I want to repeat again (and I’m not being redundant. I mean this is the third post where I’ve said it) that anyone seriously involved in CIP-013 compliance should run, not walk, to join the Supply Chain Working Group of the NERC CIPC. Membership is open to anyone with an interest in CIP-013 or supply chain security, or both (and I know there are at least a few members who aren’t involved with the electric utility industry at all, but are very interested in supply chain cyber security). Just drop me an email at the address below, and I’ll forward your name to the two people in charge of the group, Tony Eddleman of NPPD and Tom Hofstetter of NERC. I know that as of late last week there were over 120 members, and there are more now, I’m sure. To put this in perspective, my guess is most subcommittees of the NERC CIPC (which is what the SCWG is) don’t have more than 10-20 members, so this is certainly some sort of record.
And why am I so interested in getting more members, when there are already so many? Two reasons. First, because I would like to see the whole industry’s awareness of supply chain risk management (SCRM) best practices increase. I feel that will especially help establish a consensus among NERC entities and auditors as to what the requirements mean and how to comply with them. This is badly needed, since right now interpretations of CIP-013 are all over the map. A consensus will allow entities to focus primarily on supply chain security and only secondarily on worrying how the standard will be audited.
The focus of the SCWG now is the sub-groups. There are five sub-groups, each of which is preparing a short white paper (or three short white papers, as the group I’m leading will probably do) on a different aspect of supply chain cyber security. Three of those groups had meetings last week and this week, and they’re all planning on weekly meetings for the near future; the other two groups will start to have meetings next week, I believe. I’ve attended two of these meetings (and will attend another tomorrow), and led two of them as head of the supply chain risk management lifecycle group.
I can attest that all of these meetings have been really excellent, with lots of people volunteering what they know about the topic. For example, there’s a group led by George Masters of SEL, called “Considerations for unsupported or open-source technology”, which is addressing the questions of third-party (and fourth-, fifth-, sixth-, etc. party) components of commercial software platforms, as well as open-source components. It is really good, with a lot of contribution by people who know different aspects of the subject (and nobody knows it all, of course, even George).
My group isn’t too shabby, either. Our two meetings have both included about 25 people, including (at least in this week’s meeting) four vendors – and I can see that having vendors in a supply chain discussion is really helpful. We’ve decided that we will write three white papers (all 2-3 pages), not just one, since we realized there are at least three lifecycles we wish to discuss:
- The supply chain security risk management lifecycle itself. I believe this paper will follow somewhat along the lines of what Lew Folkerth of RF has been writing (and Lew has been in both of our meetings. I hope he can continue, since he has been a big help).
- The vendor risk management lifecycle. We had a really good discussion this week on topics like vendor questionnaires and contract language, and we’ll continue that (with other topics) next week.
- The product risk management lifecycle. We haven’t discussed this very much so far, but I’m sure it will be much more defined in a month or so.
All of the groups will present and discuss their white papers at a meeting held before the NERC CIPC meeting in Orlando (although location is still officially TBD) in early June (I think it will be Tuesday morning, June 4). I believe the meeting will be webcast by NERC, but you might want to come onsite and also attend the CIPC meeting (you have to register for that, of course. Registration isn’t available yet) – and those have been getting better all the time.
The topics of the five sub-groups are:
- Considerations for secure hardware delivery
- Considerations for establishing provenance of systems and components
- Considerations for threat-informed procurement language
- Considerations for supply chain risk management lifecycle
- Considerations for unsupported or open-source technology
The white papers for all the groups except mine address a particular area of supply chain security risk (and they’re all meaty topics, with lots of nuances to understand). While I’m not sure that the leaders would all agree with me now, I think it’s inevitable that each group will end up providing two types of compliance “guidelines” for their particular risk area. One is ideas for risks that you should consider in your supply chain cyber security risk management plan; the other is possible mitigations for those risks.
But let’s make it clear: None of these groups, including mine, is providing “interpretation” – nor will the SCWG as a whole. The standard doesn’t need interpretation, since it’s very simple: Develop a supply chain cyber security risk management plan (R1). Implement the plan (R2). Review the plan every 15 months (R3). The question really is, what should a good plan contain? Specifically, what are risks that an entity should consider including in its plan, and what are possible ways of mitigating those risks? The white papers will provide suggestions on those topics, based on our discussions in these meetings.
At 2-3 pages each, the papers will have to treat one idea very well, and other ideas much less or not at all. Even though I wasn’t at the meeting where the SCWG decided to write small white papers, I think it was a good decision. I’d much rather read three short papers discussing one idea each, than one longer paper discussing three ideas. The author will be able to write much more clearly, and the reader will be able to retain that better.
But I can assure you that the meetings are each covering 5-10 ideas at least, and those ideas will probably change every week. In my group at least, I’m deliberately not worrying about the white papers yet. I’d much rather see what comes out of the weekly discussions for the next month, and then look through the notes for all that (my notes for last week’s meeting were four pages long, and this week’s will probably be at least that). My feeling is that after all this discussion, the ideas that should be addressed in the papers will emerge on their own, and the papers will pretty much write themselves.
This is why you should join the meetings now, rather than just read the white papers when they’re published in June. You will only hear the ideas that are raised in the meetings but don’t make it into the papers themselves if you’re at the meeting. Even the minutes will at best be a pale reflection of the meeting itself (trust the man who’s written one!).
And now I’ll get to the second reason why I’m so interested in getting new members: There’s a real virtuous cycle here. The more participants there are, the better the conversation is. And the better the conversation, the more participants there will be.
So send me an email at the address below if you’d like to join us. I’ll consolidate these and forward them to Tom Hofstetter and Tony Eddleman, who have proven more than willing to bring new sheep into the fold.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.