Monday, March 25, 2019

Your chance to make history and learn valuable stuff at the same time!

Two weeks ago, I wrote a post pointing out a unique opportunity to anybody in or associated with the North American electric power industry. This opportunity is to join the Supply Chain Working Group (SCWG) of the NERC CIPC. The bar to joining is pretty high, though: You have to be a user of electricity in North America. No others need apply.

The post is a little long-winded (imagine that!), although I still recommend you read it. But here is a CliffsNotes version, which I’ve augmented since I realize I left out an important consideration: Joining the SCWG provides you the opportunity to do your job better, if you’re involved with helping a NERC entity come into compliance with CIP-013:

  1. I like CIP-013 a lot because it states up front exactly what it’s about. The purpose of CIP-013 (stated in Section 3) is “To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems.” And R1.1 clarifies that by saying the entity needs to develop a plan “to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).”
  2. That’s the good news. The bad news is… that’s all there is. There’s no list of risks that you need to consider in your plan, and there’s no list of actions you can take to mitigate those risks (the exception to this is R1.2, which lists six mitigations that you have to include in your plan. These are there because FERC ordered in Order 829 that they be included). Where can NERC entities get that information?
  3. I discussed various possibilities for this in my first post on the SCWG, but the bottom line is that there isn’t going to be any “official” list of risks and mitigations for you to consider including in your CIP-013 plan – just disjointed guidance from one group or another. However, I’m quite pleased with the way the SCWG is already quickly turning into the crowdsourced implementation guidance provider for CIP-013. Since their white papers are from the people in the trenches, what they produce will be both authoritative and useful, and its value will increase with each person who joins the discussions.
  4. As I mentioned in the first post, there are five sub-groups in the SCWG, each developing a white paper that deals with an important area of supply chain security (I’m leading one of those groups, dealing with the “supply chain risk management lifecycle”). The groups are starting to have web meetings, and based on the first of those meetings that I attended last week, I can say they will be extremely useful – both to the industry, because there is some really good discussion and debate going on that is likely to result in very useful guidance, and to the people who participate, because they will take home a lot of good information that will help them develop their CIP-013 plans.
  5. And how are these groups providing guidance? They may not all know it yet, but I predict they will all be providing discussions of a) risks that apply in the particular area they’re addressing, and b) mitigations that can be applied for those risks. That is, exactly what I just said is needed!
  6. I’ve become a big fan of crowdsourced intelligence, mainly because of Yelp. I travel a lot, and usually rely on Yelp to point me to good (and inexpensive) restaurants. I can truthfully say I have never eaten at a restaurant that was near the top of the Yelp search that led me to it, that wasn’t good. When you have so many people contributing reviews (although I’ll admit I’ve almost never done that. Hey, freeloading is a time-honored tradition!), they’re just not going to be all wrong. I feel the same about the SCWG sub-groups: the more people that give input to the papers they write, the more useful and high-quality they will be. And meanwhile, those people will benefit tremendously from the discussions (since a lot more is said on the phone than will ever make it into the white papers).

So if you would like to join the SCWG, drop me an email at tom@tomalrich.com, and I’ll get this to Tony Eddleman of NPPD (the chairman) and Tom Hofstetter of NERC (the NERC facilitator). They will put you on the list, and get you invitations to the upcoming sub-group meetings (including the first meeting of my group, at 12 PM Eastern Time this Wednesday) as well as to the monthly phone calls for the whole group. I’d like you to email me rather than Tony and Tom directly, since I don’t want to inundate them with separate emails. I sent them seven names just today, and I did that with four or five separate emails, since I thought each person who emailed me was probably the last for the day. I’d like to consolidate them and send them just one or two emails a day, since they both have day jobs (and Tony, who’s with the Nebraska Public Power District, is helping deal with the consequences of the severe flooding in that state).


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.
