Thursday, April 4, 2019

The best resource for CIP-013 compliance



I want to repeat again (and I’m not being redundant. I mean this is the third post where I’ve said it) that anyone seriously involved in CIP-013 compliance should run, not walk, to join the Supply Chain Working Group of the NERC CIPC. Membership is open to anyone with an interest in CIP-013 or supply chain security, or both (and I know there are at least a few members who aren’t involved with the electric utility industry at all, but are very interested in supply chain cyber security). Just drop me an email at the address below, and I’ll forward your name to the two people in charge of the group, Tony Eddleman of NPPD and Tom Hofstetter of NERC. I know that as of late last week there were over 120 members, and there are more now, I’m sure. To put this in perspective, my guess is most subcommittees of the NERC CIPC (which is what the SCWG is) don’t have more than 10-20 members, so this is certainly some sort of record.

And why am I so interested in getting more members, when there are already so many? Two reasons. First, because I would like to see the whole industry’s awareness of supply chain risk management (SCRM) best practices increase. I feel that will especially help establish a consensus among NERC entities and auditors as to what the requirements mean and how to comply with them. This is badly needed, since right now interpretations of CIP-013 are all over the map. A consensus will allow entities to focus primarily on supply chain security and only secondarily on worrying how the standard will be audited.

The focus of the SCWG now is the sub-groups. There are five sub-groups, each of which is preparing a short white paper (or three short white papers, as the group I’m leading will probably do) on a different aspect of supply chain cyber security. Three of those groups had meetings last week and this week, and they’re all planning on weekly meetings for the near future; the other two groups will start to have meetings next week, I believe. I’ve attended two of these meetings (and will attend another tomorrow), and led two of them as head of the supply chain risk management lifecycle group.

I can attest that all of these meetings have been really excellent, with lots of people volunteering what they know about the topic. For example, there’s a group led by George Masters of SEL, called “Considerations for unsupported or open-source technology”, which is addressing the questions of third-party (and fourth-, fifth-, sixth-, etc. party) components of commercial software platforms, as well as open-source components. It is really good, with a lot of contribution by people who know different aspects of the subject (and nobody knows it all, of course, even George).

My group isn’t too shabby, either. Our two meetings have both included about 25 people, including (at least in this week’s meeting), four vendors – and I can see that having vendors in a supply chain discussion is really helpful.  We’ve decided that we will write three white papers (all 2-3 pages), not just one, since we realized there are at least three lifecycles we wish to discuss:

  1. The supply chain security risk management lifecycle itself. I believe this paper will follow somewhat along the lines of what Lew Folkerth of RF has been writing (and Lew has been in both of our meetings. I hope he can continue, since he has been a big help).
  2. The vendor risk management lifecycle. We had a really good discussion this week on topics like vendor questionnaires and contract language, and we’ll continue that (with other topics) next week.
  3. The product risk management lifecycle. We haven’t discussed this very much so far, but I’m sure it will be much more defined in a month or so.

All of the groups will present and discuss their white papers at a meeting held before the NERC CIPC meeting in Orlando (although location is still officially TBD) in early June (I think it will be Tuesday morning, June 4). I believe the meeting will be webcast by NERC, but you might want to come onsite and also attend the CIPC meeting (you have to register for that, of course. Registration isn’t available yet) – and those have been getting better all the time.

The topics of the five sub-groups are:

  1. Considerations for secure hardware delivery
  2. Considerations for establishing provenance of systems and components
  3. Considerations for threat-informed procurement language
  4. Considerations for supply chain risk management lifecycle
  5. Considerations for unsupported or open-source technology

The white papers for all the groups except mine address a particular area of supply chain security risk (and they’re all meaty topics, with lots of nuances to understand). While I’m not sure that the leaders would all agree with me now, I think it’s inevitable that each group will end up providing two types of compliance “guidelines” for their particular risk area. One is ideas for risks that you should consider in your supply chain cyber security risk management plan; the other is possible mitigations for those risks.

But let’s make it clear: None of these groups, including mine, is providing “interpretation” – nor will the SCWG as a whole. The standard doesn’t need interpretation, since it’s very simple: Develop a supply chain cyber security risk management plan (R1). Implement the plan (R2). Review the plan every 15 months (R3). The question really is, what should a good plan contain? Specifically, what are risks that an entity should consider including in its plan, and what are possible ways of mitigating those risks? The white papers will provide suggestions on those topics, based on our discussions in these meetings.

At 2-3 pages each, the papers will have to treat one idea very well, and other ideas much less or not at all. Even though I wasn’t at the meeting where the SCWG decided to write small white papers, I think it was a good decision. I’d much rather read three short papers discussing one idea each, than one longer paper discussing three ideas. The author will be able to write much more clearly, and the reader will be able to retain that better.

But I can assure you that the meetings are each covering 5-10 ideas at least, and those ideas will probably change every week. In my group at least, I’m deliberately not worrying about the white papers yet. I’d much rather see what comes out of the weekly discussions for the next month, and then look through the notes for all that (my notes for last week’s meeting were four pages long, and this week’s will probably be at least that). My feeling is that after all this discussion, the ideas that should be addressed in the papers will emerge on their own, and the papers will pretty much write themselves.

This is why you should join the meetings now, rather than just read the white papers when they’re published in June. You will only hear the ideas that are raised in the meetings, but don’t make it into the papers themselves, if you’re at the meeting. Even the minutes will at best be a pale reflection of the meeting itself (trust the man who’s written one!).

And now I’ll get to the second reason why I’m so interested in getting new members: There’s a real virtuous cycle here. The more participants there are, the better the conversation is. And the better the conversation, the more participants there will be.

So send me an email at the address below if you’d like to join us. I’ll consolidate these and forward them to Tom Hofstetter and Tony Eddleman, who have proven more than willing to bring new sheep into the fold.

  
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.

No comments:

Post a Comment