After my last post, I received emails from a couple of people who understand NERC CIP very well. They were disturbed that I seemed to be saying we should throw away mandatory cyber security standards for the power sector altogether, due to the huge cost of compliance with CIP. Rest assured, I’m not saying that. I think mandatory standards are absolutely essential, since – as everyone admits – the only sure-fire way to get adequate funding for cybersecurity in almost any organization is if there are mandatory standards in place.
However, I think it’s possible to design standards that wouldn’t lead to the majority of total industry spending on CIP going to activities that have little to no impact on security, but which are required for compliance – as an informal “poll” that I have been taking over the past few years leads me to believe is the case today. In fact, we have such a design in front of us. CIP-013-1, while certainly not perfect, comes very close to being my model for how all of the CIP standards should be rewritten.
But the fact that it is so economically inefficient is just one of five problems that I see with the current CIP standards regime (i.e. the standards currently in effect). I have mentioned all of these problems in posts at various times in recent years, but I have never written about them together in one place. Last summer, I got about two thirds of the way through a book that tries to do that, as well as propose a solution. However, since then I’ve been too busy to finish it.
Last spring I was fortunate enough to be asked by the editor of Cybersecurity: A Peer-Reviewed Journal (a UK-based publication) to write an article for this year’s journal, which is actually published in quarterly 100+-page editions. I chose the topic of “How can we effectively regulate grid security?” The article describes – at a very high level, of course – the five problems I see with the current NERC CIP compliance regime (which includes more than the standards themselves), and very briefly outlines how I’d address them.
I’d love to be able to finish my book so I can fill in the details on these topics, but at the moment I feel that putting food on the table is more important (I have this funny thing about food…).[i] Fortunately, I just reread the article and I think it provides a very good summary of what I will say in the book – in about 1/25 of the space!
Going by the articles from previous years that I was provided as samples, the journal publishes very high-quality work; so you may feel you would like to invest the $295 to subscribe for this year (there is no online version). However, if you don’t want to do that (or you’d like to try before you buy), I was given permission to make my article available a month after it was published, which was last month. I’m now doing that (using a proof copy I was sent).
Since I can’t attach PDFs to this blog (only JPEGs, and I’ve only done that once), I need you to drop me an email at email@example.com if you would like to read the article (it’s 10 pages). I promise that no salesman will email you back and I’ll send it to everybody who asks, whether or not you’re a competitor to my huge consulting business (however, if you work for a Russian or Chinese state-sponsored organization, I won’t send it to you – although I don’t expect anybody from one of those organizations to send me an email from their official account! Of course, there’s nothing in the article that could in any way guide attacks on the North American power grid).
And I’d like to hear comments on the article! I think it’s becoming more relevant all the time, especially since NERC needs to soon make some pretty fundamental decisions about what they want CIP to be when it grows up. I hope to have a post out on that subject within a couple weeks.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at firstname.lastname@example.org. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.
[i] I’ve also decided that I would like to put out a book on supply chain cyber security risk management and CIP-013, before I go back to the other book. This one will be much easier to write, since I’m currently “writing” it as part of my work (at the moment all of my work is on CIP-013).