Since I consider CIP-013 compliance to be at heart the responsibility of the NERC entity, not mine, my consulting approach for helping a NERC entity come into compliance consists of a series of 1-3 weeklong workshops with cybersecurity, compliance, procurement and (sometimes) legal people. In these workshops, I go through what CIP-013 says (that’s an easy one: it says what’s in the requirements, nothing more and nothing less, although the Evidence Request Spreadsheet for CIP-013 also provides some very good information on what audits will focus on), as well as the “crowdsourced” methodology and MS Excel™ workbooks that I and my clients have developed over the past year (the methodology and workbooks continue to develop, although the changes nowadays are more in the fine points, not fundamental concepts).

CIP-013 compliance, and certainly my methodology, involves some concepts that don’t come easily. I consider an initial workshop to be very successful if even two or three people get the ideas I’m talking about. And I find the people who are hardest to convince are the Walking Wounded – people who have been beaten into a submissive state by the prescriptive CIP requirements (most but fortunately not all of the existing requirements) for years (usually with PTSD from one or two bad audits). They have given up forever the idea that they can ever make sense of what CIP requires them to do and guide their actions by the criterion of what’s sensible. They pray that someone, somewhere will provide them the magic key that will unlock the true meaning of all the CIP requirements, so that they can implement their compliance programs in complete confidence that the auditors will love what they do.

And barring delivery of that magic key, they pray for an early death.

I bring this up because, in a conversation at one of the meetings during this week’s workshop at a medium-to-large-sized municipal utility, we got into a discussion of what would happen if, during a Procurement Risk Assessment, they decided that mitigating the remaining residual risk from a particular threat would just be too costly – so they decided to accept the risk. Would they have the book thrown at them at their next audit, and would the utility be bankrupted by the fines?

I said no (and by the way, I’m paraphrasing this discussion, since I don’t remember the exact details). In CIP-013 compliance, if mitigating a particular risk will require an unreasonable amount of cost or effort, and if the risk isn’t one that could plausibly involve loss of human life or limb if realized, you can certainly accept the risk if that is the reasonable thing to do. At that point, a woman from procurement sitting next to me asked something like “What, you mean we can use our best judgment?”

If you think about it, this is fairly sad. In most cybersecurity compliance regimes – HIPAA, PCI, the NIST frameworks, etc. – the organization is allowed to use its judgment to determine what’s a reasonable action, including accepting risks that can’t be mitigated at a reasonable cost. But people who have worked in organizations where CIP compliance is a big deal (even if they haven’t worked directly in compliance, as was the case with this woman) have just come to accept that they have no choice but to do whatever they think is required, regardless of what’s reasonable.

So for all of those people, I have good news: with CIP-013, you’re free, free! Now all that’s required is to rewrite all of the other CIP standards as risk-based ones like CIP-013, and you’ll be truly free. CIP compliance people of the world, unite! You have nothing to lose but your chains!