This is the
second (and last) of my two posts on NERC’s draft Data Request on supply chain
risks for Low impact assets. The first one is here
(it includes a link to the draft DR itself). I actually ended up writing two
more posts last week based on comments and questions I received about the issue
of how to define external routable connectivity for Lows; but they weren’t
about the DR itself, which is why I say this is part II (I expect to have
another post or two – or maybe more – on the topic of “erc” in the near
future).
There are
two main parts to the DR. The first part is the long section entitled “BES
Cyber Systems”. In the first post, I discussed at length the many wording
problems in that section, and expressed the opinion that it could be cleaned up
and actually sent out. But I also said that without changes I think it’s just
going to cause a lot of confusion and – most importantly – it’s very unlikely
to yield any usable data.
There are
two issues I want to discuss in this post. The first issue has to do with the
second part of the DR, but the second is strategic: I think NERC is pursuing
exactly the wrong strategy in dealing with what is evidently very strong
pressure from Congress to increase requirements for Lows. I think the DR isn’t
going to satisfy these Congressional hawks at all, and will probably make the
industry’s position with Congress worse, not better. 
To start
with the first issue, let’s go to the second part of the DR, which is much
shorter than the first part. You can find it on pages 7 and 8 of the DR, under
the heading “CIP-013 Cost of Implementation”, but since it’s so short I’ll
reproduce the whole section here:
“Stakeholders, regulators and legislators’ decisions on mitigating and preventing supply chain risk depend on the costs and benefits associated with those decisions. While utilities would want and share this information, it is not currently available. Therefore, subject matter experts believe it is premature for CIP-013 registered entities to determine, or estimate costs or benefits associated with the implementation of the standard.
- The standard is new and there is no historic precedence (note: this should be ‘precedent’) for registered entities to pre‐determine costs based on furthering relationships with existing and new vendors.
- These costs and benefits are intangible and depend on a spectrum of actions, from internal process refinement costs to extensive costs associated with replacement of blacklisted vendors.
- The cost of compliance is currently unknown as this is a new standard.
- Many utilities are experiencing push back from vendors for CIP‐013 compliance that could require vendor change or increase in cost from such vendors.
Consequently, CIP-013 is causing, and will necessitate many changes for complying utilities from now until the July 1, 2020 implementation date. Therefore, currently providing any credible cost or benefit information is premature.
6. Do you agree with the above SME assessment – Yes or No?
Please provide CIP‐013 cost or benefit amounts should you answer “no” to the above question:”
In case
you’re puzzled by this (and if you’re not, I don’t think you’re reading it
closely), this section essentially says “We’re not stupid. We know there’s no
way that a Low impact entity can estimate their costs for compliance with
CIP-013. Do you agree with that statement? But if you don’t, could you give us
your estimate anyway?”
Here’s a little history: The first draft of the DR that the SCWG received from NERC asked entities to estimate the cost for complying with CIP-013 for Low impact assets. At our first meeting with NERC, we pointed out that even Medium and High entities still can’t give a good estimate of their cost for complying with CIP-013, so how could Low-only entities possibly do this? (Although, based on the fact that I’ve been working on nothing but CIP-013 compliance with three entities of different sizes since January 1, I have come to realize my initial estimates of the total cost were too high. I don’t think people understand how important it is that this is a risk-based standard, not a prescriptive one. That makes for a huge difference in costs.)
The NERC
people didn’t dispute this, but they pointed out that the Board of Trustees had
ordered them to ask this question, so they felt they had to do it. I suggested
(at a later meeting) that the SCWG might actually be able to come up with a
cost estimate for Lows (since almost all of the NERC entities that are part of
the SCWG have Low impact assets, as well as Highs and/or Mediums). I said it
would be much better to have us estimate costs than the Low-only entities, who
have no experience at all with CIP-013, and probably haven’t thought about it
at all yet.
But no, NERC
said they had to ask a question since the Board had ordered it. So some people
in the SCWG came up with the above “question”. I analogize it this way:
- The Board has asked NERC staff to ask entities how to design
     a perpetual motion machine.
- Instead of simply telling the Board that there’s no way to
     design a perpetual motion machine, the staff members have decided to ask entities
     this ‘question’: “We know there’s no way to design a perpetual motion
     machine. Do you agree with this statement? But if you don’t agree, please
     give us your diagrams.”
My main
objection to this “question” is that it makes NERC and the SCWG look ridiculous
for even asking it. And my other objection is that any data that come out of it
are guaranteed to be garbage. Anyone who answers this is simply going to take a
guess, and they will all understand that if the cost estimates come in low,
this will probably lead to CIP-013 being applied to Lows. So they’ll just estimate
as high as they think is credible. I think this whole question needs to be
removed.
Now I will
discuss my strategic objection to this whole Data Request. It is based on what
the SCWG members were told by NERC staff about the reason for this DR (with a
little inference on my part, to fill in some gaps): 
- Congress and FERC have been leaning very heavily on NERC
     in recent months to increase CIP requirements on Low assets in general. 
- Since the question of Lows and CIP-013 was already on the
     table, that pressure is now focused on requiring Lows to comply with
     CIP-013.
- NERC staff (and maybe the Board) are worried that FERC is
     simply going to put out an Order saying that Lows need to be included in
     CIP-013. To stave off that event (or at least push it back), NERC will do
     this Data Request, which – due to all the steps required to approve it,
     gather answers and then analyze them – will probably take six months to
     complete.
- My guess is that part of the Board’s (and NERC staff’s)
     concern here is showing Low entities that they’re trying to fight this off
     any way they can – and when and if FERC issues their Order, NERC will be
     able to tell the Lows “Well, we tried…”
This
wouldn’t be a terrible strategy if there were any conceivable way it could
work, but I don’t see one. The main problem is that, even if the first question
is cleaned up and sent out, it’s not going to ask for the data that Congress
wants. During one of the SCWG meetings, I asked Lonnie Ratliff of NERC (whose
title is Senior Manager, Cyber and Physical Assurance) what exactly the
Congressional staffers had been asking him about Lows. 
He said they wanted to know how many Critical Cyber Assets were at Lows. Remember that a CCA was a single device, so these Congressional staffers were obviously trying to find out how many computing devices were at Lows. Lonnie told them that term had been replaced by BES Cyber System, and of course that’s why the first draft of the DR that NERC showed to the SCWG asked for information about Low BCS. As I mentioned in the first post, the idea of asking about BCS was finally dropped when, at one of the SCWG meetings, I pointed out that there were some entities who have over a thousand BES Cyber Assets in a single BCS, whereas there are others who are classifying every BCA as a BCS. So asking about BCS isn’t going to yield any meaningful data about BES Cyber Assets, which is the closest current term to Critical Cyber Asset – which always referred to an individual device.
So if NERC
were really going to satisfy Congress, they would need to ask about BES Cyber
Assets in the DR. But to even ask this question would require owners of Low
assets to have to go through a huge effort to identify all Cyber Assets in
every Low asset, then consider each one as to whether it meets the BCA
definition. They would rebel if NERC even asked a question about Low BCS, but
there would probably be blood in the streets if NERC asked about Low BCAs. Even
if NERC just asked Lows to estimate
the number of BCAs, they would still have to go through a lot of effort.
So in
question 1 of the draft DR, NERC is just asking about Low assets – primarily
substations, generating plants, and Control Centers. It would certainly be
interesting to get this data (although a lot of this has already been given to
the Regions, since every Low entity has to state their number of Low assets of
each type). But I see no way this is going to satisfy Congress. They want to
measure the degree of cyber risk posed by Lows based on the number of computing
devices installed. They’re going to be very disappointed when NERC hands them a
list of assets, and when they’re asked how many devices this covers, the NERC
representative will say “Oh, we can’t get that information. Sorry.”
But here’s
an idea, NERC: Instead of making your entities go through a lot of work to
respond to a DR, then six months later give Congress and FERC a list that isn’t
what they wanted, why don’t you get ahead of this issue and say “You know, you
people are right. CIP-013 should be applied to Lows in some way, although we’re
sure you’ll agree there’s no need to make Lows go through everything that Highs
and Mediums need to do. We’ll draft a Low-only requirement and add that into
version 2 of CIP-013, since we’re just now putting together a team to develop
that version.”
And what
should this Low-only requirement be? I think NERC would be well advised to go
back to the first draft of CIP-013, which had this requirement part R5:
"R5. Each
Responsible Entity with at least one asset identified in CIP-002 containing low
impact BES Cyber Systems shall have one or more documented cyber security
policies, which shall be reviewed and approved by the CIP Senior Manager or
delegate at least once every 15 calendar months, that address the following
topics for its low impact BES Cyber Systems: 
5.1. Integrity and authenticity of
software and firmware and any patches, updates, and upgrades to software and
firmware; and 
5.2. Controlling vendor-initiated
remote access, including system-to-system remote access with vendor(s)."
CIP-013 aficionados will recognize 5.1 as being pretty close to CIP-013-1 R1.2.5, while 5.2 is close to R1.2.6. So what would Lows have to do to comply with these two requirement parts? They would have to develop a policy for Low BCS that includes these two items (and I would recommend that the new SDT not only require Lows to have a policy, but to implement it). CIP-003-5 R2 just required Lows to have four policies, but said nothing about implementing them. FERC then told NERC to go beyond policies and add “specific requirements” for Lows in CIP v6. If the v5 SDT had included “implement” in the v5 requirement in the first place, FERC would probably have said that was good enough and they wouldn’t have required any more. Instead, there has been all sorts of anguish over CIP-003-7 R2, since FERC didn’t like the CIP-003-6 R2 that NERC came up with. This anguish was reflected in the emails I received last week about my two erc posts, and it will increase as the compliance date approaches.
And if
CIP-013-2 includes this requirement, what would Lows not have to do, compared with their Medium and High brethren? The
most important thing they wouldn’t have to do is comply with R1.1, which
requires the entity to consider all of its supply chain cyber risks and
mitigate the most important ones. While – as I mentioned above – I no longer
think this will require of Mediums and Highs the degree of effort that I
estimated originally, it will still be a large amount of work, and will require
that people in supply chain and legal be heavily involved, which wouldn’t be
the case if the Low-only requirement were implemented as described above.
The other thing Lows wouldn’t have to do is comply with R1.2.1 through R1.2.4. I just looked at how these parts differ from R1.2.5 and R1.2.6, and it seems the big difference is that the latter two parts aren’t going to require a lot of heavy lifting with vendors, while R1.2.1-R1.2.4 will be more difficult to get vendor agreement on. This may be why the CIP-013 SDT only required that Lows “comply” with R1.2.5 and R1.2.6 in the first draft of the standard (which went down to defeat with only a 9% positive vote, due in part to the fact that the Low requirement was there). There will definitely be opposition if NERC moves to put a Low requirement in CIP-013-2, but I think it will be much more defensible if NERC points to what may be the alternative – having FERC require that Lows be included in scope for all CIP-013 requirements.
Will this
suggested requirement mean that Lows have to keep an inventory of BES Cyber
Systems? Definitely not. Lows will have to show auditors that they have these
policies and have implemented them, but that doesn’t require having evidence
that they were applied in every instance and for every component of a BCS. 
What will
happen if NERC persists in their current course and sends out this Data
Request, then turns the results over to FERC and Congress late this year or
early in 2020? As I’ve said, the data that will be gathered aren’t what
Congress is looking for, so they’re unlikely to be satisfied. Will they all
just give up and focus on getting elected again? I really doubt it. The cyber
security of the grid has become a big concern of Congress, and both parties
agree that electric utilities should be doing more about this. I think they
will pressure FERC to go ahead and tell NERC to simply include Lows in CIP-013,
which probably means having all of the current requirements apply to Lows. I
think that, if NERC made a proactive move like what I’ve suggested above,
they’d very possibly be able to preclude this much more drastic step.
And there’s
another reason why I think this would be a good move. In case you haven’t
noticed, electric power isn’t the most popular industry nowadays (not that it
ever was, of course), and many in Congress feel the industry just isn’t
stepping up to the plate enough to combat cyber threats. At the same time, they
wonder why such an important industry should have the power to write its own
cyber security standards. 
If NERC is perceived as reflexively fighting all cyber regulation, Congress will soon feel (and probably already does) that they need to think about taking cyber regulation of the power industry away from NERC (the O&P standards are a different deal, of course) and giving it directly to DoE or DHS (or maybe a new Department of Cybersecurity).
So sometimes
it’s better to acknowledge the other party’s concerns and say “We agree. We do need to do more about this. Here’s our proposal…”, rather
than try to simply stonewall them. Especially
when that other party is much more powerful than you are.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that
if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or
challenges like what is discussed in this post – especially on compliance with
CIP-013. To discuss this, you can email me at the same address.