Sunday, July 14, 2019

NERC’s draft Data Request on supply chain risks for Lows, part II

This is the second (and last) of my two posts on NERC’s draft Data Request on supply chain risks for Low impact assets. The first one is here (it includes a link to the draft DR itself). I actually ended up writing two more posts last week based on comments and questions I received about the issue of how to define external routable connectivity for Lows; but they weren’t about the DR itself, which is why I say this is part II (I expect to have another post or two – or maybe more – on the topic of “erc” in the near future).

There are two main parts to the DR. The first part is the long section entitled “BES Cyber Systems”. In the first post, I discussed at length the many wording problems in that section, and expressed the opinion that it could be cleaned up and actually sent out. But I also said that without changes I think it’s just going to cause a lot of confusion and – most importantly – it’s very unlikely to yield any usable data.

There are two issues I want to discuss in this post. The first issue has to do with the second part of the DR, but the second is strategic: I think NERC is pursuing exactly the wrong strategy in dealing with what is evidently very strong pressure from Congress to increase requirements for Lows. I think the DR isn’t going to satisfy these Congressional hawks at all, and will probably make the industry’s position with Congress worse, not better.

To start with the first issue, let’s go to the second part of the DR, which is much shorter than the first part. You can find it on pages 7 and 8 of the DR, under the heading “CIP-013 Cost of Implementation”, but since it’s so short I’ll reproduce the whole section here:

“Stakeholders, regulators and legislator’s decisions on mitigating and preventing supply chain risk depend on the costs and benefits associated with those decisions. While utilities would want and share this information, it is not currently available. Therefore, subject matter experts believe it is premature for CIP-013 registered entities to determine, or estimate costs or benefits associated with the implementation of the standard.

  • The standard is new and there is no historic precedence (note: this should be ‘precedent’) for registered entities to pre‐determine costs based on furthering relationships with existing and new vendors.
  • These costs and benefits are intangible and depend on a spectrum of actions, from internal process refinement costs to extensive costs associated with replacement of blacklisted vendors.
  • The cost of compliance is currently unknown as this is a new standard.
  • Many utilities are experiencing push back from vendors for CIP‐013 compliance that could require vendor change or increase in cost from such vendors.
Consequently, CIP-013 is causing, and will necessitate many changes for complying utilities from now until the July 1, 2020 implementation date. Therefore, currently providing any credible cost or benefit information is premature.

  6. Do you agree with the above SME assessment – Yes or No?

Please provide CIP‐013 cost or benefit amounts should you answer “no” to the above question:”

In case you’re puzzled by this (and if you’re not, I don’t think you’re reading it closely), this section essentially says “We’re not stupid. We know there’s no way that a Low impact entity can estimate their costs for compliance with CIP-013. Do you agree with that statement? But if you don’t, could you give us your estimate anyway?”

Here’s a little history: The first draft of the DR that the SCWG received from NERC asked entities to estimate the cost for complying with CIP-013 for Low impact assets. At our first meeting with NERC, we pointed out that even Medium and High entities still can’t give a good estimate of their cost for complying with CIP-013, so how could Low-only entities possibly do this? (Although, based on the fact that I’ve been working on nothing but CIP-013 compliance with three entities of different sizes since January 1, I have come to realize my initial estimates of the total cost were too high. I don’t think people understand how important it is that this is a risk-based standard, not a prescriptive one. That makes for a huge difference in costs.)

The NERC people didn’t dispute this, but they pointed out that the Board of Trustees had ordered them to ask this question, so they felt they had to do it. I suggested (at a later meeting) that the SCWG might actually be able to come up with a cost estimate for Lows (since almost all of the NERC entities that are part of the SCWG have Low impact assets, as well as Highs and/or Mediums). I said it would be much better to have us estimate costs than the Low-only entities, who have no experience at all with CIP-013, and probably haven’t thought about it at all yet.

But no, NERC said they had to ask a question since the Board had ordered it. So some people in the SCWG came up with the above “question”. I analogize it this way:

  1. The Board has asked NERC staff to ask entities how to design a perpetual motion machine.
  2. Instead of simply telling the Board that there’s no way to design a perpetual motion machine, the staff members have decided to ask entities this ‘question’: “We know there’s no way to design a perpetual motion machine. Do you agree with this statement? But if you don’t agree, please give us your diagrams.”

My main objection to this “question” is that it makes NERC and the SCWG look ridiculous for even asking it. And my other objection is that any data that come out of it are guaranteed to be garbage. Anyone who answers this is simply going to take a guess, and they will all understand that if the cost estimates come in low, this will probably lead to CIP-013 being applied to Lows. So they’ll just estimate as high as they think is credible. I think this whole question needs to be removed.

Now I will discuss my strategic objection to this whole Data Request. It is based on what the SCWG members were told by NERC staff about the reason for this DR (with a little inference on my part, to fill in some gaps):

  1. Congress and FERC have been leaning very heavily on NERC in recent months to increase CIP requirements on Low assets in general.
  2. Since the question of Lows and CIP-013 was already on the table, that pressure is now focused on requiring Lows to comply with CIP-013.
  3. NERC staff (and maybe the Board) are worried that FERC is simply going to put out an Order saying that Lows need to be included in CIP-013. To stave off that event (or at least push it back), NERC will do this Data Request, which – due to all the steps required to approve it, gather answers and then analyze them – will probably take six months to complete.
  4. My guess is that part of the Board’s (and NERC staff’s) concern here is showing Low entities that they’re trying to fight this off any way they can – and when and if FERC issues their Order, NERC will be able to tell the Lows “Well, we tried…”

This wouldn’t be a terrible strategy if there were any conceivable way it could work, but I don’t see one. The main problem is that, even if the first question is cleaned up and sent out, it’s not going to ask for the data that Congress wants. During one of the SCWG meetings, I asked Lonnie Ratliff of NERC (whose title is Senior Manager, Cyber and Physical Assurance) what exactly the Congressional staffers had been asking him about Lows.

He said they wanted to know how many Critical Cyber Assets were at Lows. Remember that CCAs were a single device, so these Congressional staffers were obviously trying to find out how many computing devices were at Lows. Lonnie told them that term had been replaced by BES Cyber System, and of course that’s why the first draft of the DR that NERC showed to the SCWG asked for information about Low BCS. As I mentioned in the first post, the idea of asking about BCS was finally dropped when, at one of the SCWG meetings, I pointed out that there were some entities who have over a thousand BES Cyber Assets in a single BCS, whereas there are others who are classifying every BCA as a BCS. So asking about BCS isn’t going to yield any meaningful data about BES Cyber Assets, which is the closest current term to Critical Cyber Asset – which always referred to an individual device.

So if NERC were really going to satisfy Congress, they would need to ask about BES Cyber Assets in the DR. But to even ask this question would require owners of Low assets to have to go through a huge effort to identify all Cyber Assets in every Low asset, then consider each one as to whether it meets the BCA definition. They would rebel if NERC even asked a question about Low BCS, but there would probably be blood in the streets if NERC asked about Low BCAs. Even if NERC just asked Lows to estimate the number of BCAs, they would still have to go through a lot of effort.

So in question 1 of the draft DR, NERC is just asking about Low assets – primarily substations, generating plants, and Control Centers. It would certainly be interesting to get this data (although a lot of this has already been given to the Regions, since every Low entity has to state their number of Low assets of each type). But I see no way this is going to satisfy Congress. They want to measure the degree of cyber risk posed by Lows based on the number of computing devices installed. They’re going to be very disappointed when NERC hands them a list of assets, and when they’re asked how many devices this covers, the NERC representative will say “Oh, we can’t get that information. Sorry.”

But here’s an idea, NERC: Instead of making your entities go through a lot of work to respond to a DR, then six months later give Congress and FERC a list that isn’t what they wanted, why don’t you get ahead of this issue and say “You know, you people are right. CIP-013 should be applied to Lows in some way, although we’re sure you’ll agree there’s no need to make Lows go through everything that Highs and Mediums need to do. We’ll draft a Low-only requirement and add that into version 2 of CIP-013, since we’re just now putting together a team to develop that version.”

And what should this Low-only requirement be? I think NERC would be well advised to go back to the first draft of CIP-013, which had this requirement part R5:

"R5. Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall have one or more documented cyber security policies, which shall be reviewed and approved by the CIP Senior Manager or delegate at least once every 15 calendar months, that address the following topics for its low impact BES Cyber Systems: 
5.1. Integrity and authenticity of software and firmware and any patches, updates, and upgrades to software and firmware; and 
5.2. Controlling vendor-initiated remote access, including system-to-system remote access with vendor(s)."

CIP-013 aficionados will recognize 5.1 as being pretty close to CIP-013-1 R1.2.5, while 5.2 is close to R1.2.6. So what would Lows have to do to comply with these two requirement parts? They would have to develop a policy for Low BCS that includes these two items (and I would recommend that the new SDT not only require Lows to have a policy, but to implement it. CIP-003-5 R2 just required Lows to have four policies, but said nothing about implementing them. FERC then told NERC to go beyond policies and add “specific requirements” for Lows in CIP v6. If the v5 SDT had included “implement” in the v5 requirement in the first place, FERC would probably have said that was good enough and they wouldn’t have required any more. Instead, there has been all sorts of anguish over CIP-003-7 R2, since FERC didn’t like the CIP-003-6 R2 that NERC came up with. This anguish was reflected in the emails I received last week about my two erc posts, and it will increase as the compliance date approaches).

And if CIP-013-2 includes this requirement, what would Lows not have to do, compared with their Medium and High brethren? The most important thing they wouldn’t have to do is comply with R1.1, which requires the entity to consider all of its supply chain cyber risks and mitigate the most important ones. While – as I mentioned above – I no longer think this will require of Mediums and Highs the degree of effort that I estimated originally, it will still be a large amount of work, and will require that people in supply chain and legal be heavily involved, which wouldn’t be the case if the Low-only requirement were implemented as described above.

The other thing Lows wouldn’t have to do is comply with R1.2.1 through R1.2.4. I just looked at how these parts differ from R1.2.5 and R1.2.6, and it seems the big difference is that the latter two parts aren’t going to require a lot of heavy lifting with vendors, while R1.2.1-R1.2.4 will be more difficult to get vendor agreement on. This may be why the CIP-013 SDT only required that Lows “comply” with R1.2.5 and R1.2.6 in the first draft of the standard (which went down to defeat with only a 9% positive vote, due in part to the fact that the Low requirement was there. There will definitely be opposition if NERC moves to put a Low requirement in CIP-013-2, but I think it will be much more defensible if NERC points to what may be the alternative – having FERC require that Lows be included in scope for all CIP-013 requirements).

Will this suggested requirement mean that Lows have to keep an inventory of BES Cyber Systems? Definitely not. Lows will have to show auditors that they have these policies and have implemented them, but that doesn’t require having evidence that they were applied in every instance and for every component of a BCS.

What will happen if NERC persists in their current course and sends out this Data Request, then turns the results over to FERC and Congress late this year or early in 2020? As I’ve said, the data that will be gathered aren’t what Congress is looking for, so they’re unlikely to be satisfied. Will they all just give up and focus on getting elected again? I really doubt it. The cyber security of the grid has become a big concern of Congress, and both parties agree that electric utilities should be doing more about this. I think they will pressure FERC to go ahead and tell NERC to simply include Lows in CIP-013, which probably means having all of the current requirements apply to Lows. I think that, if NERC made a proactive move like what I’ve suggested above, they’d very possibly be able to preclude this much more drastic step.

And there’s another reason why I think this would be a good move. In case you haven’t noticed, electric power isn’t the most popular industry nowadays (not that it ever was, of course), and many in Congress feel the industry just isn’t stepping up to the plate enough to combat cyber threats. At the same time, they wonder why such an important industry should have the power to write its own cyber security standards.

If NERC is perceived as reflexively fighting all cyber regulation, Congress will soon feel (and probably already does) that they need to think about taking cyber regulation of the power industry away from NERC (the O&P standards are a different deal, of course) and giving it directly to DoE or DHS (or maybe a new Department of Cybersecurity).

So sometimes it’s better to acknowledge the other party’s concerns and say “We agree. We do need to do more about this. Here’s our proposal…”, rather than try to simply stonewall them. Especially when that other party is much more powerful than you are.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.
