If so, you’re certainly not alone. Many NERC entities are still trying to work this out. I’ve been helping multiple entities develop their CIP-013 programs for almost the last year, and in doing that I’ve developed a methodology that applies to a NERC entity of any size or type. Now I’m offering a free two-hour webinar to any NERC entity that wishes to learn about this. The webinar is open to any employees involved with CIP-013 compliance and/or BES supply chain security risk management.[i]
CIP-013 fundamentally requires that a NERC entity do four things:

- Develop a supply chain cyber security risk management plan for its BES Cyber Systems (R1);
- Include the six items in R1.2 in the plan, along with risks identified in R1.1;
- Implement the plan (R2); and
- Review the plan every 15 months (R3).
This is all there is in the language of the three requirements. A lot of people find it very hard to believe there isn’t a lot more hidden in CIP-013, and – especially if they’ve had unfortunate audit experiences with the current CIP standards – they dread that an auditor will come onsite three years from now and nail them for something they had no idea was required.
But those people are asking the wrong question. The question isn’t what needs to be in the plan in order for it to be judged compliant. Because R1 provides very little detail on what should be in the plan, there are lots of different plans that could be compliant. As long as an entity puts thought and effort into its plan (and includes the few things that are required, including the six items in R1.2), it will be compliant, at least for the first two or three years of enforcement.
So if compliance isn’t the issue with CIP-013, what is? CIP-013, which is described as a “supply chain cyber security risk management” standard, is fundamentally about risk management; the subject matter of the risks it deals with is supply chain security. What’s important is a) managing your supply chain risks (and of course, we’re just talking about risks to Medium and High impact BES Cyber Systems) so that you mitigate only the most important risks to you and accept the others; and b) targeting your mitigation efforts so that you only mitigate risks in cases where they haven’t already been mitigated, by you or your vendor.
So the goal of my methodology isn’t just compliance – almost any well-thought-out methodology will be compliant – but mitigating only the most important risks and targeting mitigations so they aren’t wasted. Doing this will ensure that your organization mitigates the greatest total BES supply chain risk possible, given the resources you have available. You definitely don’t want to apply all or most of your resources toward mitigating risks that aren’t very important for your organization and its BES assets, or that have already been mitigated.
This webinar is open to anybody in your organization who may be involved in the supply chain risk management/CIP-013 compliance effort, including people from procurement, legal, cybersecurity and – oh, yes – NERC compliance. The agenda is very flexible; we’ll develop it in a call before the webinar to make sure I’m addressing what you would like to discuss. If you’re interested in this offer, please drop me an email at tom@tomalrich.com, and I’ll send you more information.
[i] Last year I made a similar offer, and a number of entities took me up on it. The difference now is that the new webinar incorporates what I and my clients have learned as we’ve worked to develop their CIP-013 programs. The most important thing I’ve learned is that the basis of the methodology is the same for all NERC entities. Implementing it at a particular entity is essentially a process of tailoring the methodology for them, rather than re-creating it from scratch each time. This leads to a lot of efficiencies, since later clients have the advantage of building on what I created with earlier clients.
And what if you’ve already seen v1 of this webinar? I’d be glad to present v2!