While looking for another post today, I ran across this one. I’ve just reread it. Other than looking like a ransom note (I used to have weekly fights with Blogger, the software used by Blogspot, because it seemed to randomly choose different fonts at different places. Now it seems to have calmed down, although I still have a few problems), I think it’s still very valid.
Of course, the contradiction described in this post will remain between the requirements in question (CIP-013-1 R1.2.5 and CIP-010 R1.6). And this is the starkest illustration I know of the difference between a risk-based requirement and a prescriptive one. I’m afraid the latter will win out here, of course. In other words, you’d better be prepared to show you verified integrity and authenticity of every patch for every Medium or High impact BES Cyber System, regardless of the degree of risk it poses for the BES, or for that matter the degree of risk posed by the vendor – even though R1.2.5, as well as the rest of CIP-013, not only allows but practically requires you to take account of risk.
Of course, this isn’t an accident, since FERC in Order 829 directed that the new supply chain security standard be risk-based. And in doing so, they saved NERC from itself, since there is literally no way that all supply chain risks to the BES could be addressed with a prescriptive standard (NERC’s usual modus operandi, of course). Otherwise, NERC entities would probably have to spend about the entire US GDP on CIP-013 compliance (with a small chunk of that still going to CIP-002 to CIP-011 and CIP-014 compliance, of course).
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.