In October, I wrote a post pointing out that, even though the likely implementation date for CIP-013, the new supply chain cyber security risk management standard, was more than two years away, there were good reasons to at least start the compliance planning process. The main reason I made this assertion was that vendor contracts come up for renewal all the time. If your NERC entity knows what cyber security language it should request for CIP-013 purposes and can get that language incorporated into new contracts as they are signed, you will save yourselves many times the effort when CIP-013 comes into effect, since it is always harder to get a vendor’s undivided attention when there isn’t a new contract on the horizon.
That argument is still valid, but there are a couple more that demand even more attention. First, I heard this morning that FERC has CIP-013 on their agenda for their meeting this Thursday. They will almost certainly do one of two things: a) issue a Notice of Proposed Rulemaking (NOPR) stating their intention to approve CIP-013 and asking for comments; or b) issue an Order approving CIP-013. In either case, they could also make clear their intention to order changes to the standard, which would then have to be drafted and balloted as CIP-013-2. But either way, CIP-013-1 will be on the path to implementation.
The difference between the two cases, as far as the implementation timeline goes, is that an Order would start the clock on the 18-month implementation plan for CIP-013, meaning compliance would be due about 18 months after this Thursday (the due date would probably be October 1, 2019). However, if they issue a NOPR (and I believe this is the more likely course) and allow 3-4 months for comment before issuing their Order, the compliance date will be either January 1, 2020 or April 1, 2020; my guess is it will be the latter.
So does April 1, 2020 sound like a long time away? If you are a small organization (with one or more Medium or High impact assets, so that CIP-013 applies to you), it might in fact be. But if you’re a medium-to-large organization, you can’t wait much longer to at least begin planning for CIP-013 compliance. I have been discussing what CIP-013 compliance requires with some NERC entities over the past few months, and I can assure you it’s probably a lot more than you thought. In fact, I will soon start a series of posts on what is needed for CIP-013 compliance, so you can understand why I say this.
However, there’s another reason why it’s important to start on CIP-013 compliance soon, which I realized when I wrote this post last week. The gist of that post is that plan-based requirements (like those in CIP-013) need to be treated differently by the NERC Regional Entities than prescriptive requirements (like many of those in the other CIP standards). When an entity is required to develop and implement a plan, as in CIP-013 R1 (develop the plan) and R2 (implement it), there really needs to be some mechanism for the Region itself to review the plan before it is implemented. The post describes such a mechanism, which was suggested to me by an auditor; most importantly, it’s a mechanism that’s already in effect in one Region and could be replicated in others.
So, while I can’t promise anything, I think it’s a good assumption that within maybe a year and a half, most if not all of the Regions will be able to review your CIP-013 supply chain cyber security risk management plan and offer you comments on it. The comments won’t address whether the plan is “compliant” or not, but how what you are proposing in the plan compares with best practices. My guess is most NERC entities will welcome this review, to avoid the problems that were discussed in relation to CIP-014 (another plan-based CIP standard) in this post and this one.
So let’s say your entity waits a few months, then starts leisurely thinking about what CIP-013 requires. Meanwhile, FERC issues their Order approving the standard and the compliance date is now set for April 1, 2020. You realize you now have a little more than 18 months to become fully compliant. You accelerate the compliance planning process and, as soon as possible, start implementing (remember, you will have to be compliant on the effective date of the standard). You make a Herculean effort and are finished – including having a fully developed plan – by say February 2020.
You might feel pretty good about this, but let’s say you then decide to ask your Region to review your plan. They say they’ll be glad to, but since a number of other entities have just asked the Region to review their plans, it will be more than say six months before they can review yours and report back to you (say they’ll get back to you by August 2020).
This means you will have to start implementing your plan in April without the benefit of any feedback from your Region. The main reason you asked for the review was to hear and act on the results before you started implementing the plan; while the results will still be useful when they arrive, it would obviously have been much better to have them at least a few months before April 1. Instead, you will be implementing a plan your Region has not yet looked at.
Ideally, you would have finished your plan by say October 1, 2019, six months before the CIP-013 compliance date. That would have given your Region time to review and comment on the plan, and given you time to revise the plan to reflect those comments – all before the April 1, 2020 compliance date. But obviously, this would have required starting the CIP-013 process earlier, like say around January 2018!
The moral of this story is of course that you should start thinking now about the different structures required for CIP-013 compliance, and how you will implement them at your organization. And now here’s the sales pitch: Tom Alrich Consulting is prepared to help you do this thinking! The first step might be a set of workshops over say three days to a week, including the different groups that will be involved with CIP-013 compliance – and unlike the previous CIP standards, CIP-013 will require substantial involvement from Supply Chain and Legal, as well as Cyber Security, IT and NERC Compliance. With the experience of those workshops, I can work with you to develop a roadmap for your CIP-013 compliance implementation – and leave enough time for review by your Region! Like more information on this? Drop me an email at tom@tomalrich.com.
The views and opinions expressed here are my own, and do
not reflect those of any organization I work with. If you would like to comment
on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.