The title of this post should give you pause. Vendors don’t have to comply with CIP-013; only NERC entities do. But this is a distinction without a difference. It has always been the intention of both FERC (in ordering NERC to develop a supply chain security standard) and the NERC standard drafting team (in developing the standard) to require vendors to be involved with compliance – although there will be no penalty to the NERC entity if they try to get a vendor to cooperate in compliance and are unsuccessful.
So it’s very legitimate to ask how a vendor can comply with CIP-013. I have had discussions with several vendors (and many more NERC entities) about this, and here is what we have come up with so far. I do want to point out that this is quite embryonic.
The most important consideration for a vendor is that it will be a big mistake if you look at CIP-013 compliance as some sort of adversarial exercise, although you should be forgiven if you have thought of it that way so far. After all, a lot of the guidance so far (and that’s just one 13-page document) focuses on contract language.
My idea of a contract language “negotiation” is one in which the NERC entity’s lawyers and the vendor’s lawyers are sitting on opposite sides of an 8-foot-high brick wall. The entity’s lawyers throw some contract language to the other side and snarl “Here, put this in our contract.” The vendor’s lawyers look it over and throw something else back, saying (perhaps snarling less) “We can accept some parts without change and some with changes, but we can’t accept these other parts at all.” The entity’s lawyers look this over, and reply with their own counter-proposal. This goes back and forth, with the length of time determined by whether the lawyers are on salary (in which case they can do this for years) or paid by the hour (in which case the company will have to call an end to the fun and tell them to wrap up the “negotiation”).
Of course, this is perhaps an overly bleak view of the contract negotiation process, but I think it illustrates what I’m saying: Both the vendor and the entity should do everything they can to keep their relationship from degenerating to this point. In fact, IMHO if they first resort to contract language in their CIP-013 compliance process, both sides have already lost the game. Contract language is a nice thing to have, but it should never be the first concern.
So what’s the best way for a NERC entity and a vendor to approach the CIP-013 compliance process? I see two possible ways to get this going:
- The entity reaches out to the vendor and says “Let’s have a discussion on how we (note the plural pronoun!) can address CIP-013 compliance.”
- The vendor reaches out to all of their power industry customers (at least all who have any High or Medium impact assets where their software or hardware product is used), perhaps through an e-mailing or even a – gasp! – USPS mailing, and actually suggests how both sides could work together to achieve the goal of CIP-013 compliance.
So here’s a little quiz: Which of these two actions is more likely to result in a fruitful partnership to achieve CIP-013 compliance? I think they are both good options, but I would strongly recommend that the vendor be the first to reach out. Because if the entity reaches out first, I can almost bet that most of them will do that in the form of a demand for particular contract language. This isn’t because they’re sociopaths, but because NERC compliance up until now has primarily been seen as a legal exercise, whether for NERC CIP or the other NERC standards.
If the vendor reaches out first, and if they don’t immediately focus on contract language (if they do, they’ve obviously decided that it’s important that CIP-013 compliance be made as painful as possible, probably for reasons of job security of the people writing the document), then they can set the terms of engagement. The vendor can suggest actions that favor its strengths – i.e. developing, supporting and securing great hardware and/or software products – and don’t favor the utility’s strength (which is the fact that they are, after all, the buyer: money flows from them to the vendor, not vice versa, and the vendor doesn’t have a monopoly in any electric power product market that I know of).
What should the vendor suggest to their power industry clients? I’ll leave that for the next post in this series.
If you are with a vendor to the electric power industry, and your company is trying to figure out what you will have to do to comply with CIP-013, Tom Alrich LLC would be pleased to offer you a free one-day (2-6 hours) workshop to review a) what CIP-013 requires, b) what you are likely to get asked to do by your clients, and c) what they should be asking you to do (since b and c won’t usually be the same thing). There will be no charge for my time, but I will require you to pay travel expenses at cost. Please email or call me if you would like to discuss this.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. To discuss this, you can email me at the same address or call me at 312-515-8996.
Any opinions expressed in this blog post are quite definitely those of my employer, Tom Alrich LLC! If you disagree with what I’ve said, I suggest you take it up with them.