If you’re looking for today’s pandemic post, go to my new blog. If you’re looking for my cyber/NERC CIP posts, you’ve come to the right place.
This is a question I’ve heard a few times lately. The first time I heard it, I was surprised because I thought the answer would be obvious by now. But after a couple more people asked it, I realized I haven’t been doing a good job of explaining these things!
The answer is “Not anytime soon, for sure”. If you’re a Low-only entity, you probably remember NERC’s Data Request from last summer, in which they asked questions about various cyber risks at low impact assets. When the results became available around December or January, none of the risks seemed to be very widespread except for one: remote access. About one third of Low impact sites (primarily generation) allowed vendor remote access (interactive, system-to-system or both). No other risk came close to this one.
At that point, NERC staff recommended to the Board of Trustees that there be a supply chain requirement that applies to BES Cyber Systems at Low assets, and that it only apply to mitigation of risks due to vendor remote access. The Board did that, so now NERC is putting together a drafting team to write a SAR (and presumably write the requirement itself after that).
This new requirement won’t be part of CIP-013, which will remain for the foreseeable future as a High and Medium impact only standard. The requirement will be added as another section to CIP-003 R2 Attachment 1. Since R2 is definitely a risk-based requirement and tries to stay clear of requiring identification of individual BES Cyber Systems, the new vendor remote access section will certainly conform to that model. In other words, it will be like CIP-013-1 R1.2.5, rather than CIP-005-6 R2.4 and R2.5. The latter two requirement parts are definitely not risk-based, and they apply to all Medium and High BCS, period.
When will the new requirement part (section, whatever) be in effect? Between two and three years from now, although I’m inclined to say three. Given the number of low impact assets, my guess is the implementation period alone will be at least one year. My guess is Lows will be required to have something like the Intermediate System, VPN and two-factor authentication required for Mediums and Highs by CIP-005 R2.1 – R2.3. And if they don’t do that, they’ll be required to show that whatever they have in place provides a similar level of risk mitigation. This might be a tall order, but I won’t rule out the possibility of other ways to protect remote access that would provide approximately the same level of security.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment
on what you have read here, I would love to hear from you. Please email me at
tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some
help on it? Or would you like me to review what you’ve written so far and let
you know what could be improved? Just drop me an email!