Nowadays, I try to avoid multi-part posts, since it seems that most of the time I never deliver all of the parts I promised. But I think I might actually do that this time, since I want to tell you about three documents that should be quite interesting to anybody trying to figure out how they can put together a good supply chain cyber security risk management plan – either to prepare for CIP-013 compliance or just because they know their organization needs to have one anyway.
I often say nowadays that threats through the supply chain are the number one source of cyber security threats, for just about any industry – I say it because I believe it’s true. And it’s especially true for the electric power industry, since our good friends the Russians have figured out that the supply chain is the soft underbelly of the US grid. They may have actually gotten into the grid itself this way (as the CIA and FBI have said), although we haven’t yet gotten up the nerve to find out whether or not this actually happened. It seems we don’t want to be impolite, or something like that.
And of course, another reason why supply chain security is very important for the power industry is that the NERC CIP-013 standard will come into effect in about 15 months, which isn’t very long considering what has to be done (especially by larger utilities). Besides currently working full time on CIP 13 in my day job, I’m also very involved with the Supply Chain Working Group of the NERC CIPC, which has formed five sub-groups to write white papers on various aspects of supply chain security/CIP 13 compliance (and believe it or not, with CIP 13, security literally equals compliance and vice versa. As everyone in the industry knows, this is very far from being the case with the other CIP standards).
I’m in charge of one of those sub-groups that’s looking at the vendor risk management lifecycle. We’ve been ranging far afield, looking for ideas that we can bring back to the industry in our white paper. I’ve known for two or three years that the medical device industry already had mandatory supply chain cyber regulations in place, so I invited a former colleague of mine, Nick Sikorski of Deloitte, to talk to our group a couple weeks ago about what hospitals do to secure their medical device supply chain.
Nick has been working in this area for maybe four or five years and is quite knowledgeable about it, so he didn’t disappoint. Everyone in the meeting found what he said to be quite interesting, and the questions went on for half an hour or so[i]. Plus Nick provided us with three really interesting documents, which seem to hold a lot of ideas for what the power industry could be doing in supply chain security. I was thinking I might discuss all of this in one longish post, but after going through the documents I realized that each one could be the subject of its own post.
First some background: For five or six years, the US Food and Drug Administration (FDA) has published mandatory guidance for cyber security of medical devices sold to hospitals (and sometimes provided to patients by the hospitals, such as pacemakers). You might think that “mandatory guidance” is an oxymoron, like “British cuisine” or “jumbo shrimp”. Either it’s mandatory or it’s guidance, but it can’t be both. However, the FDA has a unique position among regulators; it needs to approve medicines and medical devices for sale in the US. A device maker that wants to be able to sell their product here would be very well advised to follow the FDA’s “voluntary” guidance (and of course the FDA publishes guidance in many areas besides cyber security, and not just for medical devices).
The biggest difference between the FDA’s guidance and CIP-013 is that the former applies to the vendors, not to the end users (which in this case are hospitals). It would be nice if there could be direct regulation of power industry vendors, but since neither NERC nor FERC has any jurisdiction over vendors, this isn’t possible. The industry is left with the situation where a large part of the effort required for CIP-013 compliance depends for its success on getting vendors to do certain things, but in the end the electric utilities are on the hook for compliance, not the vendors. The hospitals aren’t in the same situation.
But this doesn’t mean utilities can’t learn a lot from what hospitals have done to help them secure their supply chains. Perhaps the poster child for this is the Manufacturer Disclosure Statement for Medical Device Security[ii] or MDS2. It’s been around since 2013 (although a successor is being developed now). It was drawn up by the hospitals (not the FDA), and I believe it is filled out religiously by most (all?) medical device makers. In fact, if you Google the name of the document, you’ll find some filled-out forms from vendors like GE Healthcare.
The document is an Excel spreadsheet with about 150 questions divided among 20 categories. Some sections don’t have relevance to CIP 13, since they deal with data privacy (and privacy isn’t a concern for control systems. Of course, data privacy is different from confidentiality of BES Cyber System Information, which is quite definitely a concern of the CIP standards, although not so much of CIP 13). But other sections are quite relevant, such as “System and Application Hardening” and “Security Capabilities”.
I think (almost) anyone involved in CIP 13 compliance should find these questions interesting. Through my work on CIP-013 compliance so far, I have come to see a vendor questionnaire as a key component of a good SCCSRMP (I’ll let you guess what that stands for, although if you go to CIP 13 R1, I think you’ll find out). This is because it can be a great way to assess a vendor’s cyber program, without sending out a team of inspectors to each of say 50 vendors. Of course, it would be nice if some industry body would draw up an “official” questionnaire (as we’ve been discussing in my group) – and maybe that will happen, since at the same meeting where Nick spoke, Tobias Whitney of EPRI discussed a vendor questionnaire they’re currently drawing up, although he can’t provide a draft of it now.
But for the time being I would recommend that each entity draw up its own questionnaire. It should be based on the set of supply chain threats that you have “identified and assessed”, as called for in R1.1, then decided you would mitigate in your SCCSRMP; but it shouldn’t go beyond those. You shouldn’t just throw in a bunch of questions that sound like they’re good ones. If they don’t address threats you’ve chosen to mitigate in your plan, then you’re going to make vendors jump through hoops to answer a lot of questions, when you don’t really care about those answers.
Of course, your vendor might complain that they’re getting a bunch of different questionnaires thrown at them, and they might point you to some standardized description of their cyber security program for your answers (I know some vendors are doing this now. It’s certainly a good idea, but it probably isn’t going to answer all of the questions you need to ask, and more importantly it may be hard to actually get the answers that you need out of the general verbiage). It’s up to you to decide whether whatever answers you get from the vendor are adequate – and if you don’t think they’re being responsive with some of the questions, then you may want to consider the vendor to be high risk for those threats, and hence use appropriate mitigations. Because that’s really what the questionnaire is about – assessing the risk your vendor poses to BES security, as personified in your own little “corner” of the BES.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.
[i] This is just one example of the great discussions that my group – and the other four sub-groups of the SCWG – have been having on different aspects of supply chain security. If you want to join the SCWG, you should send me an email and I’ll forward it to the right people.
[ii] I’d like to provide a direct link to the document, but as soon as you click on the Google result, the document downloads – so I can’t capture the URL. You can get it by searching on “mds2 form hn 1-2013”, then clicking on the link that starts “HIMSS/NEMA Standard…”. You can find a “guidance” document on it at this link.
A retired NERC auditor pointed out to me that there is a direct link to the MDS2 spreadsheet. You just have to click "I agree".
https://www.nema.org/Standards/Pages/Manufacturer-Disclosure-Statement-for-Medical-Device-Security.aspx#download
The mystery auditor has let me use his name: It's Kevin Perry, former Chief CIP Auditor of the former SPP RE.