Early this year, I was invited to speak at the EastWest Institute’s Global Cybersecurity Cooperation Summit in Berkeley, CA in March – specifically, at the meeting of the EWI’s Breakthrough Group on Increasing the Global Availability and Use of Secure ICT[i] Products and Services. I had certainly heard of the EastWest Institute previously, but only in the context of their weighing in on ponderous global issues like war and peace. I didn’t realize that cybersecurity would rank as a concern worthy of their attention, but this is obviously the case, and has been for many years.
I believe the reason I was invited to speak at this meeting was the various posts I have written on FERC Order 829 and the subsequent development of CIP-013, the new Supply Chain Security standard. (Of course, that standard is still very much in the development process. Moreover, three of the existing CIP standards are now being modified to include requirements from the first draft of CIP-013 that commenters on the first draft felt would be better included in those standards.)
Last year the Breakthrough Group published an ICT Buyers Security Guide. I read the guide and discussed it with the members of the group before the meeting. I am quite impressed with this document, for two important reasons. First, it is concise (the main discussion takes up about 22 pages). As such, it contrasts vividly with NIST 800-161, NIST’s supply-chain security guide. Like most NIST publications, 800-161 tries to exhaustively (and exhaustingly!) cover every possible aspect of its subject, supply chain security. Unfortunately, the result is that non-governmental organizations, which aren’t required to follow it, must put in a considerable amount of effort just to decide which controls they should focus on (and also, for each control, how they should address it).
Second, the guide is very practical. Perhaps because it is concise, it is focused on providing guidelines that organizations can immediately put into practice. These guidelines are mostly in the form of 25 questions that can be asked of suppliers, like “Are third-party inputs evaluated for security prior to selection and tracked/validated upon entering the supply chain?” and “How are products and services continually tested for security vulnerabilities?”[ii]
If you’re wondering how this Guide might fit in with CIP-013, I would think some or all of these questions might be incorporated into your entity’s process for compliance with CIP-013 R1.1.1 (at least, as that requirement part stood in the first draft, posted in January).
So I recommend that you read this document, and consider how it might help your organization achieve two goals: a) improve your supply chain security posture; and b) comply with CIP-013.
I also want to point out that the EWI supply chain security group is now working on a major revision to the Guide. If you might be interested in participating in that process (which includes phone conferences and in-person meetings), let me know and I’ll put you in touch with the leader of the group.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.
[i] ICT stands for Information and Communications Technology.
[ii] Of course, it’s up to the organization to determine which questions to ask of which suppliers. One big difference between this Guide and both CIP-013 and NIST 800-161 is that this guide focuses entirely on what suppliers do and don’t do. It doesn’t address other areas that are under the entity’s control, such as secure deployment and vendor remote access control. Of course, some might argue that these topics aren’t really part of supply chain security. And they probably wouldn’t be in CIP-013 either, except for the fact that FERC ordered they be included.