In my post on Monday, I suggested that any NERC entity that has to comply with CIP-013-1 by July 1, 2020 submit their R1 plan to their Region for review by March of next year. The reason for this suggestion is that many Regions won’t want to review plans after the compliance date, and it’s important to get it in to them in time to make sure it gets reviewed – since there will presumably be a lot of other entities with the same idea.
Kevin Perry, former Chief CIP Auditor of SPP RE, emailed and pointed out to me that March might well be too late. For one, the auditors have day jobs to do, and given the likely crush of entities wanting plan review, it’s very possible they won’t be able to review all of the plans by July 1. But even more importantly, you want to have enough time to make whatever changes the auditor suggested before the compliance date. So I’m going back to my original suggestion that you should aim to submit your plan to your Region by January. And if you can’t make that date, do your best.
However, as I said in Monday’s post, I think the Regions that tell you they can’t review your CIP-013 plan after the compliance date don’t understand that the principle of auditor independence shouldn’t apply to a standard that requires you simply to develop and implement a supply chain cyber security risk management plan – a requirement (R1.1) that provides just about zero guidance (in the requirement itself, which is of course the only “guidance” that counts in NERC – i.e. is binding on both auditor and entity) on what should be in the plan.
However, this isn’t necessarily a problem with CIP-013. The problem is with most of the other CIP requirements, which are prescriptive and create the illusion that it’s possible to mitigate cybersecurity risks in the same way that you address electric operational risks. The latter are based on the laws of physics, which – as far as I know – don’t change from year to year or entity to entity. Cyber risks, on the other hand, can never be specified to any degree of rigor, which is why prescriptive requirements make very little sense in cyber. For the same reason, IMHO auditor independence also doesn’t make sense when it comes to CIP. And it especially doesn’t make any sense when it comes to CIP-013, since the standard doesn’t prescribe anything in particular.
This, by the way, is partially a statement of what I’ll be talking about in my webinar on Nov. 7. You might want to check it out.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, remains open to NERC entities and vendors of hardware or software components for BES Cyber Systems. To discuss this, you can email me at the same address.