Lew Folkerth of RF published an article about CIP-013 in December in the RF newsletter, which I wrote about in this post and in this one. In that article, Lew said that the supply chain cyber security risk management plan required by CIP-013 R1.1 needs to demonstrate that it achieves the objective(s) of the standard. And what are they? In his article, Lew repeated the four objectives that FERC had outlined, both in their Order 829 of June 2016 that required NERC to develop a supply chain security standard and in Order 850 of last October, which approved CIP-013. These objectives are:

1. Software integrity and authenticity;
2. Vendor remote access protections;
3. Information system planning; and
4. Vendor risk management and procurement controls.
However, being very bright (and to prove that’s true, my mother always said I was bright!) and an astute reader, I pointed out that there’s an even simpler statement of CIP-013’s purpose, in Section 3 near the beginning of the standard: “To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems.” I pointed out that all of FERC’s four items are included in this statement, so I thought this should really be the objective that entities must achieve in their plan(s).
But, after having done some pretty intensive reading of various documents having to do with CIP-013 and supply chain security, I came to realize that FERC’s statement is pretty good after all, and has the advantage of at least providing some substance to the meaning of the words “cyber security risks” in the Purpose statement. In other words, the Purpose statement is pretty broad, and doesn’t provide a lot of guidance to the entity in developing the plan, or to the auditor in auditing it. With FERC’s four things, the auditor has at least something to go on in the audit, while at the same time the entity has a (very) broad outline of what its plan needs to address. So I am now fine with Lew’s statement that FERC’s four objectives constitute the purpose of CIP-013.
Of course, these four things are far from being a roadmap to compliance with CIP-013! Lew’s article does give some clues to that roadmap as well, which I elaborated on in the two posts already linked. I’ll continue to elaborate on the roadmap in the next post in that series. But I do want to point out now that these four items don’t have equal standing, in my opinion. The last two constitute the two broad areas of risk that must be addressed in the supply chain risk management plan, while the first two are simply two of the individual risks that are included under the third objective. So FERC’s four objectives could be summarized by just listing the last two.
This all means that your CIP-013 R1.1 supply chain cyber security risk management plan must address risks of “information system[i] planning” and “vendor risk management and procurement controls”. And you need to show the auditors that your plan addresses both types of risk.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013; we also work with security product or service vendors that need help articulating their message to the power industry. To discuss this, you can email me at the same address.
[i] It’s unfortunate that FERC used the term “information system”, when they should really have said “control system” (although I initially thought there might be some significance to the fact that they did, as I discussed in this post after FERC issued Order 829 in 2016). Of course, NERC CIP doesn’t deal at all with information systems, whose purpose is to store and process information. The power grid, and other critical infrastructures, is controlled by control systems. These are what CIP protects.