Recently,
the North American Transmission Forum released their “CIP-013-1
Implementation Guidance”, which they have submitted for possible NERC
approval as official guidance (although of course NERC won’t approve the
content of any guidance document, only say that it was properly drafted, or
something like that). While I think this is an interesting (and useful) document,
it isn’t in any way a complete guide to how to comply with CIP-013, which it
seems to aspire to being.
The document
first describes how a NERC entity can a) ask vendors to get an “independent
assessment…from a certified auditor” to evaluate the vendor’s controls to meet
the criteria found in CIP-013 R1.2 (what I call the “six things”. These were
originally mandated by FERC in their Order
829); b) assess the results; and c) document any mitigating actions that
need to be performed by the vendor.
Fair enough.
I agree that this would be a good thing to do, and would help with compliance
with R1.2 and R2. But the document goes on to say “A Responsible Entity could
choose to include this process as the only R1 process in its overall R1 plan or
it could be one of several processes that meet the R1 requirements in its
overall R1 plan.” So it is saying that implementing this process alone will constitute
compliance with R1 in its entirety. Is that really the case?
Let’s look
at what R1 requires, sticking just to what the words say. First, R1 itself says
“Each Responsible Entity shall develop one or more documented supply chain
cyber security risk management plan(s) for high and medium impact BES Cyber
Systems. The plan(s) shall include:” (this is followed by R1.1 and R1.2). Let’s
stop there and see what this says about what we should do. It says we should
develop a plan that needs to include R1.1 and R1.2. Fair enough, what should
this plan contain?
R1.1 reads “One
or more process(es) used in planning for the procurement of BES Cyber Systems
to identify and assess cyber security risk(s) to the Bulk Electric System from
vendor products or services resulting from: (i) procuring and installing vendor
equipment and software; and (ii) transitions from one vendor(s) to another
vendor(s).” In other words, your plan should a) identify and assess[i] cyber
security risks to the BES from procuring vendor equipment and software; b) identify
and assess cyber security risks to the BES from installing vendor equipment and
software; and c) identify and assess cyber security risks to the BES from
transitions between vendors.
NATF is
saying the entity can choose to designate the third-party vendor assessment
process as the only R1 process in its
plan – meaning that the plan could consist entirely of this process. Since
that’s the case, then this process should also be enough to comply with R1.1.
How well does it do this, for each of the three plan elements just identified
from the R1.1 wording?
Let’s start
with element a) above. Will implementing the vendor assessment process help the
entity identify and assess risks from procuring vendor equipment and software?
How could it possibly do that? A process to get vendors to have third-party
assessments isn’t a process to identify and assess risks from procurement. This
might be part of the mitigation plan for some
of the risks identified, but that’s it. In itself, this process neither
identifies nor assesses any procurement risks. The same thing can be said for
element b); that is, the process neither identifies nor assesses any
installation risks (and I can’t think of how it would even be part of the
mitigation plan for installation risks). And as for c)…well, the vendor
assessment process has nothing to do with identifying, assessing or mitigating
risks of transition between vendors. So we can safely say that including the
third-party vendor assessment process in your plan won’t in any significant way
help with compliance with R1.1.
R1.2 reads “One
or more process(es) used in procuring BES Cyber Systems that address the
following..” Of course, we should preface this with “The plan(s) shall
include…” from R1. Let’s ask the same question here. Does the third-party
vendor assessment process help the entity comply with R1.2?
It does that
partially, but not entirely. To understand what I mean, you need to understand
why the six items in R1.2 are there: It’s because FERC explicitly ordered that
these six things be mandated by the new supply chain security standard. But
these six things aren’t included in CIP-013 as prescriptive requirements;
rather, they’re supposed to be included in the overall plan mandated by R1 (of
course, this is a good thing, since having six prescriptive requirements in a
standard that is supposed to be entirely based on having a plan would create a
very uncomfortable mix, both for entities that need to comply and for auditors).
And since
the overall plan is a plan for risk management, the six items need to all be
considered as mitigations of particular risks. Therefore, what R1.2 is really
saying is “The risks of which these six items are mitigations must be included in your plan”. Of
course, most of the risks in the plan will be those that the entity itself
identifies in R1.1; but the six risks behind the six R1.2 items have to be
included in the plan as well – and therefore have to be mitigated.
For example,
R1.2.3 reads “Notification by vendors when remote or onsite access should no
longer be granted to vendor representatives”. This is a mitigation of a risk[ii] which
could be (fairly roughly) said to be “the risk that a terminated vendor employee
will take out his unhappiness on your BES Cyber Systems”. So we will list this
as the risk “behind” R1.2.3; and we’ll do the same for each of the other five
items in R1.2.
Let’s say
we’ve listed the risks behind each of the items in R1.2. Of course, the plan
needs to include mitigation of each risk. Can the third-party vendor assessment
discussed by NATF serve as the mitigation for these six risks? It can certainly
provide part of the mitigation, but
it isn’t the entire mitigation process by any means.
To go back
to our example, if the assessor determines that the vendor does in fact
endeavor to provide notice within 24 hours – and sooner if possible – whenever
an employee who had access to a customer’s systems leaves, this would certainly
be a big step toward mitigating the “risk that a terminated vendor employee
will take out his unhappiness on your BES Cyber Systems”. But is this all
that’s required? What happens if there’s a big management change at the vendor
soon after the assessment, and the new management doesn’t care at all about the
notification policy? If this happens, what if anything does the entity need to
do to make sure this risk is mitigated?
There are a
lot of things the entity can then do: When they first realize the policy has
changed, they can call up the vendor and threaten to terminate their business –
and then make good on that threat if the vendor doesn’t change their policy.
And if it isn’t possible to terminate this vendor (which it often isn’t), the
entity can at least terminate all remote access for this vendor and require
that representatives who want physical access be accompanied at all times by an
employee of the entity. These aren’t easy steps to take, but the point is that
the entity has to have a plan to mitigate each risk, and simply getting a good
assessment won’t always be enough to mitigate a risk.
At this
point, someone might point out that “vendor performance and adherence to a
contract” is explicitly stated to be out of scope in CIP-013 R2 (and implicitly
in R1 as well). So if the entity had not only had the vendor get the
third-party assessment, but they had also had them agree in their contract to
implement whatever mitigations were indicated in the assessment, the entity
wouldn’t be found in violation if the vendor didn’t perform.
This is very
true. But this is very different from saying that, if the vendor doesn’t
perform an obligation in their contract, the entity doesn’t need to take any
more steps to mitigate the risk in question. The goal of CIP-013 is risk management,
not vendor assessment and not contract language. Those are both useful tools
for mitigating risk, but the risk must be mitigated regardless of what the
vendor does or doesn’t do.
So is NATF’s
statement that “A Responsible Entity could choose to include this process (i.e.
the third-party vendor assessment) as the only R1 process in its overall R1
plan” accurate? No. This process can contribute very little to R1.1 compliance;
for R1.2, it can contribute maybe half of the mitigation required. This process
is far from being the “only R1 process” in an entity’s CIP-013 R1 plan. However,
the clause that follows this says “or it could be one of several processes that
meet the R1 requirements in its overall R1 plan.” I certainly agree with that,
although I think there will usually be a good number of processes in an entity’s
CIP-013 R1 plan – not just “several”. I think there will need to be a process
to mitigate each of the risks the entity identifies in R1.1; and I would think
that any entity that wanted to put together a credible plan would need to
mitigate more than “several” risks.
Now let’s
move on to R2. This requirement reads in its entirety “Each Responsible Entity
shall implement its supply chain cyber security risk management plan(s)
specified in Requirement R1.” And since NATF has stated that the third-party
vendor assessment process by itself meets an entity’s compliance obligations
under R1, it’s not hugely surprising that they say that implementing that
process is all that’s needed to comply with R2, specifically “The documentation
maintained by the entity would demonstrate that the entity used its supply
chain cyber security risk management plan required in R1 and, therefore, met
its requirements under R2.”
So is NATF’s
statement true? Oddly, I’d say it is. There are two cases here. First, suppose
that the entity’s auditor has already decided that just describing the
third-party vendor assessment process constitutes compliance with R1. If the R1
plan has been found compliant, then the R2 implementation of that plan will
also be found compliant (assuming the plan was actually implemented). Second,
suppose the entity’s R1 plan hasn’t been found compliant. Even then, the R2
implementation might still be found compliant, since R2 doesn’t require that
the entity rethink its R1 plan, but simply implement it.
So the
important question is whether the R1 plan will be found to be compliant, if the
entity has simply followed NATF’s advice and based their whole plan on a
third-party vendor assessment. That is a real question, but in my opinion there’s
an even more important question that needs to be asked. Since this post is
already pretty long, I will save it for the next[iii] post.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that
if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or
challenges like what is discussed in this post – especially on compliance with
CIP-013. To discuss any of this, you can email me at the same address.
[i]
As I first noticed when I wrote a post
that analyzed R1.1 in excruciating detail, the drafting team seems to have left
out the word “mitigate” here. There’s certainly no point in developing a plan
to just identify and assess risks, without doing anything to mitigate them! I
don’t particularly blame the SDT for this error, since they were under a really
tight deadline from FERC to develop and approve this standard in one year; and
CIP-013 is probably the first non-military mandatory supply chain cyber
security standard in the world. Unfortunately, this also seems to have happened
with CIP-014,
which faced a three-month deadline. The result is that both standards are in
some way un-auditable. I’ll elaborate this more in a post soon on CIP-014, as
well as in my next post on CIP-013.
[ii]
I have a problem with R1, in that it uses the word “risk” where I would use
“threat”. Forgetting about CIP for the moment and just thinking of the process
a CISO goes through in deciding how to allocate her budget for the year, she
must first identify a threat like malware, then assess the degree of risk it
poses. Once she has identified all of the major threats and decided their
degree of risk, then she can allocate her resources to particular threats based
on their individual risks. If you substitute the word risk for threat in the
above two sentences, you’ll see that “risk” will be used with two entirely
different meanings – which of course is very unhelpful. But CIP-013 uses the
word risk, and that’s because FERC used that word in Order 829. I’m not going
to fight that here, but it will become important when an entity actually sets
out to comply with CIP-013; then they will have
to have these terms straight.
[iii]
Even though I believe this will be the topic of my next post, there have been a
number of other times when I’ve been sure I knew what my next post would be,
only to have some other event intervene that I thought was more important to
address. So if my next post is on a completely different topic, you can’t sue
me.
No comments:
Post a Comment