Tuesday, April 23, 2019

Supply chain security lessons from the medical device industry – part I



Nowadays, I try to avoid multi-part posts, since it seems that most of the time I never deliver all of the parts I promised. But I think I might actually do that this time, since I want to tell you about three documents that should be quite interesting to anybody trying to figure out how they can put together a good supply chain cyber security risk management plan – either to prepare for CIP-013 compliance or just because they know their organization needs to have one anyway.

I often say nowadays that threats through the supply chain are the number one source of cyber security threats, for just about any industry – I say it because I believe it’s true. And it’s especially true for the electric power industry, since our good friends the Russians have figured out that the supply chain is the soft underbelly of the US grid. They may have actually gotten into the grid itself this way (as the CIA and FBI have said), although we haven’t yet gotten up the nerve to find out whether or not this actually happened. It seems we don’t want to be impolite, or something like that.

And of course, another reason why supply chain security is very important for the power industry is that the NERC CIP-013 standard will come into effect in about 15 months, which isn’t very long considering what has to be done (especially by larger utilities). Besides currently working full time on CIP 13 in my day job, I’m also very involved with the Supply Chain Working Group of the NERC CIPC, which has formed five sub-groups to write white papers on various aspects of supply chain security/CIP 13 compliance (and believe it or not, with CIP 13, security literally equals compliance and vice versa. As everyone in the industry knows, this is very far from being the case with the other CIP standards).

I’m in charge of one of those sub-groups that’s looking at the vendor risk management lifecycle. We’ve been ranging far afield, looking for ideas that we can bring back to the industry in our white paper. I’ve known for two or three years that the medical device industry already had mandatory supply chain cyber regulations in place, so I invited a former colleague of mine, Nick Sikorski of Deloitte, to talk to our group a couple weeks ago about what hospitals do to secure their medical device supply chain.

Nick has been working in this area for maybe four or five years and is quite knowledgeable about it, so he didn’t disappoint. Everyone in the meeting found what he said to be quite interesting, and the questions went on for half an hour or so[i]. Plus Nick provided us with three really interesting documents, which seem to hold a lot of ideas for what the power industry could be doing in supply chain security. I was thinking I might discuss all of this in one longish post, but after going through the documents I realized that each one could be the subject of its own post.

First some background: For five or six years, the US Food and Drug Administration (FDA) has published mandatory guidance for cyber security of medical devices sold to hospitals (and sometimes provided to patients by the hospitals, such as pacemakers). You might think that “mandatory guidance” is an oxymoron, like “British cuisine” or “jumbo shrimp”. Either it’s mandatory or it’s guidance, but it can’t be both. However, the FDA has a unique position among regulators; it needs to approve medicines and medical devices for sale in the US. A device maker that wants to be able to sell their product here would be very well advised to follow the FDA’s “voluntary” guidance (and of course the FDA publishes guidance in many areas besides cyber security, and not just for medical devices).

The biggest difference between the FDA’s guidance and CIP-013 is that the former applies to the vendors, not to the end users (which in this case are hospitals). It would be nice if there could be direct regulation of power industry vendors, but since neither NERC nor FERC has any jurisdiction over vendors, this isn’t possible. The industry is left with the situation where a large part of the effort required for CIP-013 compliance depends for its success on getting vendors to do certain things, but in the end the electric utilities are on the hook for compliance, not the vendors. The hospitals aren’t in the same situation.

But this doesn’t mean utilities can’t learn a lot from what hospitals have done to help them secure their supply chains. Perhaps the poster child for this is the Manufacturer Disclosure Statement for Medical Device Security[ii] or MDS2. It’s been around since 2013 (although a successor is being developed now). It was drawn up by the hospitals (not the FDA), and I believe it is filled out religiously by most (all?) medical device makers. In fact, if you Google the name of the document, you’ll find some filled-out forms from vendors like GE Healthcare.

The document is an Excel spreadsheet with about 150 questions divided among 20 categories. Some sections don’t have relevance to CIP 13, since they deal with data privacy (and privacy isn’t a concern for control systems. Of course, data privacy is different from confidentiality of BES Cyber System Information, which is quite definitely a concern of the CIP standards, although not so much of CIP 13). But other sections are quite relevant, such as “System and Application Hardening” and “Security Capabilities”.

I think anyone (almost) involved in CIP 13 compliance should find these questions interesting. Through my work on CIP-013 compliance so far, I have come to see a vendor questionnaire as a key component of a good SCCSRMP (I’ll let you guess what that stands for, although if you go to CIP 13 R1, I think you’ll find out). This is because it can be a great way to assess a vendor’s cyber program, without sending out a team of inspectors to each of say 50 vendors. Of course, it would be nice if some industry body would draw up an “official” questionnaire (as we’ve been discussing in my group) – and maybe that will happen, since at the same meeting where Nick spoke, Tobias Whitney of EPRI discussed a vendor questionnaire they’re currently drawing up, although he can’t provide a draft of it now.

But for the time being I would recommend that each entity draw up its own questionnaire. It should be based on the set of supply chain threats that you have “identified and assessed”, as called for in R1.1, then decided you would mitigate in your SCCSRMP; but it shouldn’t go beyond those. You shouldn’t just throw a bunch of questions in that sound like they’re good ones. If they don’t address threats you’ve chosen to mitigate in your plan, then you’re going to make vendors jump through hoops to answer a lot of questions, when you don’t really care about those answers.

Of course, your vendor might complain that they’re getting a bunch of different questionnaires thrown at them, and they might point you to some standardized description of their cyber security program for your answers (I know some vendors are doing this now. It’s certainly a good idea, but it probably isn’t going to answer all of the questions you need to ask, and more importantly it may be hard to actually get the answers that you need out of the general verbiage). It’s up to you to decide whether whatever answers you get from the vendor are adequate – and if you don’t think they’re being responsive with some of the questions, then you may want to consider the vendor to be high risk for those threats, and hence use appropriate mitigations. Because that’s really what the questionnaire is about – assessing the risk your vendor poses to BES security, as personified in your own little “corner” of the BES.
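The procedure in these two paragraphs (every question traced to a threat the plan chose to mitigate, and a non-responsive or boilerplate answer rated as high risk for the threat it addresses), as an added Python example that is not code from the post; the threat register, question set and vendor answers are constructed sample data.

```python
# Added example (not from the original post): checks that a CIP-013 vendor
# questionnaire stays traceable to mitigated threats, then rates a vendor's
# answers per threat. All IDs, questions and answers are constructed samples.

# Answers that deflect rather than respond; the post treats these as a risk signal.
NOT_RESPONSIVE = {"", "n/a", "see our security whitepaper", "refer to policy"}
SEVERITY = {"low": 0, "review": 1, "high": 2}

# Constructed threat register: only threats with mitigate=True are in the plan.
THREATS = {
    "T1": {"desc": "Malware in vendor-delivered software", "mitigate": True},
    "T2": {"desc": "Unauthenticated vendor remote access", "mitigate": True},
    "T3": {"desc": "Vendor facility physical intrusion", "mitigate": False},
}

# Constructed questionnaire: each question cites the threat it assesses.
QUESTIONS = [
    {"id": "Q1", "threat": "T1", "text": "Do you sign releases and publish hashes?"},
    {"id": "Q2", "threat": "T2", "text": "Is remote access limited to MFA sessions?"},
    {"id": "Q3", "threat": "T3", "text": "Are all facility doors badge-controlled?"},
    {"id": "Q4", "threat": "T9", "text": "What is your annual security budget?"},
]

def orphan_questions(questions, threats):
    """Ids of questions not tied to a threat the plan mitigates (R1.1 rule:
    don't ask about threats you have not chosen to act on)."""
    return [q["id"] for q in questions
            if not threats.get(q["threat"], {}).get("mitigate", False)]

def rate_answer(answer):
    """Missing, boilerplate or 'no' -> high; 'yes' -> low; anything else needs review."""
    a = answer.strip().lower()
    if a in NOT_RESPONSIVE or a == "no":
        return "high"
    return "low" if a == "yes" else "review"

def assess_vendor(questions, threats, answers):
    """Per-threat risk rating for one vendor; the worst rating among a
    threat's questions wins, and orphan questions carry no risk decision."""
    ratings = {}
    for q in questions:
        t = q["threat"]
        if not threats.get(t, {}).get("mitigate", False):
            continue
        r = rate_answer(answers.get(q["id"], ""))
        if SEVERITY[r] >= SEVERITY.get(ratings.get(t), -1):
            ratings[t] = r
    return ratings

# Constructed vendor response: one direct answer, one deflection to a generic document.
VENDOR_ANSWERS = {"Q1": "Yes", "Q2": "See our security whitepaper"}
```

Running `orphan_questions(QUESTIONS, THREATS)` flags Q3 and Q4 as questions to drop, and `assess_vendor(QUESTIONS, THREATS, VENDOR_ANSWERS)` rates T2 high because the vendor deflected instead of answering.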


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.


[i] This is just one example of the great discussions that my group – and the other four sub-groups of the SCWG – have been having on different aspects of supply chain security. If you want to join the SCWG, you should send me an email and I’ll forward it to the right people.

[ii] I’d like to provide a direct link to the document, but as soon as you click on the Google result, the document downloads – so I can’t capture the URL. You can get it by searching on “mds2 form hn 1-2013”, then clicking on the link that starts “HIMSS/NEMA Standard…”. You can find a “guidance” document on it at this link.

2 comments:

  1. A retired NERC auditor pointed out to me that there is a direct link to the MDS2 spreadsheet. You just have to click "I agree".
    https://www.nema.org/Standards/Pages/Manufacturer-Disclosure-Statement-for-Medical-Device-Security.aspx#download

    1. The mystery auditor has let me use his name: It's Kevin Perry, former Chief CIP Auditor of the former SPP RE.
