I’ve been saying for a while that the biggest flaw in CIP-013 is that it doesn’t provide a list of risks (or threats, as I prefer to call them, following NIST 800-30) that need to be addressed in the supply chain cyber security risk management plan required by R1.1. Because there is no list provided – beyond a very high-level list of three or four types of risk that need to be addressed – it is up to each entity to decide a) what are the most important supply chain threats that apply to the electric utility industry, and b) which of those pose the most risk to their own BES Cyber Systems. Their plan needs to describe how they identified the highest risks, and how they will mitigate them.
The problem is that it isn’t an easy task to look through the literature and identify the most important risks the industry faces. Larger utilities might have the staff to do this type of work, but smaller utilities definitely don’t. This is why I said a year and a half ago, in relation to CIP-013 R3, that there should be an industry body tasked with identifying threats that NERC entities would consider in developing their CIP-013 plans. This body would publish periodically (at least annually) a list of cybersecurity threats to the power industry (and specifically to BES Cyber Systems). NERC entities would need to annually determine which of these threats posed significant risk to their BCS, and would next need to develop a supply chain cyber security risk management plan to mitigate those risks.
So if an industry body developed a list of supply chain cyber security threats (or risks, to use CIP-013’s term) that are important to the electric power industry, this list could well provide the starting point for the supply chain cyber security risk management plan required by CIP-013 R1.1 (which I’ll call the “CIP-013 plan” from now on). This definitely doesn’t mean that NERC entities would have to mitigate all of the threats on the list, since a) some won’t apply to some utilities and b) some will be determined to carry low enough risk to a particular utility that no mitigation is called for.
Of course, if a utility has an unlimited budget for supply chain cyber security risk mitigation, they can mitigate every threat on the list, no problem. However, those that don’t have an unlimited budget have to spend the budget they have where it will do the most good. It will do the most good if they identify the threats that pose the highest risk, and develop a plan to mitigate those threats. In fact, I think that all of the CIP standards should work this way.
However, creating an official body to identify threats for NERC entities to consider in their CIP-013 plans, along with the required changes to CIP-013 itself, would take years to accomplish. This does nothing to solve the current problem of complying with CIP-013-1.
So if there isn’t going to be an industry body that officially tells NERC entities what threats they should consider in developing their CIP-013 plans, what’s plan B? In the middle of last year, I (and a few others) started talking about an existing industry group (i.e. not part of NERC) doing that, although “industry groups” might be a better term. I was hoping that the trade associations could be convinced to identify the most important supply chain cyber security threats that their members were likely to face. Of course, no NERC entity would be compelled to even read the threat list put out by their trade organization, let alone act on it. But for many (and probably most) entities, it would be a big help to have a list that would give them a good start for developing their CIP-013 plans. As it stands now, there is no obvious starting point for them.
I’m not discussing some sort of theoretical problem. I’m now working with two NERC entities on long-term projects to implement CIP-013 compliance, and have started both projects with workshops where we discuss the issues and the best way to proceed. It has readily become apparent that the two biggest tasks – which the entity has to take ultimate responsibility for – are to a) identify the threats they will consider in their CIP-013 plan; and b) estimate the risk that each threat poses to their environment, so they can focus their mitigation efforts on the threats that pose the highest risk. Both of these entities (one large and one medium-sized) would benefit from having an industry group that would consider supply chain security threats and let the industry know about threats that it deems important for NERC entities to consider for mitigation in their CIP-013 plans. However, until a few days ago I saw no hope that any industry body might be willing to take up this task.
What changed my mind was learning earlier this week that a new group I have been nominally part of for more than a month (although I’ve only been able to attend one phone meeting of theirs so far) seems to see the need for identification of important supply chain threats, and is going to start that effort next Wednesday. This is the NERC Supply Chain Working Group, which is “chartered” by the NERC CIPC (the industry group that oversees all NERC cyber security activities; the CIPC’s duties include following – but not having any direct role in – the development of new CIP standards and requirements).
In their agenda for their first onsite meeting under their new chairman, Tony Eddleman of the Nebraska Public Power District, the SCWG lists five papers they want to write, each one focused on a particular area of supply chain security:
ii. Considerations for secure hardware delivery
iii. Considerations for establishing provenance of systems and components
iv. Considerations for threat-informed procurement language
v. Considerations for supply chain risk management lifecycle (assessments & reassessments, external dependencies, concluding supplier relationships)
vi. Considerations for unsupported or open-source technology
Note: I deliberately omitted item i on the team’s list, which is “Supply Chain risks related to cloud service providers”. While this is an important topic for NERC entities nowadays, I don’t call this a CIP-013-related task. CIP-013 currently only applies to BES Cyber Systems, but the CIP standards effectively forbid entities from implementing actual BES Cyber Systems in the cloud – for example, outsourced SCADA (at least, this applies to Medium and High impact BCS. There’s currently nothing to prevent entities from implementing Low impact BCS in the cloud). However, a growing number of NERC entities is storing information on BCS (BCSI) in the cloud, as part of outsourced services like configuration management. But CIP-013 doesn’t apply to BCSI.
Of course, these are only five areas of threats within the universe of supply chain security threats; I’m sure that a complete overview of supply chain security threats would require ten or more additional papers. But all five are difficult topics, and I commend the committee for taking these on; maybe they will be persuaded to tackle the others later.
But this is where the title of this post comes in. The SCWG is open to all, whether or not you work for a NERC asset owner (you do have to be a user of electricity, but I’m not sure how you’re reading this post if you’re not!). Their meeting next week is in Pittsburgh, in conjunction with the CIPC’s quarterly meeting there, but there will also be a webinar for those who can’t be there in person (I unfortunately can’t do either, since that is the day I’m participating in a panel at the RSA Security Conference whose topic is... what else?... supply chain security for the energy industry).
Whether or not you can attend next week’s meeting, if you would like to participate in the SCWG and have a hand in writing one or more of these papers, drop an email to Tony at tdeddle@nppd.com. Fame and fortune surely await you[i]!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.
[i] However, I’m not liable if you don’t earn fame or fortune from this. What you will earn is a good feeling that comes from helping a) the industry and b) your own organization as they address the issue of supply chain security, which I believe is easily the biggest worldwide cyber security threat of our time.