This post is
the second of a set of posts on an excellent article by Lew Folkerth of RF (the
NERC Region formerly known as ReliabilityFirst) on CIP-013, the new NERC supply
chain security standard; the first post is here.
That post dealt primarily with how Lew characterizes the standard and started
to discuss what he says about how to comply; this one continues the discussion
about how to comply with the standard. The third post will continue the
compliance discussion and also discuss how CIP-013 will be audited.
I also want
to point out that what I am saying in this series of posts goes beyond what Lew
said in his article, for two reasons:
- Lew doesn’t have much space for his articles, as I do for
my posts. So where he has to use ten words, I can write five paragraphs. And
I have no problem with doing that, as any long-time reader will attest.
- While I firmly believe everything I say in this series of
posts is directly implied by what he said in his article, it’s natural
that I would be able to discuss these topics in more detail, because I’ve
had to figure out a lot of the details already – since I’m currently
working with clients on preparing for CIP-013 compliance. Of course, what
I write in these posts is by necessity very high level; there are details
and there are DETAILS. These posts provide the former (see the italicized
wording at the end of this post to find out how to learn about the latter).
What risks are in scope?
As I have
pointed out in several posts in the past, and also pointed out in part 1 of the
first post in this series (in Section A under the heading “Lew’s CIP-013
compliance methodology, unpacked for the first time!”), CIP-013 R1.1 requires
the entity to assess all supply chain risks to BES Cyber Systems, but it
doesn’t give you any sort of list (even a high-level one) of those risks. So
R1.1 assumes that each entity will be quite well-read in the literature on
supply chain security risks and will always be diligently searching for new
risks; then they’ll put together a list of all of these risks and assess each
one for inclusion (or not) in their plan.
Note: If you're one of the two people that read the previous post closely, you'll remember I pointed out that I have a problem with how CIP-013 uses the word "risk" in two senses. One is in the sense of what I call a threat: a situation that can potentially cause serious harm. The situation itself doesn't have a magnitude, so you can't talk about a big threat or a small threat. But that's where the other sense of "risk" comes in, since you can estimate the magnitude of the risk posed by a particular threat. Because I don't want to confuse people too much, I have mostly used risk in both senses in this post, although I have a few times talked of threats when I felt it was important to do that. To quote Ralph Waldo Emerson, "Consistency is the hobgoblin of little minds." I don't ever want to be accused of having a little mind!
Note: If you're one of the two people that read the previous post closely, you'll remember I pointed out that I have a problem with how CIP-013 uses the word "risk" in two senses. One is in the sense of what I call a threat: a situation that can potentially cause serious harm. The situation itself doesn't have a magnitude, so you can't talk about a big threat or a small threat. But that's where the other sense of "risk" comes in, since you can estimate the magnitude of the risk posed by a particular threat. Because I don't want to confuse people too much, I have mostly used risk in both senses in this post, although I have a few times talked of threats when I felt it was important to do that. To quote Ralph Waldo Emerson, "Consistency is the hobgoblin of little minds." I don't ever want to be accused of having a little mind!
This might
be a good idea if every NERC entity with Medium or High impact BCS had security
staff members who could devote a good part of every day to learning about
supply chain security risks, so that they could always produce a list of the
most important risks whenever required. While this might be true for some of
the larger organizations, I know it’s not true for smaller ones. What are those
people to do?
I’ve
repeatedly expressed the hope that an industry organization like NATF or the
NERC CIPC would put together this list of supply chain risks, although I’ve
seen no sign of that happening yet. Another idea would be if the trade associations,
including APPA, EEI, NRECA and EPSA, each put together a comprehensive list for
their own members. While APPA and NRECA developed a good general discussion of
supply chain security for the members of both organizations, it doesn’t contain
such a list; I hope they will decide to do that in the future as well.
In the
meantime, NERC entities subject to CIP-013 need to figure out on their own what
their significant supply chain security risks are. Where can you go for ideas?
Well, there are lots of documents and lots of ideas – and that’s the problem;
there are far too many. There’s NIST 800-161 and parts of NIST 800-53, for
starters. There’s the NERC/EPRI “Supply Chain Risk Assessment” document,
which was issued in preliminary form in September and will be finalized in
February; there’s the excellent (although too short!) document that Utilities
Technology Council (UTC) put out in 2015 called “Cyber
Supply Chain Risk Management for Utilities”; and there’s the APPA/NRECA paper
I just mentioned. There are others as well. None of these, except for 800-161, can
be considered a comprehensive list, though. And 800-161 is comprehensive to a
fault; if any utility were to seriously try to address every risk found in that
document, they would probably have to stop distributing electric power and
assign the entire staff to implementing 800-161 compliance!
One drawback
of all of these documents, from a CIP-013 compliance perspective, is that they
don’t identify risks directly. Instead, they all describe various mitigations
you can use to address those risks. This means that you need to reword these
mitigations to articulate the risks behind them. To take the UTC document as an
example, one of the mitigations listed is “Establish how you will want to
monitor supplier adherence to requirements”. In other words, while it’s all
well and good to require vendors (through contract language or other forms of
commitment like a letter) to take certain steps, you need to have in place a
program to regularly monitor that they’re taking those steps.
We need to
ask “What is the risk for which this is a mitigation?” The answer would be
something like “The risk that a vendor will not adhere to its commitments regarding cyber security”.
This is one of the risks you may want to add to your list of risks that need to
be considered in your CIP-013 supply chain cyber security risk management plan.
You can get a lot more by going through the documents I just listed.
So – in the
absence of a list being included in Requirement CIP-013 R1.1 itself, and in the
absence of any comprehensive, industry-tailored list put out by an industry
group - this is one way to list the risks you need to assess in your CIP-013
supply chain cyber security risk management plan. The main point of this effort
is that you need to develop a list that comes as close to covering (at least at
a high level) all of the main areas of supply chain cyber risk as possible.
But I know there’s a question hidden in every NERC CIP compliance person’s heart when I bring this point up: If I develop a comprehensive list of risks, am I going to be required by the auditor to address every one of them? In other words, if my list includes Risk X, but I decide this risk isn’t as important as the others, so I won’t invest scarce funds in mitigating it, am I going to receive an NPV for not mitigating it?
And here’s
where Uncle Lew comes to the rescue. He points out “You are not expected to
address all areas of supply chain cyber security. You have the freedom, and the
responsibility, to address those areas that pose the greatest risk to your
organization and to your high and medium impact BES Cyber Systems.” There are
two ways you can do this.
The first
way is that you don’t even list risks in the first place that you believe are
very small in your environment. For example, the risk that a shipment of BCS hardware will
be intercepted and then compromised during a hurricane emergency is very low
for a utility in Wyoming, while it might be at least worth considering for a
utility in South Carolina. The former utility would be justified in leaving it
off its list altogether, and doesn’t need to document why it did that. Any risk
that has almost zero probability doesn’t need to be considered at all – there are
certainly a lot more that have much greater than zero probability!
The second
way in which you can – quite legally – prune your list of risks to a manageable
level is through the risk assessment process itself. R1.1 requires that you
“assess” each risk. What does that mean? It means that you assign it a risk
level. In my book, this means you first determine a) the likelihood that the
risk will be realized, and b) its impact if it is realized. Then you combine
those two measures into what I call a risk score.
Once you’ve assessed
all your risks, you rank them by risk score. And guess what? You now need to
mitigate the highest risks on the list. You can also mitigate some risks below
these (perhaps mitigate them to a lesser degree), but in any case there will be
some level on your risk list below which you won’t even bother to mitigate the
risks at all. And you don't have to justify this by saying anything more than "We decided that the threats whose risk scores are lower than this level will not be mitigated, due to our not having enough funds to mitigate them."
Will you get
into trouble for not mitigating the risks at the bottom? No. As Lew said, you
need to “address those areas that pose the greatest risk to your organization
and to your high and medium impact BES Cyber Systems.” The direct implication
of these words is that you don’t need
to address the risk areas that pose the least risk.
Why are you
justified in not mitigating all of the risks listed in your supply chain cyber
security risk management plan? Because no organization on this planet (or any
other planet I know of) has an unlimited budget for cyber security. Everyone
has limited funds, and the important thing is that you need to allocate them
using a process that will mitigate the most risk possible. That process is the
one I just described (at a very high level, of course).
You may
notice that this is very different from the process to mitigate risk that is implicit
in all of the other NERC standards, as well as the majority of requirements for
the CIP standards. That process – a prescriptive one – tells you exactly what
needs to be done to mitigate a particular risk, period. You either do that or
you get your head cut off.
For example,
in CIP-007 R2, you need to, every 35 days, contact the vendor (or other patch source)
of every piece of software or
firmware installed on every Cyber
Asset within your Electronic Security Perimeter(s), to determine a) whether
there is a new patch available for that software, and b) whether it is applicable
to your systems. Then, 35 days later, you need to either install the patch or
develop a mitigation plan for the vulnerability(ies) addressed by the patch. It
doesn’t matter if a particular system isn’t routably connected to any others,
or if the vendor of a particular software package has never issued a security
patch in 20 years; you still need to check with the vendor every 35 days. You can’t
have two schedules, say every 15 days for the most critical systems and those
routably connected to them, and quarterly for all other systems. Needless to
say, if CIP-007 R2 were a risk-based requirement like CIP-013 R1.1 (or CIP-010
R4 or CIP-003 R2, for that matter), you would have lots of options for
mitigation, not just one.
As an aside,
I do want to point out here that in CIP you never have complete freedom to
choose how you will mitigate a particular risk, even when the requirement
permits consideration of risk, for two reasons:
2. If
you’re using a mitigation different from the one normally used – e.g. you’re
not using patch management to mitigate the threat of unpatched software
vulnerabilities, or you’re not using antivirus or application whitelisting software to
mitigate the threat of malware – you can rightfully be asked to justify why you
took an alternative approach.
A final
question you might ask about identifying risks for R1.1 is “Where do I draw the
line? You said that I can draw a line through the ranked set of risks, so that
all risks below that line don’t need to be mitigated at all. Where do I do that, and how do I justify this to the auditor?"
Of course, if you organization has allocated $X to supply chain security, and you have determined that this amount will cover mitigation of say the top ten supply chain threats on your list, you should point this out as justification for not mitigating threats 11 and below. But what if your utility is particularly short on cash this year - say there has been a natural disaster, for which it's very possible you won't get rate relief - and you only have funds available to mitigate say the top three threats on the list? And further suppose that threats 4-6 on the list pose fairly high risk, and you would definitely want to mitigate these if you could? Could the auditor give you a Notice of Potential Violation for this? And will your mitigation plan for this violation require that you to go back and get more funds to address these risks, by threatening your management with multi-million dollar fines if they don't cough up the funds?
Of course, if you organization has allocated $X to supply chain security, and you have determined that this amount will cover mitigation of say the top ten supply chain threats on your list, you should point this out as justification for not mitigating threats 11 and below. But what if your utility is particularly short on cash this year - say there has been a natural disaster, for which it's very possible you won't get rate relief - and you only have funds available to mitigate say the top three threats on the list? And further suppose that threats 4-6 on the list pose fairly high risk, and you would definitely want to mitigate these if you could? Could the auditor give you a Notice of Potential Violation for this? And will your mitigation plan for this violation require that you to go back and get more funds to address these risks, by threatening your management with multi-million dollar fines if they don't cough up the funds?
It’s
interesting that you bring this up, since I have considered this question a
good deal myself. I think the answer is that it all gets down to reasonableness.
If you can demonstrate to the auditor that your organization really can’t
afford to spend more on supply chain cyber security risk mitigation, they will
hopefully agree this is a reasonable request.
I realize that stating that the auditors will "hopefully agree this is a reasonable request" might cause some of you to laugh cynically, and think that the CIP-013 approach may not be such a great thing after all. But think about what would happen if we were talking about CIP-007 R2 instead. Suppose you were suffering from the same financial constraints, and you decided that you'd have to cut back on the resources devoted to patch management, meaning you'd have to check for new patches once a quarter, not every 35 days. Do you think you'd get a pass on that, even if the auditor personally considered this to be a reasonable request?
I really doubt it. Reasonableness isn’t something an auditor is allowed to consider when auditing a prescriptive requirement (unless we’re talking about a reasonable interpretation of a particular term in the requirement, or something technical like that); on the other hand, it’s inherent in the idea of a risk-based requirement.
I really doubt it. Reasonableness isn’t something an auditor is allowed to consider when auditing a prescriptive requirement (unless we’re talking about a reasonable interpretation of a particular term in the requirement, or something technical like that); on the other hand, it’s inherent in the idea of a risk-based requirement.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
My offer to NERC entities of a free webinar workshop on
CIP-013, described in this
post, is still open! Let me know (at the email address below) if you would like
to discuss that, so we can arrange a time to talk.
Nice blog... This blog post share very important and helpful information on NERC CIP compliance. Thanks for sharing
ReplyDelete