Two weeks ago, I wrote a post pointing out a unique opportunity to anybody in or associated with the North American electric power industry. This opportunity is to join the Supply Chain Working Group (SCWG) of the NERC CIPC. The bar to joining is pretty high, though: You have to be a user of electricity in North America. No others need apply.
The post is a little long-winded (imagine that!), although I still recommend you read it. But here is a Cliff Notes version, which I’ve augmented since I realize I left out an important consideration: Joining the SCWG provides you the opportunity to do your job better, if you’re involved with helping a NERC entity come into compliance with CIP-013:
- I like CIP-013 a lot because it states up front exactly
what it’s about. The purpose of CIP-013 (stated in Section 3) is “To
mitigate cyber security risks to the reliable operation of the Bulk
Electric System (BES) by implementing security controls for supply chain
risk management of BES Cyber Systems.” And R1.1 clarifies that by saying the
entity needs to develop a plan “to identify and assess cyber security
risk(s) to the Bulk Electric System from vendor products or services
resulting from: (i) procuring and installing vendor equipment and
software; and (ii) transitions from one vendor(s) to another vendor(s).”
- That’s the good news. The bad news is… that’s all there is. There’s
no list of risks that you need to consider in your plan, and there’s no
list of actions you can take to mitigate those risks (the exception to
this is R1.2, which lists six mitigations that you have to include in your
plan. These are there because FERC ordered they be included in Order
829). Where can NERC entities get that information?
- I discussed various possibilities for this in my first
post on the SCWG, but the bottom line is that there isn’t going to be any “official”
list of risks and mitigations for you to consider including in your CIP-013
plan – just disjointed guidance from one group or another. However, I’m
quite pleased with the way the SCWG is already quickly turning into the
crowdsourced implementation guidance provider for CIP-013. Since their
white papers are from the people in the trenches, what they produce will
be both authoritative and useful, and its value will increase with each person
who joins the discussions.
- As I mentioned in the first post, there are five
sub-groups in the SCWG, each developing a white paper that deals with an
important area of supply chain security (I’m leading one of those groups,
dealing with the “supply chain risk management lifecycle”). The groups are
starting to have web meetings, and based on the first of those meetings
that I attended last week, I can say they will be extremely useful – both
to the industry, because there is some really good discussion and debate
going on that is likely to result in very useful guidance, and to the
people who participate, because they will take home a lot of good
information that will help them develop their CIP-013 plans.
- And how are these groups providing guidance? They may not
all know it yet, but I predict they will all be providing discussions of
a) risks that apply in the particular area they’re addressing, and b) mitigations
that can be applied for those risks. That is, exactly what I just said is
needed!
- I’ve become a big fan of crowdsourced intelligence, mainly
because of Yelp. I travel a lot, and usually rely on Yelp to point me to
good (and inexpensive) restaurants. I can truthfully say I have never
eaten at a restaurant that was near the top of the Yelp search that led me
to it, that wasn’t good. When you have so many people contributing reviews
(although I’ll admit I’ve almost never done that. Hey, freeloading is a
time-honored tradition!), they’re just not going to be all wrong. I feel
the same about the SCWG sub-groups: the more people that give input to the
papers they write, the more useful and high-quality they will be. And
meanwhile, those people will benefit tremendously from the discussions
(since a lot more is said on the phone than will ever make it into the
white papers).
So if you would like to join the SCWG, drop me an email at tom@tomalrich.com, and I’ll get this to Tony Eddleman of NPPD (the chairman) and Tom Hofstetter of NERC (the NERC facilitator). They will put you on the list, and get you invitations to the upcoming sub-group meetings (including the first meeting of my group, at 12 PM Eastern Time this Wednesday) as well as to the monthly phone calls for the whole group.
I’d like you to email me rather than Tony and Tom directly, since I don’t want
to inundate them with separate emails. I sent them seven names just today, and
I did that with four or five separate emails, since I thought each person who
emailed me was probably the last for the day. I’d like to consolidate them and
send them just one or two emails a day, since they both have day jobs (and
Tony, who’s with the Nebraska Public Power District, is helping deal with the
consequences of the severe flooding in that state).
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that
if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or
challenges like what is discussed in this post – especially on compliance with
CIP-013. To discuss this, you can email me at the same address.