After my last post, I received emails from a couple of people who understand NERC CIP very well. They were disturbed that I seemed to be saying we should throw away mandatory cybersecurity standards for the power sector altogether, due to the huge cost of compliance with CIP. Rest assured, I'm not saying that. I think mandatory standards are absolutely essential, since – as everyone admits – the only sure-fire way to get adequate funding for cybersecurity in almost any organization is if there are mandatory standards in place.
However, I think it's possible to design standards that wouldn't lead to the majority of total industry spending on CIP going to activities that have little to no impact on security, but which are required for compliance – as an informal "poll" that I have been taking over the past few years leads me to believe is the case today. In fact, we have such a design in front of us. CIP-013-1, while certainly not perfect, comes very close to being my model for how all of the CIP standards should be rewritten.
But the fact that it is so economically inefficient is just one of five problems that I see with the current CIP standards regime (i.e. the standards currently in effect). I have mentioned all of these problems in posts at various times in recent years, but I have never written about them together in one place. Last summer, I got about two thirds of the way through a book that tries to do that, as well as propose a solution. However, since then I've been too busy to finish it.
Last spring I was fortunate enough to be asked by the editor of Cybersecurity: A Peer-Reviewed Journal (a UK-based publication) to write an article for this year's journal, which is actually published in quarterly 100+-page editions. I chose the topic of "How can we effectively regulate grid security?" The article describes – at a very high level, of course – the five problems I see with the current NERC CIP compliance regime (which includes more than the standards themselves), and very briefly outlines how I'd address them.
I'd love to be able to finish my book so I can fill in the details on these topics, but at the moment I feel that putting food on the table is more important (I have this funny thing about food…).[i] Fortunately, I just reread the article and I think it provides a very good summary of what I will say in the book – in about 1/25 of the space!
Going by the articles from previous years that I was provided as samples, the journal publishes very high-quality work; so you may feel you would like to invest the $295 to subscribe for this year (there is no online version). However, if you don't want to do that (or you'd like to try before you buy), I was given permission to make my article available a month after it was published, which was last month. I'm now doing that (using a proof copy I was sent).
Since I can't attach PDFs to this blog (only JPEGs, and I've only done that once), I need you to drop me an email at tom@tomalrich.com if you would like to read the article (it's 10 pages). I promise that no salesman will email you back and I'll send it to everybody who asks, whether or not you're a competitor to my huge consulting business (however, if you work for a Russian or Chinese state-sponsored organization, I won't send it to you – although I don't expect anybody from one of those organizations to send me an email from their official account! Of course, there's nothing in the article that could in any way guide attacks on the North American power grid).
And I'd like to hear comments on the article! I think it's becoming more relevant all the time, especially since NERC needs to soon make some pretty fundamental decisions about what they want CIP to be when it grows up. I hope to have a post out on that subject within a couple of weeks.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you're a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.
[i] I've also decided that I would like to put out a book on supply chain cybersecurity risk management and CIP-013, before I go back to the other book. This one will be much easier to write, since I'm currently "writing" it as part of my work (at the moment all of my work is on CIP-013).