If you’re a CIP-013 groupie, you may have noticed that I focus on CIP-013 R1.1 a lot in this blog, and not so much on the other CIP-013 requirements. In fact, I’ve only discussed R3 once, and I’ve never discussed R2, since all it says is “Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.” Not much to discuss there!
And in R1, I focus on R1.1, instead of R1.2. Is this because I don’t like big words like “authenticity” and “Interactive Remote Access” – both of which are found in R1.2? No. While it’s true that I don’t approve of excessive polysyllabilality, I myself have been known to use long words at times. The reason I focus on R1.1 is that this is without doubt the heart of CIP-013. In R1.1, the entity draws up their Supply Chain Cyber Security Risk Management plan, while in R2 and R3 the plan is implemented and then reviewed annually. If the entity doesn’t draw up a good plan because they don’t know what to put in it, they obviously won’t implement anything worth implementing, or review anything worth reviewing. For that entity, the whole CIP-013 exercise will be a waste of time and money.
But the loss will go beyond the entity. As the Russian cyber attacks recently brought into the open by DHS show, the bad guys have figured out that the best way into every large organization nowadays – and most certainly electric utilities – isn’t to mount a full assault on the front gate of the castle, with its myriad protections. It’s to go around to the back door with a single lock on it that the tradesmen use. To continue the somewhat strained metaphor, if the attackers can find a place to hide in the cart that brings in the hay for the animals, they stand a much better chance of breaking into the castle. So supply chain attacks are already becoming the vector of choice for the discriminating cyber hacker. This is the biggest vulnerability for the electric sector, even though as of now there haven't been any successful supply chain attacks on control networks, except for two wind turbines.
In this post from August, I stated that I think CIP-013 R1.1 is un-auditable, because it provides nothing for the entity to key on to include in their plan – and I used CIP-010 R4 Attachment 1 as my poster child for a good plan-based requirement. As long as NERC auditors are only allowed to focus on whether the entity has complied strictly with the specific wording of a requirement (which is the case now, unfortunately), a requirement that doesn’t have some specific wording for the auditors to key on is simply un-auditable. CIP-010 R4 Attachment 1 provides specific (although not prescriptive) criteria for what should be in the plan; CIP-013 R1.1 doesn’t.
However, I’m exaggerating when I imply that R1.1 provides no help at all to the entity as they develop their plan; there is some information in there, and it is enough to get you started in writing your plan. This post will list the information that I have found in R1.1. It doesn't provide anything near a workable guide to developing a CIP-013 plan, but it is at least a start.
Here’s the full text of R1.1:

(The plan(s) shall include)…one or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).
And here’s what I get out of this all-too-brief text:
- The last time I took a close look at R1.1 in this blog, I decided there was no significance to be assigned to the fact that it begins by mandating “..processes used in planning..” That seems to be the Department of Redundancy Department at work. You are developing a plan for supply chain cyber security risk management. You aren’t developing a plan for “processes used in planning supply chain cyber security risk management”. So ignore these words.
- The plan is to “identify and assess cyber risks to the BES from vendor products and services…” You may notice that there’s nothing about mitigating those risks. I assume this is just an oversight. Of course, being required to identify and assess risks, but not having to do anything to mitigate those risks, wouldn’t make any sense. So you need to read this as a requirement to “identify, assess and mitigate” risks.
- But what are these risks you have to mitigate? Aye, there’s the rub. CIP-010 R4 also requires you to develop a risk management plan. In Attachment 1 to that requirement, you find a list of types of risk that you need to mitigate in the plan, as well as high-level suggestions for how to mitigate these risks. What do you find in CIP-013 R1.1? You find the two bullet points (i) and (ii). What are these? Are these risks to be mitigated, too?
- No, I call these “risk areas”. They are essentially subdivisions of the overall world of supply chain cyber security. They aren’t risks themselves, so you still need to find risks to address within each one of these areas. But this does at least provide guidance on where to start.
- What specifically are the risk areas? Even though there are two bulleted points, there are actually five risk areas. Notice that the two points are preceded by the words “risks…from vendor products or services..” This means you need to consider each of the two bullet points from the points of view of both vendor products and vendor services.
- Next, notice that bullet (i) is “procuring and installing vendor equipment and software”. Breaking this up yields “procuring vendor equipment and software” and “installing vendor equipment and software”. Each of these is itself a risk area, but remember that we are supposed to look at these from the points of view of both products (which means hardware and software) and services. So this means we have to add “procuring vendor services” and “installing vendor services” to the list of risk areas.
- Of course, you don’t “install” services! But you do utilize them. So I reword the second of these as “utilizing vendor services”.
- As for bullet point (ii), it’s already sufficiently general that we don’t need to list separate risk areas for products and services.
So here’s my list of risk areas that need to be addressed in your CIP-013 plan (and these are enforceable, since they are explicitly stated in the requirement, even if they’re a little hard to see initially):
a) Procuring vendor equipment and software;
b) Installing vendor equipment and software;
c) Procuring vendor services;
d) Utilizing vendor services; and
e) Transitions between vendors.
Now you know at least where to begin as you develop your plan. Your plan needs to address each of these five risk areas. From there, you need to find important risks to mitigate in each area. There’s more information for your plan, to be gleaned from R1.2. I’ll discuss that in another post soon.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss any of this, you can email me at the same address.
Down-selecting vendors and potential vendors based on the ability to provide MD5 or SHA file hashes for their firmware / software updates is one of the measures we are adding. Not all vendors and components will have sufficient competition to allow it, but it is one of the measures we considered.
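The comment above treats a vendor's ability to publish file hashes for firmware and software updates as a procurement criterion (risk area a) in the list). What the plan then needs under risk area b), installing vendor equipment and software, is the matching check at install time. The script below is an added example written for this post, not code from the blog or the commenter: it parses a small vendor hash manifest, recomputes the digest of the downloaded update file, and reports a match, a mismatch, or a "weak-only" result when the vendor supplies only MD5 or SHA-1 (both collision-prone, so they confirm the file you got is the file the vendor hashed, but not much more). The manifest line format, file names and sample bytes are constructed for the example; real vendors publish hashes in their own formats, and the manifest should be fetched over a channel independent of the update download.

```python
"""Verify vendor update files against a vendor-published hash manifest.
Added example for this blog post (not the author's or commenter's code).
Manifest format, file names and sample bytes are constructed here."""
import hashlib
import hmac
import os
import tempfile

# Algorithms accepted for integrity checks. MD5 and SHA-1 are kept only so a
# manifest that offers nothing stronger can be flagged as "weak-only".
STRONG_ALGOS = {"sha256", "sha512"}
WEAK_ALGOS = {"md5", "sha1"}


def parse_manifest(text):
    """Parse lines of the constructed form '<algo> <hexdigest> <filename>'."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"manifest line {lineno}: expected 'algo digest filename'")
        algo, digest, name = parts
        algo = algo.lower()
        if algo not in STRONG_ALGOS | WEAK_ALGOS:
            raise ValueError(f"manifest line {lineno}: unsupported algorithm {algo!r}")
        entries.setdefault(name, {})[algo] = digest.lower()
    return entries


def file_digest(path, algo):
    """Hash a file in chunks so large firmware images need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_update(path, name, manifest):
    """Return (status, algo). status is 'ok', 'mismatch', 'weak-only' or 'missing'."""
    digests = manifest.get(name)
    if not digests:
        return "missing", None
    strong = sorted(a for a in digests if a in STRONG_ALGOS)
    weak = sorted(a for a in digests if a in WEAK_ALGOS)
    # Prefer a collision-resistant algorithm; a match on MD5/SHA-1 alone is
    # reported distinctly so it can be treated as a procurement finding.
    if strong:
        algo, status_if_match = strong[0], "ok"
    else:
        algo, status_if_match = weak[0], "weak-only"
    actual = file_digest(path, algo)
    if hmac.compare_digest(actual, digests[algo]):
        return status_if_match, algo
    return "mismatch", algo


def demo():
    """Constructed end-to-end run: a genuine image, a tampered copy, and a
    file the vendor covers with MD5 only. Returns the result for each case."""
    image = b"FIRMWARE-IMAGE-v1.2.3\x00" + bytes(range(256)) * 8  # constructed bytes
    tampered = image[:-1] + b"\x00"  # last byte of image is 0xff, so this differs
    with tempfile.TemporaryDirectory() as d:
        good_path = os.path.join(d, "relay-fw-1.2.3.bin")
        bad_path = os.path.join(d, "relay-fw-1.2.3-tampered.bin")
        for p, data in ((good_path, image), (bad_path, tampered)):
            with open(p, "wb") as f:
                f.write(data)
        # Stand-in for the vendor's out-of-band manifest: digests computed over
        # the genuine image, plus one entry that offers MD5 only.
        manifest_text = (
            "# constructed vendor manifest\n"
            f"sha256 {hashlib.sha256(image).hexdigest()} relay-fw-1.2.3.bin\n"
            f"md5 {hashlib.md5(image).hexdigest()} relay-fw-1.2.3.bin\n"
            f"md5 {hashlib.md5(image).hexdigest()} hmi-setup-4.0.exe\n"
        )
        manifest = parse_manifest(manifest_text)
        return {
            "good": verify_update(good_path, "relay-fw-1.2.3.bin", manifest),
            "tampered": verify_update(bad_path, "relay-fw-1.2.3.bin", manifest),
            "weak_only": verify_update(good_path, "hmi-setup-4.0.exe", manifest),
            "unlisted": verify_update(good_path, "unknown.bin", manifest),
        }


if __name__ == "__main__":
    for case, (status, algo) in demo().items():
        print(f"{case:10s} {status:10s} {algo}")
```

Anything other than "ok" is evidence for the plan: "mismatch" stops the install, "weak-only" and "missing" go back to the vendor as procurement findings, which is the same criterion the comment applies when down-selecting vendors.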