Kevin Perry is the retired former Chief CIP Auditor for the SPP
Regional Entity and co-chair of the NERC Standards Drafting Team that drafted
CIP versions 2 and 3, as well as a member of the team that drafted NERC Urgent
Action 1200, the voluntary predecessor to the NERC CIP standards (and still
very much the foundation of those standards). I’ve known Kevin well since he
introduced himself to me at an SPP meeting on CIP in, I believe, 2011.
Kevin and I had huge email discussions (where our replies were all in different
colors; we ran through all the primary colors and most of the secondary ones as
well) about the many big issues that came up as the CIP version 5 standards were
being drafted and implemented from 2011 to 2015. (CIP version 5 is essentially
the version we still follow today; it’s where terms like BCS, ESP, PACS, EACMS,
ERC, IRA, etc. were introduced into CIP.) He often ruined my day by telling me
that the post I’d just taken almost a day to write was flawed and needed to be
corrected. You’ll be pleased to know that we’re still having some of the same
arguments we had then; of course, he continues to be very unreasonable in not
accepting my positions (😊). The nerve of that guy!
True to form, he ruined my day today by telling me that the post I put up
yesterday had a serious flaw. (That post took at least eight hours to write on
Tuesday and Wednesday; it turned out to be the 1200th post I’ve written since I
started this blog in 2013.) However, in this case I can’t be blamed for it: it
turns out the NERC auditors made a decision I didn’t know about until I received
Kevin’s email. Of course, I certainly wouldn’t expect the auditors to tell me
about this, but Kevin knows most of them very well (he mentored a number of
them when they worked for him at SPP RE).
You can learn all the gory details (or most of them, anyway)
in the italicized text I’ve inserted into yesterday’s post. However, the main
takeaway is that, even though the NERC Regional auditors decided there is no
need for a “CMEP Practice Guide” to remove what many of us believed might
become a “showstopper” impediment to NERC entities using SaaS with BES Cyber
System Information (BCSI), they say this because they think the problem was
already adequately dealt with – specifically, by a document NERC endorsed as
Implementation Guidance for CIP-004-7 and CIP-011-3 (the two revised standards
that came into effect on 1/1/2024 and were expected – prematurely, as it turns
out – to lead to NERC entities feeling comfortable using SaaS with BCSI) in
December 2023.
Thus, the moral of yesterday's story is unchanged: SaaS providers (and software developers who want to start delivering their software as a service) shouldn’t be afraid of using BCSI with their products, and NERC entities with high and/or medium impact BES Cyber Systems shouldn’t be afraid of giving SaaS providers access to their BCSI. However, both SaaS provider and NERC CIP customer need to keep in mind that they will still have to provide the required compliance evidence for CIP-004-7 R6, CIP-011-3 R1 and CIP-011-3 R2.[i]
My blog is more popular than
ever, but I need more than popularity to keep it going. I’ve often been told
that I should either accept advertising or charge a subscription fee or both.
However, neither of those options appeals to me. It would be great if everyone
who appreciates my posts could donate a $20-$25 “subscription fee” once a year (of course, I
welcome larger amounts as well!). Will you do that today?
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] I
didn’t emphasize this point in my post yesterday. I probably will in the future,
although perhaps just at a high level. If you would like to discuss this topic
with me, let me know.