Wednesday, February 27, 2019

Here’s your big chance!

I’ve been saying for a while that the biggest flaw in CIP-013 is that it doesn’t provide a list of risks (or threats, as I prefer to call them, following NIST 800-30) that need to be addressed in the supply chain cyber security risk management plan required by R1.1. Because there is no list provided – beyond a very high-level list of three or four types of risk that need to be addressed – this means it is up to each entity to decide a) what are the most important supply chain threats that apply to the electric utility industry, and b) which of those pose the most risk to their own BES Cyber Systems. Their plan needs to describe how they identified the highest risks, and how they will mitigate them.

The problem is that it isn’t an easy task to look through the literature and identify the most important risks the industry faces. Larger utilities might have the staff to do this type of work, but smaller utilities definitely don’t. This is why I said a year and a half ago, in relation to CIP-013 R3, that there should be an industry body tasked with identifying threats that NERC entities would consider in developing their CIP-013 plans. This body would publish periodically (at least annually) a list of cybersecurity threats to the power industry (and specifically to BES Cyber Systems). NERC entities would need to annually determine which of these threats posed significant risk to their BCS, and would next need to develop a supply chain cyber security risk management plan to mitigate those risks.

So if an industry body developed a list of supply chain cyber security threats (or risks, to use CIP-013’s term) that are important to the electric power industry, this list could well provide the starting point for the supply chain cyber security risk management plan required by CIP-013 R1.1 (which I’ll call the “CIP-013 plan” from now on). This definitely doesn’t mean that NERC entities would have to mitigate all of the threats on the list, since a) some won’t apply to some utilities and b) some will be determined to carry low enough risk to a particular utility that no mitigation is called for.

Of course, if a utility has an unlimited budget for supply chain cyber security risk mitigation, they can mitigate every threat on the list, no problem. However, for those that don’t have an unlimited budget, they have to spend the budget they have where it will do the most good. It will do the most good if they identify the threats that pose the highest risk, and develop a plan to mitigate those threats. In fact, I think that all of the CIP standards should work this way.

However, creating an official body to identify threats for NERC entities to consider in their CIP-013 plans, along with the required changes to CIP-013 itself, would take years to accomplish. This does nothing to solve the current problem of complying with CIP-013-1.

So if there isn’t going to be an industry body that officially tells NERC entities what threats they should consider in developing their CIP-013 plans, what’s plan B? In the middle of last year, I (and a few others) started talking about an existing industry group (i.e. not part of NERC) doing that, although “industry groups” might be a better term. I was hoping that the trade associations could be convinced to identify the most important supply chain cyber security threats that their members were likely to face. Of course, no NERC entity would be compelled to even read the threat list put out by their trade organization, let alone act on it. But for many (and probably most) entities, it would be a big help to have a list that would give them a good start for developing their CIP-013 plans. As it stands now, there is no obvious starting point for them.

I’m not discussing some sort of theoretical problem. I’m now working with two NERC entities on long-term projects to implement CIP-013 compliance, and have started both projects with workshops where we discuss the issues and the best way to proceed. It has readily become apparent that the two biggest tasks – which the entity has to take ultimate responsibility for – are to a) identify the threats they will consider in their CIP-013 plan; and b) estimate the risk that each threat poses to their environment, so they can focus their mitigation efforts on the threats that pose the highest risk. Both of these entities (one large and one medium-sized) would benefit from having an industry group that would consider supply chain security threats and let the industry know about threats that it deems important for NERC entities to consider for mitigation in their CIP-013 plans. However, until a few days ago I saw no hope that any industry body might be willing to take up this task.

What changed my mind was learning earlier this week that a new group I have been nominally part of for more than a month (although I’ve only been able to attend one phone meeting of theirs so far) seems to see the need for identification of important supply chain threats, and is going to start that effort next Wednesday. This is the NERC Supply Chain Working Group, which is “chartered” by the NERC CIPC (the industry group that oversees all NERC cyber security activities. The CIPC’s duties include following – but not having any direct role in – development of new CIP standards and requirements).

In their agenda for their first onsite meeting under their new chairman, Tony Eddleman of the Nebraska Public Power District, the SCWG lists five papers they want to write, each one focused on a particular area of supply chain security:

ii. Considerations for secure hardware delivery
iii. Considerations for establishing provenance of systems and components
iv. Considerations for threat-informed procurement language
v. Considerations for supply chain risk management lifecycle (assessments & reassessments, external dependencies, concluding supplier relationships)
vi. Considerations for unsupported or open-source technology

Note: I deliberately omitted item i on the team’s list, which is “Supply Chain risks related to cloud service providers”. While this is an important topic for NERC entities nowadays, I don’t call this a CIP-013-related task. CIP-013 currently only applies to BES Cyber Systems, but the CIP standards effectively forbid entities from implementing actual BES Cyber Systems in the cloud – for example, outsourced SCADA (at least, this applies to Medium and High impact BCS; there’s currently nothing to prevent entities from implementing Low impact BCS in the cloud). However, a growing number of NERC entities are storing information about BCS (BCSI) in the cloud, as part of outsourced services like configuration management. But CIP-013 doesn’t apply to BCSI.

Of course, these are only five areas of threats within the universe of supply chain security threats; I’m sure that a complete overview of supply chain security threats would require ten or more additional papers. But all five are difficult topics, and I commend the committee for taking these on; maybe they will be persuaded to tackle the others later.

But this is where the title of this post comes in. The SCWG is open to all, whether or not you work for a NERC asset owner (you do have to be a user of electricity, but I’m not sure how you’re reading this post if you’re not!). Their meeting next week is in Pittsburgh, in conjunction with the CIPC’s quarterly meeting there, but there will also be a webinar for those who can’t be there in person (I unfortunately can’t do either, since that is the day I’m participating in a panel at the RSA Security Conference whose topic is…what else? Supply chain security for the energy industry).

Whether or not you can attend next week’s meeting, if you would like to participate in the SCWG and have a hand in writing one or more of these papers, drop an email to Tony at Fame and fortune surely await you[i]!

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.

[i] However, I’m not liable if you don’t earn fame or fortune from this. What you will earn is a good feeling that comes from helping a) the industry and b) your own organization as they address the issue of supply chain security, which I believe is easily the biggest worldwide cyber security threat of our time.
