Friday, April 6, 2018

Will the Real CIP-013 Please Stand Up?

I’ve come to realize that there are now two distinct schools of thought on what CIP-013 is. Since, as some other person from Illinois once said, a house divided cannot stand, I feel this issue needs to be resolved soon. One way to resolve it would be the American Way – that is, with guns. However, I don’t think that’s really the best way to deal with this problem, although - as you’ll see soon - I’m not sure there’s any better way available.

It’s quite easy to differentiate these two schools of thought. One school believes that CIP-013 R1.1 is what the standard is all about, with R1.2 taking a minor role; the other believes that R1.2 is the full story. And who is in these two camps? In the R1.1 camp there’s…well, there’s me and…FERC Order 829, although the four FERC Commissioners who approved that Order are all gone (the lone dissenter, Cheryl LaFleur, is still on the Commission; her dissent had nothing to do with this question, though). So it’s just me and a two-year-old piece of paper. I would almost certainly have the support of my cats, but they died years ago.

In the R1.2 camp, there’s just about everybody (or so it seems) at NERC and the Regions. And given this, it’s certain that close to 100% of NERC entities will also be in this camp, since any NERC compliance professional who took a position in direct opposition to NERC and their region would (and should) be fired immediately. Given these two lineups, why am I even raising this issue? Why aren’t I simply conceding that the R1.2 camp has won the day?

I could at this point make a noble statement about being willing to defend my position to the death, and start comparing myself to Joan of Arc. But that’s not really it. Whatever I think is the correct interpretation of CIP-013, I’m not willing to burn at the stake to defend it. But I think most people involved with NERC CIP – including many if not most at NERC as well as the Regions – don’t understand that there really is a choice in interpretations here. I would like to lay out the fact that there is a choice, so that at least these people can make a conscious decision on what constitutes the better interpretation of CIP-013. And I will be quite happy to live with whatever NERC says on this matter.

So what is the choice? Let’s start with the first camp (me). CIP-013 R1.1 (including the opening paragraph of R1) reads:

Each Responsible Entity shall develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include: 
1.1. One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).

I have analyzed this part of R1 in mind-numbing detail in this post, so I won’t repeat all of that. As I mentioned early in that post, the opening paragraph of CIP-013 says that the entity needs to develop a “supply chain cyber security risk management plan”, period. It doesn’t say you’re supposed to do one thing or the other, and within 35 or 60 days. It just says you have to have this plan.

The rest of R1 – that is, R1.1 and R1.2 – is presumably there to tell you what should be in the plan. And, to get back to my idea of there being two schools of thought regarding CIP-013, the R1.1 school believes that this part defines what the standard itself means – although this school (meaning Tom Alrich and his dead cats) readily admits that the six things in R1.2 must also be in the plan. So what does R1.1 tell us about CIP-013? You can read the whole story in the post I just referenced, but here’s a quick summary:

R1.1 lists three “risk areas” in supply chain security, each of which must be addressed in the plan. The first is (with a slight rewording of the requirement) “cyber security risks to the Bulk Electric System from vendor products or services resulting from procuring vendor equipment and software.” The second is “cyber security risks to the Bulk Electric System from vendor products or services resulting from installing vendor equipment and software.” The third is “cyber security risks to the Bulk Electric System from vendor products or services resulting from transitions from one vendor(s) to another vendor(s).” This means your plan needs to identify risks in all three of these areas, and say how you intend to mitigate[i] them. Also note that the risks to be addressed are from “vendor products or services” (my emphasis). They’re not just risks from stuff that you bought, but also from services that you bought.

So what do you need to do to comply with CIP-013, assuming that R1.1 is the right way to understand the standard? You “just” need to a) identify all of the important risks from each of the three areas; and b) mitigate those risks. Of course, I put ‘just’ in quotation marks because identifying all of the risks seems like a daunting task. How can one entity possibly identify all the risks in each of the three areas?

The answer is it can’t. However, this wouldn’t pose a big problem if CIP-013 were going to be audited in a “non-prescriptive” way – that is, if the auditors were simply going to ascertain whether you made a good effort to identify all risks, and then confirm that your plan discussed how you might effectively mitigate all of those risks[ii], based on the degree of risk they pose.

But, as we all well know, NERC auditing doesn’t work this way. Ideally, the NERC auditor will have a checklist of what is required; they will then go down this list to confirm whether or not you have done each of these things. Obviously, R1.1 can’t be audited this way. This is why last December I wrote a post saying that CIP-013 wasn’t auditable, except for R1.2. What I was thinking was that this might be a wake-up call, so that NERC might think about how CIP-013 could be audited, while still preserving the principle that it requires a plan for managing supply chain risks – as R1.1 says.

But if R1.1 can’t be audited, the result is inevitable: NERC, the Regions and the entities will all ignore it. Instead, they’ll focus simply on the six things that are required in R1.2. These can be audited. So this brings us to the second school of thought: R1.2 is all that matters in CIP-013. The six things that are required in that part are all the entity needs to worry about as they implement compliance with CIP-013, and they’re all the auditors will look at. Very few entities are going to go to the trouble of trying to identify a full set of risks in R1.1 if they aren’t going to be audited on how well they’ve identified them. Because – as all CIP compliance professionals know by now – if you say in your plan that you’re going to mitigate a particular set of risks, then you’re likely to receive violations if you don’t do that. It’s better not to list any risks at all in R1.1.

For evidence of this belief (that NERC intends to ignore R1.1 and focus almost entirely on R1.2), I point to three sources:

  1. The Implementation Guidance for CIP-013 focuses almost the entire discussion of R1 on the six things required by R1.2. Yes, there is a discussion of how the entity can put together a team to brainstorm about supply chain risks, and there is a fairly random collection of bullet points of things that the team might consider. But there is no guidance on what types of risks to look for, how to determine whether they’re real risks, etc. Most importantly, there isn’t a list of risks that need to be addressed (for why this is important, see the end of this post). Meanwhile, the R1.2 discussion is very focused and detailed. This is clearly what the drafting team has in mind when they talk about implementing compliance with CIP-013.
  2. You may have seen NERC’s webinar on CIP-013 a few weeks ago (although I haven’t seen any recording or slides being made available from it, which is too bad). As I pointed out in my post about that webinar, there was little (and really no) discussion of anything else being required in CIP-013, other than the six items in R1.2.
  3. During the CIP-013 discussion at WECC’s CIP Workshop last week, when I asked the auditors whether anything else was required beyond the six things in R1.2, I was told – using a few more words, but meaning the same thing – no.

If I’m so sure that NERC doesn’t intend to enforce anything more than compliance with R1.2, and if I say I’m OK with that, why am I even writing this post? Why not just go forth and tell people to focus solely on R1.2 and they’ll have all they need to comply with CIP-013? The reason is that, after all, R1.1 is in the standard. If an entity just focuses on R1.2, will they receive a PNC (potential non-compliance) finding in an audit three years from now because they ignored R1.1?

In other words, I can’t believe that it’s really going to be this easy: that FERC, NERC, the Regions and the entities will all come to some magical – and completely unspoken – agreement that R1.2 is all there is in CIP-013 and R1.1 can be ignored. There needs to be some statement or guidance to that effect, presumably from NERC. Otherwise, the CIP people at the entities will have trouble sleeping for the next few years, wondering if they really did the right thing by completely ignoring R1.1.

How could this problem have been avoided? I used to think that CIP-013 was almost the perfect standard, since it doesn’t prescribe any particular activities, but simply requires the entity to develop and implement a risk management plan. But I now realize that this isn’t enough. The entity can’t be simply told to go off and find some risks, then go mitigate them; given how NERC audits are conducted, they will inevitably find few or no risks, since for each risk they find, they now have to develop and implement a plan to mitigate it – and there is huge compliance risk attendant on that.

As I discussed in this post, I think the drafters of CIP-010 R4, the “CIP v6” requirement for Transient Cyber Assets and Removable Media, came upon the solution to this problem. (By the way, CIP-014 also suffers from this problem, which has shown up in audits, as discussed in this post. I’ve heard some talk of NERC deciding to rewrite that standard to fix the problem. This would be nice if it happened, but is probably wishful thinking.) CIP-010 R4 is plan-based, just like CIP-013 is. But the requirement doesn’t just tell the entity to go out and identify some risks and put them in their plan, as CIP-013 R1.1 does. Instead, Attachment 1 (which is part of the requirement itself, not just guidance) lists a number of items that must be included in the plan, for example, mitigating the risk of introducing malicious code from a laptop. So the entity knows that its plan must include mitigating the risks posed by malicious code; in fact, Attachment 1 provides suggestions for two ways to do this (antivirus software and application whitelisting), while allowing for “other methods” as well.

Now the auditors have something they can audit: They can go down the items in Attachment 1 and make sure the TCA/RM plan addresses each one of them. And not only that, they can determine whether the plan for mitigating each risk in Attachment 1 is effective. If the entity doesn’t include one of the risks in Attachment 1 in their plan, or if they propose a mitigation strategy for one of the risks that is clearly ineffective, they can receive a violation.

So the problem with CIP-013 is that this approach wasn’t followed when the standard was drafted, partly because nobody suggested it (I certainly never did, even though I attended several meetings in person or on the phone) but more importantly because they were under a very unrealistic deadline from FERC to deliver the standard to them in one year (which I hope to address in another post soon).

So what would I like NERC to do? I’d like them to do one of two things. The better course would be to a) admit that R1.1 lacks a list of risks that should be addressed in the plan, but at the same time b) either draw up themselves, or authorize another entity like the CIPC or NATF, to draw up a set of risks that entities should include in their plans. Entities couldn’t be issued a violation if they didn’t include one or more of these risks in their plans, but my guess is almost all of them would, since they’ll want to stay on the good side of NERC and the regions - and besides, it’s The Right Thing to Do. Supply chain risk management is something every organization should be doing anyway; this will give NERC entities that aren’t currently doing it a push to do so. Then, once FERC approves CIP-013 and (as I expect) includes a mandate to make changes (like including Lows and EACMS) in a new version, NERC can include in the Standards Authorization Request a mandate to draw up something for R1.1 like Attachment 1 of CIP-010 R4. This would then make R1.1 auditable, starting with the next version.

And what’s the not-so-good course? If NERC doesn’t like this idea and is fine with having R1.2 be all that’s required in CIP-013, they should say that is the case, and that they’re going to ignore R1.1. That way, entities will be able to sleep at night.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at Please keep in mind that Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. To discuss this, you can email me at the same address or call me at 312-515-8996.

[i] As I pointed out in the post referenced above this passage, the word “mitigate” seems to have been left out of R1.1, so that strictly speaking the entity is only required to “identify and assess” risks, not actually do anything about them. Of course, this makes no sense (and very much contradicts everything else that NERC and FERC have said about this), so I’m assuming it’s simply an error. It would be nice if it could be fixed before CIP-013-1 comes into effect, but it will most likely have to wait until at least v2.

[ii] And, as I’ve said before, since CIP-013 is a risk-management standard, the entity can base all of the actions in its plan on the level of risk. For higher risks, more mitigation would be required. For lower risks, little or no mitigation would be required. In other words, just because the entity is required to identify “all” of the risks from each of the three risk areas in R1.1, this doesn’t mean they need to devote the same level of resources (or even any resources at all) to mitigation of each risk. In fact, they will do what they would do in the absence of a mandatory standard (but with the same budget available): mitigate the highest risks to the highest degree, and devote fewer or even no resources to mitigating the lesser risks.
