I’ve come to
realize that there are now two distinct schools of thought on what CIP-013 is.
Since, as some other person from Illinois once said, a house divided cannot
stand, I feel this issue needs to be resolved soon. One way to resolve it would
be the American Way – that is, with guns. However, I don’t think that’s really
the best way to deal with this problem, although - as you’ll see soon - I’m not
sure there’s any better way available.
It’s quite
easy to differentiate these two schools of thought. One school believes that CIP-013
R1.1 is what the standard is all about, with R1.2 taking a minor role; the
other believes that R1.2 is the full story. And who are in these two camps? In
the R1.1 camp there’s…well, there’s me and…FERC Order 829, although the four
FERC Commissioners who approved that Order are all gone (the lone dissenter,
Cheryl LaFleur, is still on the Commission. Her dissent had nothing to do with
this question, though). So it’s just me and a two-year-old piece of paper. I
would almost certainly have the support of my cats, but they died years ago.
In the R1.2
camp, there’s just about everybody (or so it seems) at NERC and the Regions.
And given this, it’s certain that close to 100% of NERC entities will also be
in this camp, since any NERC compliance professional who took a position in
direct opposition to NERC and their region would (and should) be fired
immediately. Given these two lineups, why am I even raising this issue? Why
aren’t I simply conceding that the R1.2 camp has won the day?
I could at
this point make a noble statement about being willing to defend my position to
the death, and start comparing myself to Joan of Arc. But that’s not really it.
Whatever I think is the correct interpretation of CIP-013, I’m not willing to
burn at the stake to defend it. But I think most people involved with NERC CIP
– including many if not most at NERC as well as the Regions – don’t understand
that there really is a choice in interpretations here. I would like to lay out
the fact that there is a choice, so
that at least these people can make a conscious decision on what constitutes
the better interpretation of CIP-013. And I will be quite happy to live with
whatever NERC says on this matter.
So what is
the choice? Let’s start with the first camp (me). CIP-013 R1.1 (including the
opening paragraph of R1) reads
Each Responsible Entity shall develop
one or more documented supply chain cyber security risk management plan(s) for
high and medium impact BES Cyber Systems. The plan(s) shall include:
1.1.
One or more process(es) used in planning for the procurement of BES Cyber
Systems to identify and assess cyber security risk(s) to the Bulk Electric
System from vendor products or services resulting from: (i) procuring and
installing vendor equipment and software; and (ii) transitions from one
vendor(s) to another vendor(s).
I have
analyzed this part of R1 in mind-numbing detail in
this
post, so I won’t repeat all of that. As I mentioned early in that post, the
opening paragraph of CIP-013 says that the entity needs to develop a “supply
chain cyber security risk management plan”, period. It doesn’t say you’re
supposed to do one thing or the other, and within 35 or 60 days. It just says
you have to have this plan.
The rest of
R1 – that is, R1.1 and R1.2 – is presumably there to tell you what should be in
the plan. And, to get back to my idea of there being two schools of thought
regarding CIP-013, the R1.1 school believes that this part defines what the
standard itself means – although this school (meaning Tom Alrich and his dead
cats) readily admits that the six things in R1.2 must also be in the plan. So
what does R1.1 tell us about CIP-013? You can read the whole story in the post
I just referenced, but here’s a quick summary:
R1.1 lists
three “risk areas” in supply chain security, each of which must be addressed in
the plan. The first is (with a slight rewording of the requirement) “cyber
security risks to the Bulk Electric System from vendor products or services
resulting from procuring vendor equipment and software.” The second is “cyber
security risks to the Bulk Electric System from vendor products or services
resulting from installing vendor equipment and software.” The third is “cyber
security risks to the Bulk Electric System from vendor products or services
resulting from transitions from one vendor(s) to another vendor(s).” This means
your plan needs to identify risks in all three of these areas, and say how you
intend to mitigate
[i]
them. Also note that the risks to be addressed are from “vendor products
or services” (my emphasis). They’re not
just risks from stuff that you bought, but also from services that you bought.
So what do
you need to do to comply with CIP-013, assuming that R1.1 is the right way to
understand the standard? You “just” need to a) identify all of the important
risks from each of the three areas; and b) mitigate those risks. Of course, I
put ‘just’ in quotation marks because identifying all of the risks seems like a
daunting task. How can one entity possibly identify all the risks in each of
the three areas?
The answer is
it can’t. However, this wouldn’t pose a big problem if CIP-013 were going to be
audited in a “non-prescriptive” way – that is, if the auditors were simply
going to ascertain whether you made a good effort to identify all risks, and then
confirm that your plan discussed how you might effectively mitigate all of
those risks
[ii], based
on the degree of risk they pose.
But, as we
all well know, NERC auditing doesn’t work this way. Ideally, the NERC auditor
will have a checklist of what is required; they will then go down this list to
confirm whether or not you have done each of these things.
Obviously, R1.1 can’t be audited this way. This
is why last December I wrote a
post
saying that CIP-013 wasn’t auditable, except for R1.2. What I was thinking was
that this might be a wake-up call, so that NERC might think about how CIP-013
could be audited, while still preserving
the principle that it requires a plan for managing supply chain risks – as R1.1
says.
But if R1.1
can’t be audited, the result is inevitable: NERC, the Regions and the entities
will all ignore it. Instead, they’ll focus simply on the six things that are
required in R1.2. These can be
audited. So this brings us to the second school of thought: R1.2 is all that
matters in CIP-013. The six things that are required in that part are all the
entity needs to worry about as they implement compliance with CIP-013, and they’re
all the auditors will look at. Very few entities are going to go to the trouble
of trying to identify a full set of risks in R1.1 if they aren’t going to be
audited on how well they’ve identified them. Because – as all CIP compliance
professionals know by now – if you say in your plan that you’re going to
mitigate a particular set of risks, then you’re likely to receive violations if
you don’t do that. It’s better not to list any risks at all in R1.1.
For evidence
of this belief (that NERC intends to ignore R1.1 and focus almost entirely on
R1.2), I point to three sources:
- The Implementation Guidance for CIP-013 focuses almost the
entire discussion of R1 on the six things required by R1.2. Yes, there is
a discussion of how the entity can put together a team to brainstorm about
supply chain risks, and there is a fairly random collection of bullet
points of things that the team might consider. But there is no guidance on
what types of risks to look for, how to determine whether they’re real
risks, etc. Most importantly, there isn’t a list of risks that need to be
addressed (for why this is important, see the end of this post). Meanwhile,
the R1.2 discussion is very focused and detailed. This is clearly what the
drafting team has in mind when they talk about implementing compliance
with CIP-013.
- You may have seen NERC’s webinar on CIP-013 a few weeks
ago (although I haven’t seen any recording or slides being made available
from it, which is too bad). As I pointed out in my post
about that webinar, there was little (and really no) discussion of
anything else being required in CIP-013, other than the six items in R1.2.
- During the CIP-013 discussion at WECC’s CIP Workshop last
week, when I asked the auditors whether anything else was required beyond the
six things in R1.2, I was told – using a few more words, but meaning the
same thing – no.
If I’m so
sure that NERC doesn’t intend to enforce anything more than compliance with
R1.2, and if I say I’m OK with that, why am I even writing this post? Why not
just go forth and tell people to focus solely on R1.2 and they’ll have all they
need to comply with CIP-013? The reason is that, after all, R1.1 is in the standard. If an entity just
focuses on R1.2, will they receive a PNC (potential non-compliance) finding in
an audit three years from now because they ignored R1.1?
In other
words, I can’t believe that it’s really going to be this easy: that FERC, NERC,
the Regions and the entities will all come to some magical – and completely unspoken
– agreement that R1.2 is all there is in CIP-013 and R1.1 can be ignored. There
needs to be some statement or guidance to that effect, presumably from NERC.
Otherwise, the CIP people at the entities will have trouble sleeping for the
next few years, wondering if they really did the right thing by completely
ignoring R1.1.
How could
this problem have been avoided? I
used
to think that CIP-013 was almost the perfect standard, since it doesn’t
prescribe any particular activities, but simply requires the entity to develop
and implement a risk management plan. But I now realize that this isn’t enough.
The entity can’t be simply told to go off and find some risks, then go mitigate
them; given how NERC audits are conducted, they will inevitably find few or no
risks, since for each risk they find, they now have to develop and implement a
plan to mitigate it – and there is huge compliance risk attendant on that.
As I
discussed in
this
post, I think the drafters of CIP-010 R4, the “CIP v6” requirement for
Transient Cyber Assets and Removable Media, came upon the solution to this
problem (and by the way, CIP-014 also suffers from this problem. This has shown
up in audits, as discussed in
this
post. I’ve heard some talk of NERC deciding to rewrite the standard to fix
the problem. This would be nice if it happened, but is probably wishful
thinking). This requirement is plan-based, just like CIP-013 is. But the
requirement doesn’t just tell the entity to go out and identify some risks and
put them in their plan, as CIP-013 R1.1 does. Instead, Attachment 1 (which is
part of the requirement itself, not just guidance) lists a number of items that
must be included in the plan, for example, mitigating the risk of introducing malicious
code from a laptop. So the entity knows that its plan
must include mitigating the risks posed by malicious code; in fact,
Attachment 1 provides suggestions for two ways to do this (antivirus software
and application whitelisting), while allowing for “other methods” as well.
Now the
auditors have something they can audit: They can go down the items in
Attachment 1 and make sure the TCA/RM plan addresses each one of them. And not
only that, they can determine whether the plan for mitigating each risk in
Attachment 1 is
effective.
If the entity doesn’t include one of the risks in Attachment 1 in their plan,
or if they propose a mitigation strategy for one of the risks that is clearly ineffective,
they can receive a violation.
So the
problem with CIP-013 is that this approach wasn’t followed when the standard
was drafted, partly because nobody suggested it (I certainly never did, even
though I attended several meetings in person or on the phone) but more
importantly because they were under a very unrealistic deadline from FERC to
deliver the standard to them in one year (which I hope to address in another
post soon).
So what
would I like NERC to do? I’d like them to do one of two things. The better
course would be to a) admit that R1.1 lacks a list of risks that should be
addressed in the plan, but at the same time b) either draw up themselves, or
authorize another entity like the CIPC or NATF, to draw up a set of risks that
entities should include in their plans. Entities couldn’t be issued a violation
if they didn’t include one or more of these risks in their plans, but my guess
is almost all of them would, since they’ll want to stay on the good side of
NERC and the regions - and besides, it’s The Right Thing to Do. Supply chain
risk management is something every organization should be doing anyway; this
will give NERC entities that aren’t currently doing it a push to do so. Then,
once FERC approves CIP-013 and (
as
I expect) includes a mandate to make changes (like including Lows and
EACMS) in a new version, NERC can include in the Standards Authorization
Request a mandate to draw up something for R1.1 like Attachment 1 of CIP-010
R4. This would then make R1.1 auditable, starting with the next version.
And what’s the
not-so-good course? If NERC doesn’t like this idea and is fine with having R1.2
be all that’s required in CIP-013, they should say that is the case, and that
they’re going to ignore R1.1. That way, entities will be able to sleep at night
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC. If you
would like to comment on what you have read here, I would love to hear from
you. Please email me at tom@tomalrich.com.
Please keep in mind that Tom Alrich LLC can help you with NERC CIP issues or
challenges like what is discussed in this post. To discuss this, you can email
me at the same address or call me at 312-515-8996.
[i]
As I pointed out in the post referenced above this passage, the word “mitigate”
seems to have been left out of R1.1, so that strictly speaking the entity is
only required to “identify and assess” risks, not actually do anything about
them. Of course, this makes no sense (and very much contradicts everything else
that NERC and FERC have said about this), so I’m assuming it’s simply an error.
It would be nice if it could be fixed before CIP-013-1 comes into effect, but
it will most likely have to wait until at least v2.
[ii]
And, as I’ve said
before,
since CIP-013 is a risk-management standard, the entity can base all of the
actions in its plan on the level of risk. For higher risks, more mitigation would
be required. For lower risks, little or no mitigation would be required. In other
words, just because the entity is required to identify “all” of the risks from
each of the three risk areas in R1.1, this doesn’t mean they need to devote the
same level of resources (or even any resources at all) to mitigation of each
risk. In fact, they will do what they would do in the absence of a mandatory
standard (but with the same budget available): mitigate the highest risks to
the highest degree, and devote fewer or even no resources to mitigating the
lesser risks.