If you’re looking for my pandemic posts, I’ve created a new blog. If you’re looking for my cyber/NERC CIP posts, you’re in the right place.
As I’ve been putting out long posts on the pandemic, some people have wondered what happened to my cyber/NERC CIP posts. I certainly haven’t forgotten about them, but I decided for the moment – and that moment isn’t over at all, would that it weren’t the case – that I want to devote more time to my pandemic blog than to this blog. I won’t kid you - that’s not going to change soon, given the way things are rapidly deteriorating on the Covid-19 front.
BTW, even though I thought NERC would push back the CIP-013 compliance date, they haven’t done it yet (note on 3/27: Kevin Perry pointed out to me that I should mention that NERC can't unilaterally push the CIP-013 date back; FERC officially needs to do that. I had discussed that when I originally called for the pushback, but I'd left it out here. FERC only has three Commissioners now, but that's still a quorum. Presumably, they have a way they can hold the required meeting remotely). I still think they will, but it wouldn’t be a good idea not to keep pursuing that – the main thing that has to be done is to develop your supply chain cyber security risk management plan, required by R1.1. Of course, if you’re needed to help your employer keep the lights on during the crisis (and can you imagine what a mess it would be if there were a long outage when so many people are working at home? And if hospitals were blacked out – well, I’d rather not think about that. They’re going to have a lot of problems as it is, starting this weekend in New York City), then by all means continue to do that. It would be a good idea to declare CIP Exceptional Circumstances, even though CIP-013 isn’t directly covered by CEC.
My offer at the end of this newsletter of a free webinar for your organization, describing my methodology for CIP-013 compliance, is still valid! But don’t ask me to come onsite to do it. I’m holed up in my apartment in Evanston, Illinois, and I’m not planning any trips outside for a while. I’m part of what’s known as a high-risk demographic, although I’d probably do this even if I weren’t. This is nothing to dismiss – some people are doing that, and a good percentage of them will be very unhappy they took that course.
But I do want to bring three things to your attention:
- I’ll be delivering my first of two webinars for the NERC Supply Chain Working Group next Monday at 1 PM Eastern Time. The topic will be Supply Chain Cyber Security Risk Management Lifecycle. You don’t have to sign up for the webinar (and they’re being given each week until early May – same time each week), but the instructions are here. I hope you’ll attend. The webinars are all being pre-recorded, but the Q&A will be live. Both the webinar and Q&A recordings will be posted fairly soon.
- There’s a video posted of all the presentations at the Protect our Power conference in January (which seems like 2015, the world has changed so much since then), including mine (on CIP-013 and supply chain security, natch). You can find them all here. Mine is decent, but I highly recommend Monta Elkins’ (which BTW is on supply chain security as well, although focusing on the hardware side).
- Last but not least, I want to call your attention to this E&E News article on a supply chain attack on a supplier to Ameren, which resulted in data on two plants being breached; however, it doesn’t appear any critical data were accessed. But it just goes to show… CIP-013 is there for a reason! BTW, this article is by Christian Vasquez, who has replaced Blake Sobczak as the main electric power cyber writer (although Pete Behr is still pitching in). Blake has now been elevated to a more general editing role, although Blake’s still publishing his weekly newsletter on energy cyber (which is where I saw the link to this article). Christian is a good writer and quite thorough – he clearly wants to get to the bottom of the story. It’s nice to have him on the beat!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, remains open to NERC entities and vendors of hardware or software components for BES Cyber Systems. To discuss this, you can email me at the same address.