An (ex-) auditor weighs in on “retropatches”

My post yesterday called attention to a post by Monta Elkins of FoxGuard Solutions on the problem of “retropatches” – patches that carry a date that is sometimes months before the actual release date of the patch. These can play havoc with a NERC entity’s audit of CIP-007 R2 compliance, since an auditor may well inquire why the entity didn’t apply a patch dated January until May. The post got a lot of attention, despite the slow holiday week.

One person who paid attention to the post was Kevin Perry, who recently retired after 21 years with SPP, including nine years as the Chief CIP Auditor of SPP RE. He sent me the following email, which NERC entities should find to be helpful:

If you use a patch service, then you can readily maintain records of when the patch actually showed up on the applicable, not installed list.  That solves the problem.  If you receive email or snail mail notifications of available patches, again no issue.  Just keep the notice.  If you manually check, you need to keep evidence that you checked anyhow, so make sure your date-stamped evidence shows no patch was available until it actually shows up.  Where you get into trouble is when your program documentation consists of an attestation that you checked and found nothing, but you have no supporting evidence.  You cannot prove you did not miss a backdated patch.

Most entities I dealt with used a patch service for most of their software and received email notifications for the rest.  Very few applications required a manual site visit.

The entities that eschew available technology and do everything manually are the ones with the greatest burden and risk.

By the way, there is another nuance.  You upgrade a system and all of a sudden a bunch of old patches are now applicable.  Again, good record keeping of the upgrade addresses that “discrepancy.”

Most auditors are reasonable as long as you can tell your story without the “deer in the headlights” look.  We really do understand these issues occur.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013; we also work with security product or service vendors that need help articulating their message to the power industry. To discuss this, you can email me at the same address.