If you’re looking for my pandemic posts, I’ve created a new blog. If you’re looking for my cyber/NERC CIP posts, you’ve come to the right place.
Kevin Perry, former chief CIP auditor of SPP Regional Entity, emailed me this morning to agree with my post yesterday, which argued that you shouldn’t worry about having to self-report noncompliance if you decide to change your CIP-013 plan after the compliance date. He said:
I agree (thought you would never hear me say that).

I look at it this way... threats and risks evolve. Vendors and providers are added or changed. After-action reviews provide insight as to what worked well and what could have worked better. Your plan should evolve as the landscape and experience evolve. No auditor should ever expect CIP-013 perfection out of the gate.
However, I don’t agree with Kevin when he says I thought I’d never hear him say he agreed with me. He agreed with me once in I believe 2014, but then he realized he misunderstood what I said and said he actually disagreed.
In any case, it is nice to see him agree. And I agree with him when he says no auditor should ever expect CIP-013 perfection out of the gate. On the other hand, he didn’t say no auditor ever will expect perfection. On the other other hand, I think most auditors would currently be stymied if you asked them what CIP-013 perfection was in the first place. Which is one reason why I hope NERC extends the CIP-013 compliance date. There needs to be some training on topics like what a good supply chain cyber security risk management plan should contain, rather than having each Region, and even each auditor, go their separate way.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!