FERC approved CIP-013 this morning. You can find the press release here and the Order here.
The only change they ordered was that EACMS be included in the scope for CIP-013. However, rather than ordering NERC to do this very quickly – as their January NOPR seemed to suggest they would – they gave NERC two years to do it (i.e. twice as long as they gave NERC to develop the standard in the first place!). They left some other big questions on the table pending the final version of the NERC/EPRI report I mentioned in my post on Tuesday. I’ll have a full post on Order 850 early next week, after I’ve been able to spend some quality time with it.
I haven’t had time to read the Order (and won’t until the weekend), because I’m still at NERC’s GridSecCon, which – once again – has proved to be a great event. Bill Lawrence and his E-ISAC team have again done a wonderful job of programming the sessions and bringing interesting vendors to the exhibition. You should try to attend GridSecCon 2019, which will be this same week next October, at a location TBD (they will make the decision soon, since some people make their travel plans a year in advance of GridSecCon – it’s so good).
However, while you’re anxiously awaiting my post on the full Order, you should consider the great offer below:
Because FERC didn’t order any change in the Implementation plan (as they also intimated they would do in the NOPR), the compliance date for CIP-013 will be July 1, 2020. However, as I said in this post in January, you really need to aim to have your supply chain cyber security risk management plan (which is the main “deliverable” of CIP-013, of course) finished six months before the compliance date, to give you time to have it reviewed by your Region – and then to make whatever changes they suggest.[i]
So I recommend you consider January 1, 2020 to be your “plan completion date” (although I’ll give you ‘til Jan. 2. I don’t want to spoil anybody’s New Year’s Day!). Once your Region has given you their comments on your plan and you’ve adjusted the plan to address those comments, you should then put it into place, with hopefully at least a little time before the July 1 compliance date. And if you’re one of the entities that likes to come into complete compliance at least 90 days before the compliance date (as did a number of entities for CIP version 5), then you need to aim for October 1, 2019 – which of course is less than a year away.
Fortunately, Tom Alrich LLC can help you get a good start on developing your program. We are offering a free two-hour webinar workshop for your organization on CIP-013 and what you will need to do to comply with it.
The purpose of the workshop is to get the different groups that will be involved in complying with CIP-013 – supply chain, legal, cyber security and NERC compliance – thinking about the issues that are involved; and in case you haven’t been reading my posts on this subject, complying with CIP-013 will be very different from complying with any of the previous CIP standards. Some of the topics to be addressed in the workshop include:
- CIP-013 is really the first risk-based NERC standard. While it’s not mandatory, it is highly advised to classify both BES Cyber Systems and vendors by the degree of risk they pose, with different plan strategies corresponding to different degrees of risk. How can you do this?
- The standard doesn’t list the particular risks that you need to address in your supply chain cyber security risk management plan. How can you compile a credible yet manageable list of risks[ii] for your plan?
- CIP-013 is the first CIP standard that doesn’t prescribe any particular actions – it simply requires that you develop and implement a plan[iii]. How will the plan and its implementation be audited?
- While attention has mostly focused on the requirement to mitigate vendor risk, the entity also needs to mitigate implementation risks and risks of transition between vendors, as well as risks posed by services vendors. What are possible strategies for these?
- While much of the discussion of CIP-013 has focused on the question of getting vendors to agree to contract language, it is a fact that contract language isn’t the only way – or even the preferred way – to get vendor agreement to take actions required by CIP-013. What are good strategies for obtaining vendor commitment, so that the high-cost (both cost in money and cost in ill-feelings between you and the vendor) option of demanding contract language can be avoided, except in cases where it is really needed?
- How do you document that vendors followed through on their promises? And what do you do if a vendor doesn’t keep its promise, or won’t make any promise to you in the first place?
If you would like to discuss the workshop with me, please drop me an email at tom@tomalrich.com or call me at 312-515-8996. Thanks!
[i] As the post points out, it will be a great help to you – Mr/Ms NERC CIP compliance professional – to have your CIP-013 plan reviewed by your NERC Region before the compliance date – since that’s when it needs to be fully implemented. Another reason to review the plan before that date is that most of the Regions won’t want to review any plans after the date, since at that point it becomes auditable and they’ll be worried about auditor independence issues. And I say you should aim for six months before the date, because if you wait until, say, three months before (i.e. April 1, 2020), there might be a big queue of plans to be reviewed – and the Regions won’t feel compelled to get them all reviewed before the compliance date.
[ii] It would be nice if the drafting team (or somebody else like NERC or the Regions or NATF) had put together a set of risks that should be considered in the plan (but not necessarily mitigated, if the entity thinks they pose low risk to the BES), but that didn’t happen. However, there are certainly other ways to develop a fairly comprehensive list of the important risks; we’ll discuss that in the free workshop.
[iii] CIP-013 R1.2 lists six general risk mitigation goals that must be addressed in your plan, but doesn’t require you to take specific steps to achieve any of these six goals. So the risks behind these goals need to be included in your R1.1 plan – but this doesn’t mean the six goals are all that needs to be included. FERC’s Order 829 made clear they are looking for the entity to at least consider all important supply chain cyber risks, then use its available resources to mitigate those that pose the highest level of risk, in order of their importance.
Good blog... This blog shares very good information on NERC CIP compliance. I appreciate this blog. Very helpful.