My post
yesterday called attention to a post by Monta Elkins of FoxGuard Solutions on
the problem of “retropatches” – patches that carry a date that is sometimes
months before the actual release date of the patch. These can play havoc with a
NERC entity’s audit of CIP-007 R2 compliance, since an auditor may well inquire
why the entity didn’t apply a patch dated January until May. The post got a lot
of attention, despite the slow holiday week.
One person
who paid attention to the post was Kevin Perry, who recently retired after 21
years with SPP, including nine years as the Chief CIP Auditor of SPP RE. He
sent me the following email, which NERC entities should find to be helpful:
If you use a patch service, then you can
readily maintain records of when the patch actually showed up on the
applicable, not installed list. That solves the problem. If you
receive email or snail mail notifications of available patches, again no
issue. Just keep the notice. If you manually check, you need to
keep evidence that you checked anyhow, so make sure your date-stamped evidence
shows no patch was available until it actually shows up. Where you get
into trouble is when your program documentation consists of an attestation that
you checked and found nothing, but you have no supporting evidence. You
cannot prove you did not miss a backdated patch.
Most entities I dealt with used a patch
service for most of their software and received email notifications for the
rest. Very few applications required a manual site visit.
The entities that eschew available
technology and do everything manually are the ones with the greatest burden and
risk.
By the way, there is another nuance.
You upgrade a system and all of a sudden a bunch of old patches are now
applicable. Again, good record keeping of the upgrade addresses that
“discrepancy.”
Most auditors are reasonable as long as you
can tell your story without the “deer in the headlights” look. We really
do understand these issues occur.
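As an added illustration of Kevin's point about date-stamped evidence (example code, not part of the post or his email): a small Python script that reads a constructed log of dated patch-source checks, records when each patch actually appeared, lists the dated checks that showed it absent after its printed release date, and counts the evaluation deadline from the observed date rather than the printed one. The 35-day window, the KB-* patch IDs and the dates are assumptions.

```python
from datetime import date, timedelta
# Constructed sample data (not from the post): one date-stamped check of a patch
# source per row, with the patch IDs the source showed as applicable that day.
CHECK_LOG = [
    (date(2019, 1, 7), {"KB-100"}),
    (date(2019, 2, 4), {"KB-100"}),
    (date(2019, 3, 4), {"KB-100"}),
    (date(2019, 4, 1), {"KB-100"}),
    (date(2019, 5, 6), {"KB-100", "KB-200"}),  # KB-200 first shows up here
]
# Constructed vendor metadata: the release date printed on each patch.
VENDOR_DATE = {"KB-100": date(2018, 12, 20), "KB-200": date(2019, 1, 15)}
# Assumed evaluation window in calendar days (CIP-007 R2 Part 2.2 uses 35).
WINDOW_DAYS = 35

def first_observed(check_log):
    """Map each patch ID to the earliest check on which the source listed it."""
    seen = {}
    for when, patches in sorted(check_log, key=lambda r: r[0]):
        for pid in patches:
            seen.setdefault(pid, when)
    return seen

def absence_checks(patch_id, printed, check_log):
    """Date-stamped checks on/after the printed date that did NOT show the patch:
    the records that answer 'why wasn't this January patch applied until May?'"""
    return [when for when, patches in sorted(check_log, key=lambda r: r[0])
            if when >= printed and patch_id not in patches]

def assess(check_log, vendor_dates, window_days=WINDOW_DAYS):
    """Per patch: when it really appeared, its lag behind the printed date, the
    evaluation deadline counted from that appearance, and whether the gap is evidenced."""
    observed = first_observed(check_log)
    report = {}
    for pid, printed in vendor_dates.items():
        seen = observed.get(pid)
        if seen is None:  # never listed by any source: nothing to evaluate yet
            report[pid] = {"first_observed": None}
            continue
        lag = (seen - printed).days
        gap = absence_checks(pid, printed, check_log)
        report[pid] = {
            "first_observed": seen,
            "retropatch_lag_days": lag,
            "deadline": seen + timedelta(days=window_days),
            # Backdated with no checks covering the gap: the unprovable attestation case.
            "gap_evidenced": lag <= 0 or bool(gap),
            "absence_checks": gap,
        }
    return report
```

In the sample, KB-200 is printed as January but only appears in May; the February, March and April checks are the evidence an auditor would ask for, while KB-100 has no check between its printed date and first observation and so is flagged as unevidenced.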
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that
if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or
challenges like what is discussed in this post – especially on compliance with
CIP-013; we also work with security product or service vendors that need help
articulating their message to the power industry. To discuss this, you can
email me at the same address.