FERC approved CIP-013 this morning. You can find the press release here and the Order here. The only change they ordered was that EACMS be included in the scope for CIP-013. However, rather than ordering NERC to do this very quickly - as their January NOPR seemed to suggest they would - they gave NERC two years to do it (i.e. twice as long as they gave NERC to develop the standard in the first place!). They left some other big questions on the table pending the final version of the NERC/EPRI report I mentioned in my post on Tuesday. I’ll have a full post on Order 850 early next week, after I’ve been able to spend some quality time with it.
I haven’t had time to read the Order (and won’t until the weekend), because I’m still at NERC’s GridSecCon, which – once again – has proved to be a great event. Bill Lawrence and his E-ISAC team have again done a wonderful job of programming the sessions and bringing interesting vendors to the exhibition. You should try to attend GridSecCon 2019, which will be this same week next October, at a location TBD (they will make the decision soon, since some people make their travel plans a year in advance of GridSecCon – it’s so good).
However, while you’re anxiously awaiting my post on the full Order, you should consider the great offer below:
Because FERC didn’t order any change in the implementation plan (another change the NOPR had intimated they would make), the compliance date for CIP-013 will be July 1, 2020. However, as I said in this post in January, you really need to aim to have your supply chain cyber security risk management plan (which is the main “deliverable” of CIP-013, of course) finished six months before the compliance date, to give you time to have it reviewed by your Region and then to make whatever changes they suggest.[i]
So I recommend you consider January 1, 2020 to be your “plan completion date” (although I’ll give you until Jan. 2. I don’t want to spoil anybody’s New Year’s Day!). Once your Region has given you their comments on your plan and you’ve adjusted the plan to address those comments, you should then put it into place, with hopefully at least a little time to spare before the July 1 compliance date. And if you’re one of the entities that likes to come into complete compliance at least 90 days before the compliance date (as a number of entities did for CIP version 5), then you need to aim for October 1, 2019, which of course is less than a year away.
Fortunately, Tom Alrich LLC can help you get a good start on developing your program. We are offering a free two-hour webinar workshop for your organization on CIP-013 and what you will need to do to comply with it.
The purpose of the workshop is to get the different groups that will be involved in complying with CIP-013 (supply chain, legal, cyber security and NERC compliance) thinking about the issues involved. In case you haven’t been reading my posts on this subject: complying with CIP-013 will be very different from complying with any of the previous CIP standards. Some of the topics to be addressed in the workshop include:
- CIP-013 is really the first risk-based NERC standard. While it’s not mandatory, it is highly advisable to classify both BES Cyber Systems and vendors by the degree of risk they pose, with different plan strategies corresponding to different degrees of risk. How can you do this?
- The standard doesn’t list the particular risks that you need to address in your supply chain cyber security risk management plan. How can you compile a credible yet manageable list of risks[ii] for your plan?
- CIP-013 is the first CIP standard that doesn’t prescribe any particular actions - it simply requires that you develop and implement a plan[iii]. How will the plan and its implementation be audited?
- While attention has mostly focused on the requirement to mitigate vendor risk, the entity also needs to mitigate implementation risks and the risks of transitioning between vendors, as well as the risks posed by service vendors. What are possible strategies for these?
- While much of the discussion of CIP-013 has focused on the question of getting vendors to agree to contract language, contract language isn’t the only way, or even the preferred way, to get vendors to agree to take the actions CIP-013 requires. What are good strategies for obtaining vendor commitment, so that demanding contract language (costly both in money and in ill feeling between you and the vendor) can be reserved for the cases where it is really needed?
- How do you document that vendors followed through on their promises? And what do you do if a vendor doesn’t keep its promise, or won’t make any promise to you in the first place?
If you would like to discuss the workshop with me, please drop me an email at firstname.lastname@example.org or call me at 312-515-8996. Thanks!
[i] As the post points out, it will be a great help to you – Mr/Ms NERC CIP compliance professional – to have your CIP-013 plan reviewed by your NERC Region before the compliance date – since that’s when it needs to be fully implemented. Another reason to review the plan before that date is that most of the Regions won’t want to review any plans after the date, since at that point it becomes auditable and they’ll be worried about auditor independence issues. And I say you should aim for six months before the date, because if you wait until say three months before (i.e. April 1, 2020), there might be a big queue of plans to be reviewed – and the Regions won’t feel compelled to get them all reviewed before the compliance date.
[ii] It would be nice if the drafting team (or somebody else like NERC or the Regions or NATF) had put together a set of risks that should be considered in the plan (but not necessarily mitigated, if the entity thinks they pose low risk to the BES), but that didn’t happen. However, there are certainly other ways to develop a fairly comprehensive list of the important risks; we’ll discuss that in the free workshop.
[iii] CIP-013 R1.2 lists six general risk mitigation goals that must be addressed in your plan, but doesn’t require you to take specific steps to achieve any of these six goals. So the risks behind these goals need to be included in your R1.1 plan – but this doesn’t mean the six goals are all that needs to be included. FERC’s Order 829 made clear they are looking for the entity to at least consider all important supply chain cyber risks, then use its available resources to mitigate those that pose the highest level of risk, in order of their importance.