A good news article on CIP-013

I have pointed out many times in this blog that by far the best coverage of cyber security issues in the energy industry is that provided by the web-based Energy and Environment News. Unfortunately, the subscription cost for that is out of the range of us non-one-percenters, but you should look into having your organization subscribe (not just for cyber, but all energy news).

So it’s not surprising that E&E News provided the only coverage that I have seen so far of FERC’s approval of CIP-013 last week. I recommend you read this article (if you are asked to do a free trial subscription, I highly recommend it, since they have good articles every day, with cyber articles about the power industry usually at least a couple times a week. At least you’ll be able to read all the articles while your trial lasts).

In my last post (on Thursday, the day FERC approved CIP-013) I provided a brief summary of FERC’s Order 850 and said I’d have more to say after I had time to read it carefully over the weekend. Well, guess what? What I have to say now isn’t terribly different from what I said in my brief summary:

1. FERC left the implementation period at 18 months, rather than order it be shortened to 12 months, as they had suggested in their NOPR in January.
2. As they also suggested in January, they ordered that NERC add Medium and High impact Electronic Access Control and Monitoring Systems to the applicability of the standard, beyond the current Medium and High impact BES Cyber Systems. They are giving NERC 24 months to do this, which is twice as long as they gave NERC to develop the entire standard in the first place (however, when I say “They”, I need to point out that there is only one Commissioner still in office from when FERC issued Order 829 in July 2016. And that Commissioner – Cheryl LaFleur – dissented from the Order, since she very rightly didn’t believe that one year was enough time for NERC to do a good job of drafting the standard and going through the long and politically fraught approval process).
3. Regarding the other items that FERC suggested in their NOPR should be considered for applicability in CIP-013 – Physical Access Control Systems, Protected Cyber Assets and Low impact BES Cyber Systems – FERC said on Thursday that they will hold any decision until they see the final version of NERC’s supply chain security study, which is due early next year.
4. To be honest, the most interesting part of Order 850 was at the end, in paragraphs 78 and 79. Paragraph 78 discussed comments FERC received about the meaning of “vendor”; FERC’s answer mistakenly said that NERC had defined the term. Actually, the story behind that is a lot more nuanced, and points to a larger problem with the NERC CIP standards in general. Since I specialize in Larger Problems in this blog, I will dig into this later, although I have a number of other posts in the queue before that can happen.
5. Paragraph 79 was sparked by comments suggesting that NERC entities would be on the hook for deficiencies in cyber security practices by their vendors. FERC correctly pointed out that the standard specifically states that entities won’t be on the hook, although they are still responsible for mitigating the risk that the vendor presumably didn’t mitigate. For example, if your vendor agrees (in contract language or just in a letter) that they will help you mitigate new vulnerabilities that affect their products and then doesn’t do that in one case, you still have to take other steps to mitigate the risk caused by that new vulnerability.

But, through work I am currently doing with a vendor to the power industry, I’ve come to see that there’s a very neat, elegant solution to the problem of obligating vendors to take certain steps - and penalizing them if they don’t. What is really cool, though, is that this is also a solution to the vendors’ problem (which I mentioned in the E&E News article) that some NERC entities are downloading contract language from various sources on the internet and sending it to the vendors, demanding that they include that in their contracts. Of course, there’s no way the vendor can deal with this big variety of requests. My solution will also solve that problem. Not bad – two big problems nailed with one solution! Next up: a neat single solution for the two big problems of global poverty and people who talk loudly on their cell phone on trains.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013; we also work with security product or service vendors that need help articulating their message to the power industry. To discuss this, you can email me at the same address.