In the NERC CIPC Supply Chain Working Group, we’ve had an ongoing discussion about vendors vs. suppliers. It started when someone from a prominent power industry supplier pointed out that his CEO hated it when his company was called a vendor. “Vendors sell hot dogs” was his CEO’s memorable statement. The company now officially refers to itself as a supplier. This person requested that the SCWG stop using the term vendor and refer to any provider of BES Cyber Systems or services as a supplier.
However, he didn’t get very far in his argument. The first time we had the discussion, I pointed out that, while “vendor” isn’t a defined term in the NERC Glossary, it is used everywhere in CIP-013, and definitely in the majority of articles and papers written about CIP-013, to designate entities that provide BCS components to NERC entities. It would be very hard for the SCWG to single-handedly try to change this.[i]
At the SCWG’s meeting last week, held the day before the CIPC meeting started in Orlando, the subject came up again. Once again, there was very little support for trying to change the usage (and in response to the same statement that vendors sell hot dogs, I pointed out – a little meanly, I now admit – that I thought of crack dealers as suppliers, not vendors).
However, during that discussion, my good friend John Work of the Western Area Power Administration emailed me (he was listening to the webcast of the discussion, being unable to get to Orlando for it) that there was a good case to be made for using both terms: a supplier is the manufacturer of the hardware or the developer of the software, while the vendor is the organization that sells it.
I admit that at first I didn’t see that this distinction was going to make a difference, but this week, in the course of working with a client on their CIP-013 methodology, I began to realize it can be very helpful to use both terms, in the way John suggested.
The reason for this becomes evident when you think about having a contract with a vendor (in the original all-inclusive sense), and inserting cybersecurity provisions into it. If the organization both develops and sells the product, in my opinion it doesn’t matter what you call them – your contract is with the organization.
But what about the case where one organization manufactures or develops the product and another sells it? Big companies like Cisco, Microsoft and SEL develop or manufacture their products, but they don’t sell them; a dealer does that. So while your organization certainly has a contract with the dealer, is that really useful as a tool for implementing supply chain cyber risk management mitigations? Of course not; you really would need a contract with Cisco, Microsoft or SEL.[ii] But good luck getting one!
In such cases, using contract language to mitigate risks by requiring certain vendor security practices is simply impossible. You will need to admit that, while all of these companies have very good security practices now (and in fact Edna Conway of Cisco almost single-handedly invented the field of supply chain cyber security risk management), and they will all certainly try to address the concerns of the power industry with specific position papers describing their controls, in the end there is no utility that’s big enough to force one of these companies to do something it really doesn’t want to do. Ultimately, if a utility thinks that, for example, Cisco’s cyber risk controls are woefully insufficient for mitigating the risks that Cisco faces, it will need to either find another vendor or simply accept these risks (which BTW is allowed in CIP-013, while it’s still strictly verboten in the other CIP standards). There’s no other choice.
And now you may see what I just saw in the last day or two: it can really help if you distinguish suppliers from vendors. If your contract is with the vendor (e.g. the Cisco dealer), it simply isn’t going to be a vehicle for mitigating much supply chain cyber risk, although it’s certainly necessary for other reasons. It’s only if your contract is with the supplier (or if the supplier is also the vendor) that you will be able to use it to mitigate a lot of supply chain cyber risk.
Of course, there is no compliance implication whether you distinguish vendors from suppliers, call them all vendors (as CIP-013 does now), or call them all suppliers (as the CEO of the industry supplier wanted; BTW, that company sells direct to utilities, so it is both a supplier and a vendor in John’s nomenclature). You can call them anything you want in your compliance documentation, since “vendor” isn’t a NERC Glossary term. But I think it’s very helpful to distinguish vendors from suppliers as you develop your supply chain cyber risk management plan, because you will probably need to take different actions in the two cases.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.
[i] The CIP-013 drafting team originally drafted a definition, but they withdrew this after it – I assume – received a lot of negative comments on the first ballot. After that, the term was defined in one of the notorious blue boxes in the later CIP-013 versions. A lot of people had the impression that these boxes were actually part of the standard (and it may have influenced how they voted), since they were found in the middle of the requirements. However, NERC – which was at the time going through one of its periodic identity crises, this time regarding what kinds of “guidance” they could provide – ended up declaring that the items in the blue boxes weren’t officially part of the standard. They were moved to another area (not officially a part of the standard) when CIP-013 was approved by NERC and submitted to FERC for their approval.
[ii] Even a pure dealer will be the subject of some supply chain risk – for example, they may not take proper measures to secure the product before shipment, and it could be tampered with en route; that risk needs to be mitigated, using contract language or another means. And if the dealer also installs the product, there’s a lot of risk to mitigate (which of course is also covered by CIP-013, since risks of installation need to be mitigated just as much as pure procurement risks).