plan; it says nothing about what that plan should contain[i]. I originally thought this was a good idea because of its purity: After all, cyber security is about risk management. The best way to deal with cyber threats is to put together a risk management plan, since there is no way anybody could ever write a set of prescriptive requirements (whether or not they’re mandatory) that would make the entity perfectly secure. The best that can be done is for the entity to assess the risks and develop a plan to mitigate the highest risks[ii] (this is what R1.1 requires the entity to do, although unfortunately the SDT left out the word “mitigate”. But the whole standard makes no sense if that word isn’t assumed to be in R1.1).
However, I later came to realize that, given NERC’s prescriptive auditing process, requiring an entity just to develop a plan, without saying what has to be in it, is a recipe for having a non-auditable requirement. Either a) the auditors will decide what they think should be in your plan and then try to hold you in violation if your plan doesn’t agree with their ideas, or b) the auditors will simply give everyone a pass as long as the plan is at least halfway credible. This is why R1.1 is unauditable.
I think b) is a much more likely scenario for what will happen with CIP-013 R1.1. So this leaves the entity (that would be you, Dear Reader) with two choices:
- You can develop a minimal R1.1 plan, perhaps just addressing the six items in R1.2 (since we already know they have to be in the plan - for a recipe on how to do this, go to my April post). This will make your CIP-013 compliance job much easier. And even though it’s likely your auditor will berate you – and most likely issue an Area of Concern - for not having developed much of a plan, you can still sleep at night, knowing that he or she won’t be able to give you a PNC for this (and if they do, it won’t hold up); or
- You can Do the Right Thing (to quote the title of a great Spike Lee movie) and actually develop a real supply chain cyber security risk management plan. This will probably put you at greater compliance risk, since if you list a risk in the plan, you will have to take steps to mitigate it. And if you don’t do a good job of mitigation, you can probably still be held in violation of R2, even though you wouldn’t be in violation of R1.1 (i.e., NERC can’t audit the plan itself, but it can audit whether or not you actually did what you said you’d do in the plan).
So which course do I recommend? Door Number 1, the easier path which may allow you to leave at 5:00 now and then? Or Door Number 2, the hard path, where you’ll have to really sit down and think about what your supply chain cyber risks are and how you will mitigate the most important risks - and then, if you don’t mitigate them to the auditor’s taste, you might well receive a PNC for violating R2?
I’m sure you can guess which door I’m advocating you should take: It’s Door Number 2. Why do I say this? All you have to do is read this post on the Russian attacks. Even though it turns out DHS greatly exaggerated the success of those attacks, that doesn’t change the most important lesson to be learned from them: Supply chain security is the number one problem for the electric power industry (and probably for most other industries as well). The attacks described by DHS (both in their briefings, and in their excellent Alert from March) were all supply chain attacks. They’ve been going on for a couple years and will most likely continue, despite the increased scrutiny after DHS’ briefings. And if you want to see the damage that a supply chain attack can cause, you just need to look at two: the Target breach of 2013 and last year’s NotPetya malware.
In almost any other question of CIP compliance, I will always take the position that the entity’s job is to design procedures and policies that provide minimal compliance with the requirements. Most of the currently-enforced CIP requirements are prescriptive, and of course all CIP requirements – as all NERC requirements in general – are audited in a very prescriptive, did-they-do-it-or-didn’t-they fashion. Even if your organization might feel that good security practice is to go beyond what a particular requirement mandates, you definitely don’t want to design CIP compliance procedures that go beyond the requirement. If you do, you’re simply inviting compliance risk.[iii]
However, for a plan-based requirement, and especially one that explicitly allows the entity to consider risk, as is the case with CIP-013, this position doesn’t apply. The whole idea of developing a plan to manage risk is that you need to allocate the resources you have (staff time and money) in a way that will mitigate the most risk possible – i.e. you need to allocate your resources so that they get the most bang for the buck.
This requires considering all the major threats (which in the case of CIP-013 are supply chain cyber threats), then ranking them by the degree of risk they pose to the BES (remember, that is what risk means in any NERC standard. It’s always risk to the BES, not to the individual entity). Then you need to go through the list, starting at the top, and decide how much in the way of resources to allocate to mitigating each risk. When you feel you have mitigated the important risks, you stop.[iv] In my opinion, that is how you develop a risk management plan.
I hope to start doing some posts in the near future that elaborate on – at a high level – the steps you need to take to develop a plan for CIP-013 R1.1. If you are with a NERC entity or a vendor that is looking for a more in-depth discussion in order to start preparing for CIP-013 compliance, ask me about my free workshop offer, described in this post.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at firstname.lastname@example.org. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss any of this, you can email me at the same address.
[i] R1.2 lists six items – they are risk mitigations, rather than risks themselves – that should be included in the plan. That isn’t because these are the six actions that the SDT decided did the most to protect supply chain security. The six items are there because FERC specifically called for them in Order 829, which ordered NERC to develop the standard in the first place. The R1.1 supply chain cyber security risk management plan needs to include these six items, but only including them doesn’t give you a good plan.
[ii] If you’re wondering how a small utility might have the resources and know-how to conduct this whole risk-management exercise by themselves, so am I! Of course, since CIP-013-1 only applies to High and Medium impact assets – and since most of the organizations that own these assets probably do have at least some resources and know-how in this area – I don’t see this as an immediate problem for CIP-013. But for the future when Lows are included in CIP-013 in some way (and FERC might order this when they approve CIP-013-1), this will be a big issue. I would hope NRECA, EPSA, EEI and APPA could step up and help their smaller members in this process.
[iii] Of course, I’m not saying that you should limit the steps you actually take in any particular area of cyber security to the strict wording of the CIP requirement. For example, suppose you think that CIP-010 R1 doesn’t do a good enough job of capturing what an organization like yours should be doing for configuration management of BES Cyber Systems. You should definitely do whatever more you think is necessary; but just make sure not to include that in your actual compliance procedures for CIP-010 R1.
[iv] Of course, I’m glossing over the fact that it’s possible you may run out of budget before you have sufficiently mitigated the most important risks. When you see that is happening (and hopefully you’ll see it during the planning phase, not at the end of the implementation phase), you should try to get the additional resources needed to mitigate all the important risks. But if you don’t get those resources and you have to leave some important risk unmitigated, you will at least know that you mitigated the most risk possible with the resources you had - since you mitigated the different supply chain threats in the order of the risk they posed.