I have pointed out many times in this blog that by far the best coverage of cyber security issues in the energy industry is that provided by the web-based Energy and Environment News. Unfortunately, the subscription cost for that is out of the range of us non-one-percenters, but you should look into having your organization subscribe (not just for cyber, but for all energy news).
So it’s not surprising that E&E News provided the only coverage that I have seen so far of FERC’s approval of CIP-013 last week. I recommend you read this article (if you are asked to do a free trial subscription, I highly recommend it, since they have good articles every day, with cyber articles about the power industry usually at least a couple of times a week. At least you’ll be able to read all the articles while your trial lasts).
In my last post (on Thursday, the day FERC approved CIP-013) I provided a brief summary of FERC’s Order 850 and said I’d have more to say after I had time to read it carefully over the weekend. Well, guess what? What I have to say now isn’t terribly different from what I said in my brief summary:
- FERC left the implementation period at 18 months, rather than order it be shortened to 12 months, as they had suggested in their NOPR in January.
- As they also suggested in January, they ordered that NERC add Medium and High impact Electronic Access Control and Monitoring Systems to the applicability of the standard, beyond the current Medium and High impact BES Cyber Systems. They are giving NERC 24 months to do this, which is twice as long as they gave NERC to develop the entire standard in the first place (however, when I say “They”, I need to point out that there is only one Commissioner still in office from when FERC issued Order 829 in July 2016. And that Commissioner – Cheryl LaFleur – dissented from the Order, since she very rightly didn’t believe that one year was enough time for NERC to do a good job of drafting the standard and going through the long and politically fraught approval process).
- Regarding the other items that FERC suggested in their NOPR should be considered for applicability in CIP-013 – Physical Access Control Systems, Protected Cyber Assets and Low impact BES Cyber Systems – FERC said on Thursday that they will hold any decision until they see the final version of NERC’s supply chain security study, which is due early next year.
- To be honest, the most interesting part of Order 850 was at the end, in paragraphs 78 and 79. Paragraph 78 discussed comments FERC received about the meaning of “vendor”; FERC’s answer mistakenly said that NERC had defined the term. Actually, the story behind that is a lot more nuanced, and points to a larger problem with the NERC CIP standards in general. Since I specialize in Larger Problems in this blog, I will dig into this later, although I have a number of other posts in the queue before that can happen.
- Paragraph 79 was sparked by comments suggesting that NERC entities would be on the hook for deficiencies in cyber security practices by their vendors. FERC correctly pointed out that the standard specifically states that entities won’t be on the hook, although they are still responsible for mitigating the risk that the vendor presumably didn’t mitigate. For example, if your vendor agrees (in contract language or just in a letter) that they will help you mitigate new vulnerabilities that affect their products and then doesn’t do that in one case, you still have to take other steps to mitigate the risk caused by that new vulnerability.
But, through work I am currently doing with a vendor to the power industry, I’ve come to see that there’s a very neat, elegant solution to the problem of obligating vendors to take certain steps - and penalizing them if they don’t. What is really cool, though, is that this is also a solution to the vendors’ problem (which I mentioned in the E&E News article) that some NERC entities are downloading contract language from various sources on the internet and sending it to the vendors, demanding that they include it in their contracts. Of course, there’s no way the vendor can deal with this big variety of requests. My solution will also solve that problem. Not bad - two big problems nailed with one solution! Next up: a neat single solution for the two big problems of global poverty and people who talk loudly on their cell phones on trains.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013; we also work with security product or service vendors that need help articulating their message to the power industry. To discuss this, you can email me at the same address.