This is the first in what will probably be a long series of posts on CIP-013 – although they certainly won’t all be contiguous. The purpose of these posts is to help you understand the main issues involved with CIP-013, so that you can start planning how you will come into compliance by the effective date (which, as I noted last week, is likely to be no later than October 1, 2019). As I have already pointed out (and will continue to!), I am now an independent consultant and would love to discuss with you how I might help your organization both plan and implement your CIP-013 compliance program – and this applies to vendors as well as NERC entities. Just drop me an email at tom@tomalrich.com.
In this post, I’m going to pretend that I’m looking at CIP-013 for the first time, and that I haven’t been part of previous discussions about it. What can I learn by simply reading the standard? This might seem like just an academic exercise to you, but remember: The standard as written is the only thing you can hang your hat on. Any other guidance – including the Implementation Guidance prepared by the drafting team – has no official status for compliance. It’s important for you to understand what the standard actually says, and then weigh what other people – including me – say about it.
The first sentence in the standard describes its Purpose: “To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems.” What do you notice about this?
The first thing I notice is that the word “risk” is used twice. By contrast, I don’t think any of the other CIP standards use that word at all in their Purpose statements. For example, CIP-003’s Purpose statement reads “To specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).” CIP-007’s Purpose is “To manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).”
The CIP-003 and CIP-007 Purpose statements speak in engineering terms. They are both based on the faith that putting in place certain “management controls” or procedures – namely, those specified in the requirements – will provide adequate protection to BES Cyber Systems. But CIP-013 doesn’t talk this way. It doesn’t say there are certain specific things that a NERC entity needs to do in order to have good supply chain security. It just says there are risks present in supply chains, and they need to be “managed”.
Note there is no mention of eliminating risks, or of “protecting” BES Cyber Systems. The Purpose statement admits up front that risks will never be completely eliminated and BCS won’t ever be completely protected. The best we can do is mitigate the risks so that they’re “manageable”. Is this some sort of cop-out? Has NERC lost its nerve? After all, wasn’t its goal always to protect the BES from cascading outages, etc.? Now NERC is just saying “Well, we can never really protect the BES from supply chain risks. The best we can ever hope to do is reduce the risk that some supply chain compromise will cause a cascading outage.”
Of course, I’m sure you agree with me that NERC is right here: The best that can be done is to mitigate cyber risks to the supply chain, not eliminate those risks and “secure” the supply chain. In fact, this is really the case for the other CIP standards. Their faith that certain procedures or other controls will “secure” BES Cyber Systems, or that BCS can be “protected”, is misplaced. Really, all of the other CIP standards – including their Purpose statements – should be rewritten so that they follow the path that CIP-013 has blazed for them.[i]
We now know that the goal of CIP-013 is mitigation of risks, not implementation of particular controls. This right away tells us that we need to look at this standard very differently from the previous NERC standards. What are some of the obvious differences?
- The risks to be mitigated in CIP-013 are risks to “the reliable operation of the Bulk Electric System”, not to the organization. Of course, since the other CIP standards are also focused on threats to the BES, this may not seem like a particularly remarkable statement. However, when we talk about supply chain risks in general we’re often thinking about organizational risk: the risk that a key supplier will go bankrupt and the organization will have to pay a lot of money to transition to another supplier’s systems, etc. We need to keep in mind, as we talk about the risks we’ll be addressing in CIP-013 compliance, that the only risks that matter are risks to the BES. Even if we know that a particular risk – like a key supplier going bankrupt – does actually pose a BES risk, we need to make sure we document it that way, since the controls we implement to mitigate a particular risk will be different depending on how we frame that risk, and since the auditors will want to see that we are actually mitigating risk to the BES, not just to the organization.
- “Mitigation of risk” isn’t a measurable concept, so the CIP-013 requirements won’t be auditable in the same way the other CIP standards are. There’s no way an auditor can say “You haven’t mitigated enough risk, so I’m going to find you in violation.” There will have to be some other way you will be measured (of course, I’ve written a number of posts on this question of auditability recently, but I’m pretending that I’m reading CIP-013 for the first time, so I’ll ignore those for the moment).
- CIP-013 R1.2 may seem to be a requirement like those in the other NERC CIP standards: It requires the entity to do six particular things. So you might ask “Why do you say this standard is so different? Won’t I be found non-compliant if I don’t do one of these six things?” It’s certainly true that you will be found non-compliant if you don’t do one of the six things. However, what’s different is that these six things are only one part (and not a big part) of what you need to do to comply with CIP-013. It’s everything else that’s very different from the other CIP standards.
- When we talk about cyber security controls in the context of the other CIP standards, we’re always talking about controls that the NERC entity puts in place, regarding its own systems and procedures. However, a good portion (although certainly not all) of the controls that will need to be implemented for CIP-013 compliance will actually be ones that a vendor puts in place, regarding its own systems and procedures. At the same time, vendors don’t have to comply with CIP-013; NERC entities do. How will this work, where the burden of compliance will be somehow split between the vendor and the customer (i.e. the NERC entity), but the responsibility for compliance lies completely with the customer? The answer: This is still To Be Determined, and it’s unlikely there will be some sort of clear, universally-adopted answer to this question any time soon (and perhaps ever). Have a nice day.
- The last part of the single sentence in the Purpose statement says you will have to implement “…security controls for supply chain risk management of BES Cyber Systems.” I believe this marks the first time that the phrase “risk management” has appeared in a NERC CIP standard (or for that matter, in any NERC standard). In all of the other CIP standards, the controls wouldn’t be described as being for risk management but for cyber security. But this is a clue that we’re not in Kansas anymore, Toto: What is going to be required is a risk management exercise, not a particular set of controls.
In the next post in this series, we’ll start looking at the CIP-013 requirements themselves.
The views and opinions expressed here are my own, and do not reflect those of any organization I work with. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] The idea that all of the CIP standards should be replaced by risk-based ones is one of the four principles of the book that I and two co-authors are working on. We hope to have it published by the end of 2018, and perhaps sooner than that.