Thursday, March 28, 2019

A contradiction in CIP-013: the rerun



While looking for another post today, I ran across this one, and I’ve just reread it. Other than looking like a ransom note (I used to have weekly fights with Blogger, the software behind Blogspot, because it seemed to pick different fonts at random in different places; it has calmed down now, although I still have a few problems), I think it’s still very valid.

Of course, the contradiction described in this post will remain between the requirements in question (CIP-013-1 R1.2.5 and CIP-010 R1.6). And this is the starkest illustration I know of the difference between a risk-based requirement and a prescriptive one. I’m afraid the latter will win out here, of course. In other words, you’d better be prepared to show you verified integrity and authenticity of every patch for every Medium or High impact BES Cyber System, regardless of the degree of risk it poses for the BES, or for that matter the degree of risk posed by the vendor – even though R1.2.5, as well as the rest of CIP-013, not only allows but practically requires you to take account of risk.

Of course, this isn’t an accident, since FERC in Order 829 directed that the new supply chain security standard be risk-based. And in doing so, they saved NERC from itself, since there is literally no way that all supply chain risks to the BES could be addressed with a prescriptive standard (NERC’s usual modus operandi, of course). Otherwise, NERC entities would probably have to spend about the entire US GDP on CIP-013 compliance (with a small chunk of that still going to CIP-002 through CIP-011 and CIP-014 compliance, of course).


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.
