In this recent story about the Russian hacking from E&E News last week, I was quoted as saying “…it’s not clear whether the federal rules on supply chain vulnerabilities can be effective…” Of course, this was referring to CIP-013, which came up in this story since the Russian attacks were (and are) all coming through the supply chain.
I was
referring here to something I brought up in this
post from April, when I pointed out that R1.1 is probably not auditable because
it simply requires that the entity develop a supply chain cyber security risk
management plan - the requirement doesn’t provide any information about the
risks that should be addressed in that plan. I pointed to CIP-010 R4 as an
example (definitely the best so far) of a plan-based requirement that does
provide high-level criteria for what should be addressed in the plan (these are
provided in Attachment 1, which is called out in the requirement itself and is
therefore part of the requirement. That is important – Attachment 1 isn’t just
some sort of guidance, but is part of the requirement).
In the April
post, I noted that R1.1 simply requires the entity to develop a supply chain
cyber security risk management plan; it says nothing about what that plan
should contain[i].
I originally thought this was a good idea because of its purity: After all,
cyber security is about risk management. The best way to deal with cyber
threats is to put together a risk management plan, since there is no way
anybody could ever write a set of prescriptive requirements (whether or not
they’re mandatory) that would make the entity perfectly secure. The best that can
be done is for the entity to assess the risks and develop a plan to mitigate
the highest risks[ii]
(this is what R1.1 requires the entity to do, although unfortunately the SDT
left out the word “mitigate”. But the whole standard makes no sense if that
word isn’t assumed to be in R1.1).
However, I
later came to realize that, given NERC’s
prescriptive auditing process, requiring an entity just to develop a plan,
without saying what has to be in it, is a recipe for having a non-auditable requirement.
Either a) the auditors will decide what they think should be in your plan and
then try to hold you in violation if your plan doesn’t agree with their ideas,
or b) the auditors will simply give everyone a pass as long as the plan is at
least halfway credible. This is why R1.1 is unauditable.
I think b)
is a much more likely scenario for what will happen with CIP-013 R1.1. So this
leaves the entity (that would be you, Dear Reader) with two choices:
- You can develop a minimal R1.1 plan, perhaps just addressing
the six items in R1.2 (since we already know they have to be in the plan -
for a recipe on how to do this, go to my April post). This will make your
CIP-013 compliance job much easier. And even though it’s likely your
auditor will berate you – and most likely issue an Area of Concern - for
not having developed much of a plan, you can still sleep at night, knowing
that he or she won’t be able to give you a PNC for this (and if they do,
it won’t hold up); or
- You can Do the Right Thing (to quote the title of a great
Spike Lee movie) and actually develop a real supply chain cyber security
risk management plan. This will probably put you at greater compliance
risk, since if you list a risk in the plan, you will have to take steps to
mitigate it. And if you don’t do a good job of mitigation, you can
probably still be held in violation of R2, even though you wouldn’t be in
violation of R1.1 (i.e., NERC can’t audit the plan itself, but it can
audit whether or not you actually did what you said you’d do in the plan).
So which
course do I recommend? Door Number 1, the easier path which may allow you to
leave at 5:00 now and then? Or Door Number 2, the hard path, where you’ll have
to really sit down and think about what your supply chain cyber risks are and
how you will mitigate the most important risks - and then, if you don’t
mitigate them to the auditor’s taste, you might well receive a PNC for violating
R2?
I’m sure you
can guess which door I’m advocating you should take: It’s Door Number 2. Why do
I say this? All you have to do is read this
post on the Russian attacks. Even though it turns out DHS greatly exaggerated
the success of those attacks, that doesn’t change the most important lesson to
be learned from them: Supply chain security is the number one problem for the
electric power industry (and probably for most other industries as well). The
attacks described by DHS (both in their briefings, and in their excellent Alert from March) were
all supply chain attacks. They’ve been going on for a couple years and will
most likely continue, despite the increased scrutiny after DHS’ briefings. And
if you want to see the damage that a supply chain attack can cause, you just
need to look at two: the Target breach of 2013 and last year’s NotPetya
malware.
In almost
any other question of CIP compliance, I will always take the position that the
entity’s job is to design procedures and policies that provide minimal
compliance with the requirements. Most of the currently-enforced CIP
requirements are prescriptive, and of course all CIP requirements – as all NERC
requirements in general – are audited in a very prescriptive, did-they-do-it-or-didn’t-they
fashion. Even if your organization might feel that good security practice is to
go beyond what a particular requirement mandates, you definitely don’t want to
design CIP compliance procedures that go beyond the requirement. If you do, you’re
simply inviting compliance risk.[iii]
However, for
a plan-based requirement, and especially one that explicitly allows the entity
to consider risk, as is the case with CIP-013, this position doesn’t apply. The
whole idea of developing a plan to manage risk is that you need to allocate the
resources you have (staff time and money) in a way that will mitigate the most
risk possible – i.e. you need to allocate your resources so that they get the
most bang for the buck.
This requires considering all the major threats (which in the case of CIP-013 are supply chain cyber threats), then ranking them by the degree of risk they pose to the BES (remember, that is what risk means in any NERC standard: it’s always risk to the BES, not to the individual entity). Then you need to go through the list, starting at the top, and decide how much in the way of resources to allocate to mitigating each risk. When you feel you have mitigated the important risks, you stop.[iv] In my opinion, that is how you develop a risk management plan.
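The rank-then-allocate procedure just described, together with the run-out-of-budget case from footnote [iv], as an added Python example (not from the original post). The risk register, the likelihood-times-impact scoring convention, the cost figures and the “important” threshold are all constructed assumptions; the R1.2 flag simply marks items the plan must include regardless of where they rank.

```python
from dataclasses import dataclass

@dataclass
class SupplyChainRisk:
    name: str
    likelihood: int        # 1 (rare) .. 5 (expected); constructed scale
    bes_impact: int        # 1 .. 5, impact on the BES, not on the entity
    mitigation_cost: int   # planning-phase estimate in arbitrary budget units
    required_by_r1_2: bool = False  # one of the six items R1.2 says the plan must include

def risk_score(risk: SupplyChainRisk) -> int:
    """Risk to the BES, scored as likelihood x impact (an assumed convention)."""
    return risk.likelihood * risk.bes_impact

def plan_mitigations(risks, budget, important_score=10):
    """Rank risks by BES risk, fund them strictly in rank order, and stop at the
    first one the remaining budget cannot cover. R1.2 items are funded first
    because the plan must include them whatever their rank. Any 'important'
    risk (score >= important_score) left unfunded is reported with the budget
    shortfall, so the gap shows up in planning rather than after implementation."""
    ranked = sorted(risks, key=lambda r: (not r.required_by_r1_2, -risk_score(r)))
    funded, unfunded, remaining = [], [], budget
    for risk in ranked:
        if not unfunded and risk.mitigation_cost <= remaining:
            funded.append(risk.name)
            remaining -= risk.mitigation_cost
        else:
            unfunded.append(risk.name)  # strict order: nothing lower-ranked jumps ahead
    unfunded_important = [r.name for r in ranked
                          if r.name in unfunded and risk_score(r) >= important_score]
    needed = sum(r.mitigation_cost for r in ranked if r.name in unfunded_important)
    return {"ranked": [r.name for r in ranked], "funded": funded, "unfunded": unfunded,
            "remaining_budget": remaining, "unfunded_important": unfunded_important,
            "shortfall": max(0, needed - remaining)}

# Constructed sample risk register; names, scores and costs are illustrative only.
SAMPLE_RISKS = [
    SupplyChainRisk("Counterfeit spare parts", 2, 3, 25),
    SupplyChainRisk("Compromised firmware in procured devices", 2, 5, 40),
    SupplyChainRisk("Vendor breach exposing our network diagrams", 3, 4, 15),
    SupplyChainRisk("Vendor remote access with weak controls", 4, 5, 30, required_by_r1_2=True),
    SupplyChainRisk("Unverified software integrity/authenticity", 4, 5, 20, required_by_r1_2=True),
]

if __name__ == "__main__":
    plan = plan_mitigations(SAMPLE_RISKS, budget=80)
    for key, value in plan.items():
        print(f"{key}: {value}")
```

With a budget of 80 the two R1.2 items and the next-ranked risk are funded, the firmware risk is the first one the remaining budget cannot cover, and the plan reports a shortfall of 25 for it while planning is still under way.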
I hope to
start doing some posts in the near future that elaborate on – at a high level –
the steps you need to take to develop a plan for CIP-013 R1.1. If you are with
a NERC entity or a vendor that is looking for a more in-depth discussion in
order to start preparing for CIP-013 compliance, ask me about my free workshop
offer, described in this
post.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that
if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or
challenges like what is discussed in this post – especially on compliance with
CIP-013. And if you’re a security vendor to the power industry, TALLC can help
you by developing marketing materials, delivering webinars, etc. To discuss any
of this, you can email me at the same address.
[i] R1.2 lists six items – they are risk mitigations, rather than risks themselves – that should be included in the plan. That isn’t because the SDT decided these six actions address the most important supply chain security risks. The six items are there because FERC specifically called for them in Order 829, which ordered NERC to develop the standard in the first place. The R1.1 supply chain cyber security risk management plan needs to include these six items, but including only them doesn’t give you a good plan.
[ii] If you’re
wondering how a small utility might have the resources and know-how to conduct
this whole risk-management exercise by themselves, so am I! Of course, since
CIP-013-1 only applies to High and Medium impact assets – and since most of the
organizations that own these assets probably do have at least some resources
and know-how in this area – I don’t see this as an immediate problem for
CIP-013. But for the future when Lows are included in CIP-013 in some way (and
FERC might order this when they approve CIP-013-1), this will be a big issue. I
would hope NRECA, EPSA, EEI and APPA could step up and help their smaller
members in this process.
[iii] Of
course, I’m not saying that you should limit the steps you actually take in any
particular area of cyber security to the strict wording of the CIP requirement.
For example, suppose you think that CIP-010 R1 doesn’t do a good enough job of
capturing what an organization like yours should be doing for configuration
management of BES Cyber Systems. You should definitely do whatever more you
think is necessary; but just make sure not to include that in your actual
compliance procedures for CIP-010 R1.
[iv] Of course, I’m glossing over the fact that it’s possible you may run out of
budget before you have sufficiently mitigated the most important risks. When
you see that is happening (and hopefully you’ll see it during the planning
phase, not at the end of the implementation phase), you should try to get the
additional resources needed to mitigate all the important risks. But if you don’t
get those resources and you have to leave some important risk unmitigated, you
will at least know that you mitigated the most risk possible with the resources
you had - since you mitigated the different supply chain threats in the order
of the risk they posed.