Regular
readers of this blog (all three of you!) may have figured out that I’m writing
two series of posts on CIP-013: one for NERC entities and one for vendors. The
important thing to remember is that both series should be of interest to
everybody. The two sets of concerns are almost completely the same, because a)
vendors have all sorts of incentive to make sure their customers don’t get into
trouble due to something they did or didn’t do; and b) most vendors have their
own supply chain, which has to be secured in almost the same way as NERC
entities will be securing theirs.
If you ask any NERC CIP compliance
professional (or say a supply chain or legal professional at a NERC entity
subject to CIP-013) what is the main focus of compliance with CIP-013, the
upcoming supply chain security risk management standard, they will most likely
tell you it’s contract language. This isn’t terribly surprising, since there
was endless debate during the drafting/balloting periods on the role contract
language would play in compliance. And I’ve heard that some utilities are
already requesting security contract language from their vendors.
I must admit that I was very focused on
contract language in the first few posts I wrote about CIP-013 last fall. But
as I started my current posts on the standard this year, and focused more on
the standard and the Implementation Guidance, I realized that it’s a mistake to
think that contract language is in some way the ultimate goal of CIP-013. Far
from it.
First, here’s a little quiz: Why was CIP-013
written? The possible answers are: a) to secure NERC entities’ supply chains;
or b) to beef up language in vendor contracts. You’re right! The answer is a).
Security is the object of CIP-013, not contract language. To see this, you first
need to look at the requirements of CIP-013. Do the actual requirements ever
refer to contract language? No, they don’t. The only time contract language is
mentioned is in this note found after R2:
Implementation
of the plan does not require the Responsible Entity to renegotiate or abrogate
existing contracts (including amendments to master agreements and purchase
orders). Additionally, the following issues are beyond the scope of Requirement
R2: (1) the actual terms and conditions of a procurement contract; and (2)
vendor performance and adherence to a contract.
Does either of these sentences say anything
about contract language being an objective of CIP-013? The first sentence says
that renegotiation of existing contracts isn’t required. I’ll admit this does
somewhat imply that, when a new or existing contract is negotiated, there needs
to be a discussion of contract language. But that isn’t the same thing as
requiring that contract language be the primary means for compliance with the
standard, even though so many people apparently believe that is the case.
The first part of the second sentence is even
more interesting, since it says that the terms and conditions of a procurement
contract are “beyond the scope” of R2. What does this phrase mean? It specifically
means that contract language is not
the subject of R2 – and if an auditor asks to see an entity’s vendor contract,
they can be turned down because it isn’t in scope.
I’ve covered this ground before, but in a
different context. In a series of three posts (starting with this
one, following up with this
one and concluding with this
one), I addressed the idea that CIP-013 was unenforceable because of the
above provision about contract language being out of scope. A staff member (and
former auditor) from one region had made this assertion to me. He argued that NERC
entities are required[i]
to get their more-risky (i.e. important) vendors to agree to contract language
for at least the six items listed in R1.2. However, since the NERC entity isn’t
required to show the actual contract to the auditors, this means the auditors
don’t have any way of verifying the entity’s assertion that they obtained the
contract language.
An auditor (from another region) wrote in
after that post to say that NERC entities aren’t required to get the vendor to
agree to particular contract language in order to obtain the six items in R1.2
(I wrote about this in the second of the above posts). To quote him, “The
requirement is essentially that the Registered Entity ask for the elements of
the required process(es), not that the vendor agree to them. Therefore, the Standard is correct in that
the language of the resulting contract is not in scope. (The procurement steps include) the Request
for Quotation or Bid, Request for Contract Amendment, and/or any other
Registered Entity-initiated correspondence that sets forth the expectations to
be placed upon the vendor. As long as I
see the expectations in the procurement documents issued by the Registered
Entity, they have satisfied the requirement.”
I agree with the auditor that succeeding in
getting language placed in a contract isn’t required, and that it should be
sufficient that the Registered Entity “initiated correspondence that sets forth
the expectations to be placed upon the vendor”. But I would go even further. I
don’t think the entity needs to show any procurement documents at all, because
I don’t think the entity needs to prove that they “initiated correspondence”
with the vendor to implement certain controls, if they can show other evidence
of compliance. And what other evidence can the entity show? The best evidence will
demonstrate that the vendor is actually doing what they were supposed to do![ii]
After all, isn’t the goal of CIP-013 to protect the BES against supply chain
risks, not simply document that you’ve asked your vendors to do certain things?
Suppose you want to show your auditor that
your vendor is providing “Notification…when remote or onsite access should no
longer be granted to vendor representatives..” as required by R1.2.3. Let’s say
the vendor has had several people leave their company in the last year who had
electronic or physical access to the vendor’s systems at say one of your
substations, and each time this has happened they’ve sent you an email asking
you to remove the person’s access. All you should have to do is show those
emails to the auditor. What possible further benefit would there be from also
showing them procurement documents, let alone a contract? Of course, if you also
have these, that’s fine. But if the vendor verbally agreed to do something, or
just sent you a letter outside of the procurement process, but you can show
they’re actually doing what they said they’d do, that should be sufficient
evidence.
Let’s turn from the requirements of CIP-013
to the Implementation
Guidance. This document has language that implies that contract language is
a goal of the standard (although certainly not the only one), while at the same
time it also says just the opposite. However, I can see how people who have
read the document have come to believe that contract language is the primary
control they should be focusing on.
First off, let me point out that there is
nothing mandatory about the Implementation Guidance. The auditors aren’t bound
to follow it in their audits, and the entities aren’t bound to follow it in
their implementation of CIP-013. That being said, you can be sure most entities
and all auditors will have read the document carefully and will usually try to follow
it as often as they can. So it is important to at least understand what it
says. On page 1, you’ll find this paragraph:
First, in developing their supply chain cyber security risk management
plan(s), Responsible entities should consider how to leverage the various
components and phases of their processes (e.g. defined requirements, request
for proposal, bid evaluation, external vendor assessment tools and data, third
party certifications and audit reports, etc.) to help them meet the objective
of Requirement R1 and give them flexibility to negotiate contracts with vendors
to efficiently mitigate risks. Focusing solely on the negotiation of specific
contract terms could have unintended consequences, including significant and
unexpected cost increases for the product or service or vendors refusing to
enter into contracts.
Here,
the Implementation Guidance is specifically warning the entity against relying
solely on contract language. However, the message is very different when you
get to pages 5-8, where the six specific items required under R1.2 are
addressed. For each of these items, there are one or more processes listed.
These are described as “Examples of ways that a Responsible Entity could, through process(es) for procuring BES Cyber Systems
required by Part 1.2, comply with Parts 1.2.1 through 1.2.6.” (my emphasis) It
seems that, at least for the six risks addressed in R1.2, the members of the Standards
Drafting Team that wrote the Implementation Guidance were primarily considering
controls that occur in the procurement phase of the vendor relationship –
including contract language.[iii]
When
you look at the 20 actual processes suggested under the parts of R1.2, you will
notice that all but three of these begin with one of two phrases: “In an RFP or
during contract negotiations, request that the vendor include in the contract
provisions…” or “During procurement”. Of course, both of these phrases simply
confirm the fact that whoever wrote this section of the Implementation Guidance
was primarily looking at the process of obtaining contract language – or other
processes focused entirely on the procurement phase of the vendor relationship –
to achieve the mitigation of risk required in each of these six cases.
But
in my opinion, the big emphasis on the procurement process in this section of
the Implementation Guidance is a mistake. Essentially, what is being implied in
this section is that the only possible way to coordinate security controls with
vendors is during the procurement process, when obviously the customer has the
most leverage over the vendor. This might be a good model for a purely
commodity market, where you have a bunch of vendors competing viciously with
each other and they all receive a very low margin (on presumably a high volume
of sales). In this case, the customer clearly has to obtain everything they
want from the vendor up front, and they need to negotiate simultaneously with
multiple vendors and play them off against each other for concessions.
I
don’t know about you, but I don’t think this is how it works in the market for
control systems that run the grid. I am betting that almost all vendors in this
market will do almost anything they can to make their customers happy, since
they are counting on having a long-lasting relationship with them. And
different vendors’ products are very different, so it’s impossible to play
vendors off against each other, as in a commodity-type market.
Clearly,
a customer’s leverage isn’t limited to the procurement process. I am sure that,
in most cases, a field technician (backed up by their VP) with a serious
complaint about a vendor, midway through the contract lifetime, will usually have
as much leverage as a purchasing agent on the eve of contract renewal.[iv]
Even though it is notoriously difficult to change vendors of control systems in
the power industry, I really don’t believe that any vendor would last very long
if they didn’t do everything they could to provide what their customers need.[v]
Again, I’m saying that I think the emphasis on the procurement process in this section
of the CIP-013 Implementation Guidance is a mistake. I really doubt there are
auditors who will insist that NERC entities need to wait for the procurement
(or contract renewal) process in order to request any meaningful changes to
vendor security controls. And it follows almost certainly that auditors won’t
require that contract language be the primary vehicle for obtaining agreement
on controls – especially since that’s the one type of evidence that the
auditors won’t be able to see!
If
I’m so sure that the emphasis of this whole section of the Implementation
Guidance is wrong, how did it end up there in the first place? To answer that,
you need to know that at least half of the members of the drafting team for
this standard were supply chain people – and I’m speculating that this
particular section was drafted by some of them.
For
supply chain people, the procurement process is kind of the whole show, since
that is when they have by far the most interaction with vendors, as well as
when what they do and say will have the most impact. But they don’t get
involved much with the day-to-day interaction with vendors that goes on in the
field. So supply chain people are naturally going to consider the procurement
process – and especially contract language – as the primary vehicle for
influencing what vendors do. They don’t see how vendors often easily agree to
requests that come through completely different channels.
The
moral of this story? It would be a big mistake for NERC entities to focus on the
procurement process – and especially on contract language – as the sole, or
perhaps even the predominant vehicle for getting vendors to agree to implement
security controls. There are lots of paths to achieve this goal, including
simple phone calls from a field technician to their friend Joe at the vendor.
However, what will need to change with CIP-013 compliance is that those calls
or emails – when related to vendor controls the entity has decided need to be
in place in order for it to comply with CIP-013 – will need to be logged and
archived so they can be evidence of compliance.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that
Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed
in this post. To discuss this, you can email me at the same address or call me
at 312-515-8996.
[i]
The staff member based this on the fact that FERC seemed to have made this a
requirement in their Order 829, in which they ordered NERC to draft this
standard. The auditor replied that FERC’s statements have no bearing on how a
standard should be interpreted, once they have approved it. You can read their
back-and-forth in the second of the three posts I linked above.
[ii]
And keep in mind that, if the vendor absolutely refuses to do something that
the entity requested, the entity isn’t in violation for that reason. However –
and this is important – they are still under obligation to if possible mitigate
the risk in question, presumably using a different method that doesn’t require
the vendor to do something for them. Of course, there are certainly some risks
that it won’t be possible to mitigate without the cooperation of the vendor,
such as the risk of someone who had access to your systems leaving the vendor’s
employment, and your organization not being notified that this has happened
(this is, of course, the risk addressed in R1.2.3). In these cases, if the
vendor simply won’t cooperate, the entity isn’t obligated to change vendors;
but the entity should document how they tried to obtain cooperation.
[iii]
Of course, you need to keep in mind that the six items listed in R1.2 are there
because FERC ordered these six items be specifically included in the standard.
They aren’t in any way intended to be the only items that need to be included
in the entity’s supply chain cyber security risk management plan. The plan
needs to address each of the three risk areas listed in R1.1: a) risks from
procuring vendor equipment and software, b) risks from installing vendor equipment
and software, and c) risks from transitions from one vendor to another. The six
items in R1.2 all correspond to risks that fall into category a). However,
there are certainly many other risks that fall into that category, which aren’t
included in these six. And of course, the six items don’t address any risks
that fall into categories b) and c).
[iv]
Of course, I’m not talking here about huge vendors like Microsoft and Adobe,
for whom the electric power industry accounts for a very small part of their
revenue. They will of course provide product support, but if XYZ Power calls up
and demands that Microsoft insert a new feature into the current Windows
version, I rate the likelihood they will succeed in this demand as very low.
[v]
Of course, if anyone has a different view on this, I’d love to hear it. Send me
an email or comment on this post.