This is the second in a series of posts on how vendors can “comply” with CIP-013. Of course, vendors don’t have to comply at all, and they don’t have to help their power industry clients comply either. On the other hand, if they wish to remain a vendor to the power industry, a vendor is going to have to do everything they can to help their customers comply. It is inevitable that the vendor’s larger clients will have to comply with CIP-013, and they will need help in doing so.
I do want to emphasize that, if you’re part of a NERC entity that has to comply with CIP-013, you shouldn’t stop reading this post (or the subsequent ones in this series) on the idea that it doesn’t really have anything to do with you. This has everything to do with you, since – as I emphasized in the first post in the series – the only way I see a CIP-013 compliance program succeeding is if the NERC entity at least tries to partner with its vendors for compliance. You need to understand their position as much as they need to understand yours.[i]
In the first post in this series, I suggested that power industry vendors would be well advised to reach out to their customers before the customers reach out to them. I made this suggestion because I think it’s very likely that, if the customer reaches out to the vendor first, it will be the lawyers and/or purchasing people who do this. This is because most of the discussion so far on CIP-013 compliance (with this blog hopefully being an exception!) has revolved around the question of contract language. But contract language is just one of the ways in which a utility can fulfill its obligations under CIP-013, and it’s probably the bluntest instrument available to the NERC entity to fulfill those obligations. I think that any NERC entity that focuses on contract language first, before even looking at all the options available to it to comply with R1.2, has already done both itself and its vendors a big disservice.
So the vendor should absolutely try to reach out first to their customers. How can they do that? There are of course lots of media available for this: a notice on the website, email, USPS, phone call, webinar, onsite meeting, etc. While these are all good, I always favor the more personal ones above all. A webinar might be the ideal first step, since it’s delivered by a person (or people) but still has structured content. Then the vendor could follow up with each customer by phone or in an in-person meeting to discuss next steps.
But before you can do a webinar, Mr./Ms. Vendor, you need to know what you’re going to say! And that means you need to have figured out your CIP-013 strategy[ii] – so that’s really the first step. How can you figure out your strategy?
This is of course rough and preliminary, but it seems to me that a vendor’s strategy should be to try to make the CIP-013 compliance process as easy as possible for the customer, period. I can assure you that your customers will be feeling every bit as uncertain and fearful about CIP-013 as you do. If you can convince them that you know the right way to cooperate for compliance, and you follow through on what you say you’ll do, what could possibly go wrong – except, perhaps, if you don’t in fact know the right way to cooperate and both of you end up at some sort of regulatory dead end?
How do you stay away from dead ends? By having a good methodology for designing your CIP-013 strategy. And what should you do first? Well, it seems to me that, if you’re going to design a strategy to help your customers do something, you need to figure out what they have to do. There’s a quick answer to that: they have to comply with CIP-013. Now that we have that out of the way, how do they comply with CIP-013?
As I discussed (at length) in this post, CIP-013 requires the NERC entity to develop and implement a supply chain cyber security risk management plan. Specifically, the plan has to address the three areas of risk listed in R1.1: (a) procuring vendor equipment and software; (b) installing vendor equipment and software; and (c) transitions from one vendor(s) to another vendor(s).
I suggest you start your CIP-013 strategy effort by brainstorming on how you can help your customers address all three of these areas of risk. To be honest, you might decide you can help customers in some ways that are either too expensive to be practical or not likely to yield a lot of benefit compared to the effort required; you can drop these ideas from your strategy.
For procuring vendor equipment and software, the NERC entity needs to address risk in six specific areas; these are listed in R1.2. The reason they are specifically listed in CIP-013 is that FERC specifically required – in Order 829 – that these areas all be addressed in the new standard. The NERC entity needs to do a lot more than simply address these six areas of risk, of course, but because they’re specifically called out you can be sure the auditors will all make sure they’ve been properly addressed in the entity’s plan, probably before they even get around to looking at anything else.
Let’s choose one of the areas in R1.2 as an example:

R1.2.4. Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity;
How can you help your customers address this area of risk? This is of course a particularly difficult one for software vendors, since what might seem like the obvious way to help – disclosing to your customers all of the vulnerabilities in your software that you know about – would be the height of irresponsibility. If a vulnerability hasn’t been patched yet, the last thing you want to do is broadcast the existence of that vulnerability to all of your customers.
On the other hand, you might decide that you do need to provide information on all vulnerabilities (not just the ones that have already been patched, which of course can be advertised to the whole world) to at least your largest and most trusted customers. You need to decide internally in what cases you will do this, what safeguards you will require on the customer end, what alternatives to full disclosure you might suggest to customers for whom you don’t want to take the “Full Monty” approach, etc.
I hope you understand what I’m getting at here. For each of the six items in R1.2, you need to figure out a complete strategy for dealing with all of your customers (and as you can see, you will probably want to deal with particular types of customers in different ways, although the way you break down your customers is likely to vary according to the item in question). This will be an important component of your strategy, Mr./Ms. Vendor.
But this isn’t the only component of your strategy. My next post in this series will go over what else needs to be in your strategy.
If you are with a vendor to the electric power industry, and your company is trying to figure out what you will have to do to comply with CIP-013, Tom Alrich LLC would be pleased to offer you a free one-day (2-6 hours) workshop to review a) what CIP-013 requires, b) what you are likely to get asked to do by your clients, and c) what they should be asking you to do (since b and c won’t usually be the same thing). There will be no charge for my time, but I will require you to pay travel expenses at cost. Please email or call me if you would like to discuss this.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. To discuss this, you can email me at the same address or call me at 312-515-8996.
[i] And of course, I’m also doing a series of posts on how NERC entities can comply with CIP-013. Here is the most recent post in that series. Vendors should read this series of posts as well!
[ii] And by the way, NERC entities also need a CIP-013 compliance strategy, which I am gradually laying out in my other series of posts. A lot of elements in both strategies should be the same – just told from different points of view. But a NERC entity’s strategy will inherently include a lot of elements that have nothing to do with vendors, since vendor risk is just one of three areas of supply chain risk that need to be addressed in the supply chain cyber security risk management plan. See this post for a short summary of those three areas, and see this post for a long, painful discussion of that topic – but which ultimately might be more enlightening.