Last week, I put up this post that discussed the difference between suppliers and vendors, and how it can be helpful for CIP-013 compliance to distinguish between the two. Of course, in many cases the same entity both manufactures the hardware / develops the software and sells it to you; in those cases, it doesn’t matter whether you call them a supplier or a vendor.
But if the manufacturer or developer doesn’t sell directly but goes through some sort of dealer channel, then the vendor is the dealer, and the supplier is the manufacturer/developer. Big organizations like Microsoft, Cisco and SEL do this. The upshot is that you won’t have a contract – which is a good way to mitigate supply chain risk, although not the be-all/end-all that some describe it to be – with the supplier, just with the vendor. Yet the big risk is usually with the supplier, not the vendor.
In an endnote, I did say “Even a pure dealer will be the subject of some supply chain risk – for example, they may not take proper measures to secure the product before shipment, and it could be tampered with en route; that risk needs to be mitigated, using contract language or another means. And if the dealer also installs the product, there’s a lot of risk to mitigate…”
The day after this post, my longtime friend Brandon Workentin of Forescout Technologies wrote in to point out that in some cases the vendor can be a substantial source of risk. He pointed out that a systems integrator, who can be responsible for installing and supporting the product (and both installation and ongoing support – especially patching – are specifically in scope for CIP-013), can introduce a substantial amount of risk[i].
So it might have been better for me to distinguish between product risk – which will be almost entirely the domain of the supplier – and installation/support risk – which would be the domain of the systems integrator. I can certainly see that in some cases, the total risk introduced by the integrator/dealer might be almost as great as that introduced by the supplier.
There are lots of subtle points like this hidden in CIP-013 – or more generally in supply chain cyber security risk management planning. Understanding these points can mean the difference between developing a plan that will efficiently mitigate supply chain security risk, and one that ends up putting a big burden on your organization, yet at the same time yields much less risk mitigation.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.
[i] And by “introduce risk”, I don’t mean the integrator is a mope that knows nothing about security and is bound to leave the system in a very insecure state. I simply mean that the impact on the BES of their doing something wrong could be high (think of what might happen if your EMS or SCADA system had been installed with inadequate security controls). And since risk is a combination of likelihood and impact, even though the integrator might have greatly reduced the likelihood of a problem occurring by training their people very well and implementing very safe procedures (meaning the likelihood component of the risk would be low), the risk will still be medium or high because the impact would be high.