I have come to realize that CIP-013 suffers from a very serious flaw. It would be a fatal one, were it not that the human spirit is infinitely resourceful, and I think the NERC Regions will rise to the occasion and develop a work-around for this flaw. While I have kinda sorta known of this flaw for a while, it’s only recently that I’ve been able to articulate it, and also realized what the solution is.
I want to emphasize that I still stand by what I said in a post last September: CIP-013 is the closest to my idea of the ideal NERC CIP standard of all the CIP standards, both those currently in effect and those that have “retired”. However, it nevertheless does suffer from the serious flaw, which I will describe in this post.
To understand the flaw, I need to go back to my series of posts late last year that discussed “plan-based” requirements (which includes the requirements in CIP-013, of course). In those posts, I came to the conclusion that a requirement to develop a plan can’t simply tell the NERC entity to develop a plan to mitigate a certain class of threats (in the case of CIP-013, these are supply chain threats), then leave it up to the entity to determine what threats they should address in their plan. The requirement to develop the plan needs to include a list of threats (although I called them “criteria” in one or two of the posts on plan-based requirements) that should be addressed in the plan. This should be a comprehensive list of all the threats that the drafting team felt should be included. Of course, the entity is always welcome to add to it, but the drafting team needs to assume that a threat that isn’t on their list usually won’t be addressed in the plans.
So does CIP-013 R1, which mandates that the entity develop a supply chain cyber security risk management plan, provide a list of threats that need to be addressed in the plan? As I pointed out in this post, R1.2 does list six types of mitigation (ordered by FERC) that need to be included in the plan – and these mitigations correspond to six particular supply chain threats. However, R1.1 says that the entity must “identify and assess” risks resulting from “(i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).” And I believe the word “all” needs to be assumed after “risks”, since otherwise it wouldn’t make sense (if you’re not going to address all risks, what are you going to address? Just those that begin with the letter A?).
I rephrase this list as (i) risks from procuring vendor equipment and software; (ii) risks from installing vendor equipment and software; and (iii) risks from transitions between vendors. The six mitigations in R1.2 all fall under the heading of procuring vendor software, and even then they hardly exhaust all the possible risks just in that one category; they don’t do anything to address risks in the other two categories.
So the serious flaw in CIP-013 R1 is that it requires development of a plan to mitigate supply chain threats (the requirement uses the word “risks”, but I prefer “threats” for several reasons) but doesn’t provide a list – beyond the six items in R1.2 – of threats that should be included in the plan. This means that someone auditing compliance with R1 only has two choices:
a) Make up their own criteria for what should be in a plan and audit against that; or
b) Restrict the audit to only the six items in R1.2. If these items are all sufficiently addressed in the plan, the entity doesn’t get a PNC. If they aren’t all sufficiently addressed, the entity is likely to get a PNC.
To be honest, neither of these is an acceptable choice. Clearly, for the auditor to make up their own criteria is completely unacceptable, meaning a) is off the table. But b) is also unacceptable, since R1.1 wants the plans to address a lot more threats than just the six threats that are implied by R1.2. Moreover, FERC said the same thing in Order 829, and NERC said it in the Implementation Guidance for CIP-013.
Option b) might be acceptable if it were likely that NERC entities would bend over backwards to identify supply chain risks that go well beyond the six items (threats) in R1.2. In that case, the auditor still couldn’t give the entity a PNC for not including a particular threat in the list, but they could certainly ding them if they listed a threat in their plan developed for R1 but didn’t take any steps to mitigate[i] that threat as they implemented the plan in R2.
However, I have two pieces of bad news for anyone who thinks this will happen:
- There is no Easter Bunny; and
- NERC entities aren’t going to bend over backwards to identify supply chain threats beyond the six threats referenced in R1.2. While they may identify particular threats that their Region told them they should identify (or that might be included in a future “NERC-approved” guidance document, say from the North American Transmission Forum), they simply aren’t going to search high and low for every threat they can think of and include it in their list. Even if they are already addressing a threat outside of the compliance process, just including it in the list will entail new paperwork, as well as compliance risk if their auditor decides their implementation of mitigations of that threat in R2 is inadequate.
So neither of the above options is acceptable. And it is very unlikely that the FERC commissioners will all read this post and immediately order that CIP-013 be rewritten to include a list of supply chain threats that must be addressed in the plan, since this would delay implementation for probably 2-3 years. What is likely to happen? I (optimistically) think the Regions will develop a CIP-013 process roughly like what I outlined in this post at the end of last year – namely, that an entity will be allowed to have their Region review and suggest changes to their CIP-013 plan prior to starting implementation, and that the entity will also be able to request that their Region review and advise on their implementation of the plan, after they have started implementing it.
As part of the review of the entity’s plan, the Region will be able to suggest that there are threats (aka risks) the entity should address in their plan, which they haven’t addressed. It’s a good bet that, if an entity’s Region suggests they should add threats X, Y and Z to their plan, they will add them![ii] That’s why I think this is an acceptable solution to the problem posed by this serious flaw in CIP-013.
Let’s cut to the chase: Is what I’m suggesting completely “legal” by the NERC Rules of Procedure? I’ll bet it isn’t. But as far as I can see, the only other alternatives are the a) and b) options listed above. So there’s a choice between the somewhat illegal and the completely unacceptable. Which will it be?
If you would like to comment on what you have read here, I would love to hear from you. Please email me at firstname.lastname@example.org. Please keep in mind that Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. To discuss this, you can email me at the same address or call me at 312-515-8996.
[i] There’s a slight problem here, which I only discovered while writing this post: R1.1 requires the entity to develop a plan to “identify and assess” supply chain risks, but it doesn’t require the plan to mitigate them! So in theory, the entity could develop a plan that simply listed a bunch of risks but didn’t propose to do anything about them. Of course, it’s clear that CIP-013 was ordered and developed in order to mitigate supply chain risks, so I can’t see this omission shutting down the implementation of CIP-013. But this omission does need to be fixed by amending the standard, assuming FERC orders other changes (in a second version, of course) when they approve CIP-013-1.
[ii] This arrangement will only work if the Region develops a standard set of threats that it wants included in CIP-013 plans, so that individual auditors can’t develop their own. If I were new to this business, I would also suggest that each Region publish a list of threats that need to be included in the plans, but that would go way beyond what NERC would allow them to do. So the advice will need to be provided on a one-on-one verbal basis with individual entities. The compliance advice the Regions currently provide for other CIP standards is delivered in the same way, e.g. in the SGAS.