If you’re looking for my pandemic posts, I’ve created a new blog for them. If
you’re looking for my cyber/NERC CIP posts, you’ve come to the right place.
NERC announced
today that they’ve petitioned FERC to move back the compliance date for
CIP-013-1, CIP-005-6 and CIP-010-3 to October 1. Moreover, they said that, due
to the uncertainty regarding the length of the outbreak and the recovery, they “will
continue to evaluate the circumstances to determine whether additional
implementation delays may be warranted and submit any appropriate filings with
FERC at that time.”
Of course, this is what I advocated,
and I’m glad to see it happen. It’s needed for the obvious reason, but it’s
also needed because I really don’t think many, if not most, NERC entities have
really come to grips with what a good supply chain cyber security risk
management plan should include. I’ve said many times that, given how little
guidance the standard itself gives, it would be fairly easy to produce a pretty
minimal plan that doesn’t really do very much, but would be strictly speaking
compliant.
However, if you do this, you’re
shortchanging yourself. Supply chain security and ransomware are the two
greatest cyber threats worldwide now (and one could argue for either one to be
the number one threat). Since you presumably have been given a few shekels to
comply with CIP-013, why not at the same time do your organization (and the
BES) a big favor and really consider what your supply chain security risks are,
and how to mitigate them? As we all know, nothing brings in funding for cyber
security better than the prospect of big fines. Don’t let this opportunity go
to waste!
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment
on what you have read here, I would love to hear from you. Please email me at
tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some
help on it? Or would you like me to review what you’ve written so far and let
you know what could be improved? Just drop me an email!