Monday, September 2, 2019

NERC GridSecCon 2019



I first attended GridSecCon in its third year (2013), and after that I vowed I wouldn’t miss any more. In fact, I can say without hesitation that each year it gets better – and I have no doubt that this year’s (October 22-25 in Atlanta) will be the best yet. It’s the most important security conference/exhibition (and that applies to physical as well as cyber security) for the North American electric power industry, period.

So I was quite happy to be invited to lead a panel devoted to supply chain security at this year’s conference. The panel is entitled “Supply Chain Threat Vector”, and it will take place on Wednesday (Oct. 24) afternoon from 3:15 to 4:00. The description of the panel is concise: “Where risk managers should start in identifying their operational technology supply chain security risk.” Of course, when the panel is constituted and has a phone meeting, I’m sure we’ll flesh out exactly how we’re interpreting that mandate.

The other members of the panel still haven't been finalized; I'll announce them when I know them. I’ll also announce the objective of our panel, once we've had a chance to meet and discuss it (I have my ideas for that, but I don’t want to state them now and constrain what the panel decides on).

However, I can now give an answer to what some people might naturally ask: Is this panel about supply chain security or CIP-013 compliance? My unequivocal answer to that question is Yes; it is about both security and compliance. Some might then ask: How can this be? After all, every person working in NERC CIP compliance is taught from day one that security doesn’t equal compliance, and compliance doesn’t equal security. Why is CIP-013 different?

CIP-013 is different from the other approved CIP standards, because it doesn’t require the NERC entity to take any specific actions except:

  1. Develop a good supply chain cyber security risk management plan (R1);
  2. Implement that plan (R2); and
  3. Review that plan every 15 months (R3).

That’s it. The plan needs to include the six risks listed in R1.2 (and it’s really eight risks, since R1.2.5 and R1.2.6 both include two risks – kind of a “two for the price of one” deal), but R1.1 makes it clear that the plan needs to address all important supply chain cyber risks, not just those six (although addressing a risk will in most cases mean accepting it). You comply with CIP-013 by developing and implementing a good supply chain cyber security risk management plan, period and end of story. In other words, with CIP-013, compliance equals security and security equals compliance.

This means that the whole question of CIP-013 compliance comes down to what constitutes a good supply chain cyber security risk management plan for important BES Cyber Systems. On this question, the standard itself is silent. The single official guidance document from NERC (developed by the SDT in 2017) simply gives suggestions for what could be included in the plan, so it’s up to the NERC entity to decide what a good plan is. Our GridSecCon panel will aim to provide some suggestions for elements of a good plan. I hope to see you there!*


* I inserted this asterisk to point out an unfortunate circumstance that will require that a lot of people who are involved with NERC CIP compliance (including a substantial number of NERC Regional CIP auditors and enforcement people) be elsewhere the week of GridSecCon. This circumstance is that, for either the third or fourth time, WECC’s semi-annual compliance workshops (including CIP compliance) – called the Reliability and Security Workshop – are scheduled for that week, this time in Las Vegas.

The previous two or three times this happened were the first two or three GridSecCons. I know that many entities in WECC complained about this, especially some of their CIP auditors, and WECC finally found a way to keep this from happening. In fact, last year WECC hosted the conference in Las Vegas (and held their workshops the next week in San Diego). I thought the problem had been solved for good.

And now it’s happened again. I don’t know whose fault it is, or what other circumstances may have required that WECC schedule their conference for the same week as GridSecCon, but it’s quite unfortunate that this has happened again, given the number of people that I’m sure would like to attend both events. Once again, these people are forced to choose between the two events – and for someone heavily involved in CIP compliance at a WECC entity, there really is no choice at all.

The WECC CIP workshops host easily 400-500 people. I know not all of them would want, or be able, to attend GridSecCon, but I’m sure that as a result of the scheduling conflict, the conference will be short at least 100 people who could have contributed immensely to the discussions, both during the official sessions and between attendees at other times.

And while I’m on it, I want to lodge another complaint with WECC. This year, the workshops in Las Vegas will cost $650, with no discount if someone wants to attend just the one day devoted to CIP and cyber security. This is far out of proportion (in fact, infinitely so) with what most of the other Regions charge for their CIP workshops, which is $0.00. And at the current rate of escalation (I think the one this spring cost around $450), it won’t be long before they reach $1,000.

Of course, even $1,000 isn’t too much to pay in order to get good compliance information on standards that carry penalties of up to $1 million per day for non-compliance. (I admit there is good food at the WECC meetings, but most other Regions provide good food as well, at little or no cost to attendees. When I attended WECC’s spring 2018 workshop in Boise, there was grumbling over the fee then, which I think was in the range of $250-$350. In their survey forms, WECC anticipated this grumbling by asking respondents whether they would be willing to give up refreshments during the meeting – not the breakfast and lunch, of course – in exchange for a lower fee. Give me a break!)

But I think WECC could certainly figure out a way to reduce the fee in the future (let alone not escalate it to $1,000). Here’s a suggestion: since WECC brings a small army of employees to this meeting (which is appropriate, given the size of their Region; for example, I know they have – or have openings for – over ten CIP auditors), they could probably save most of that cost by simply holding all compliance workshops in Salt Lake City from now on. SLC is a wonderful place to visit at any time of the year.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And Tom continues to offer a free two-hour webinar on CIP-013 to your organization; the content is now substantially updated based on Tom’s nine months of experience working with NERC entities to design and begin to implement their CIP-013 programs. To discuss this, you can email me at the same address.
