Monday, September 9, 2019

Are you still unsure what it means to comply with CIP-013?
If so, you’re certainly not alone. Many NERC entities are still trying to work this out. I’ve been helping multiple entities develop their CIP-013 programs for almost a year now, and in doing that I’ve developed a methodology that applies to a NERC entity of any size or type. Now I’m offering a free two-hour webinar to any NERC entity that wishes to learn about this. The webinar is open to any employees involved with CIP-013 compliance and/or BES supply chain security risk management.[i]

CIP-013 fundamentally requires that a NERC entity do four things:

  1. Develop a supply chain cyber security risk management plan for its BES Cyber Systems (R1);
  2. Include the six items in R1.2 in the plan, along with the risks identified in R1.1;
  3. Implement the plan (R2); and
  4. Review the plan every 15 months (R3).

This is all there is in the language of the three requirements. A lot of people find it very hard to believe there isn’t a lot more hidden in CIP-013, and – especially if they’ve had unfortunate audit experiences with the current CIP standards – they dread that an auditor will come onsite three years from now and nail them for something they had no idea was required.

But those people are asking the wrong question. The question isn’t what needs to be in the plan in order for it to be judged compliant. Because R1 provides very little detail on what should be in the plan, there are lots of different plans that could be compliant. As long as an entity puts thought and effort into their plan (and includes the few things that are required, including the six items in R1.2), it will be compliant, at least for the first two or three years of enforcement.

So if compliance isn’t the issue with CIP-013, what is? CIP-013, which is described as a “supply chain cyber security risk management” standard, is at bottom about risk management; the subject matter of the risks it deals with is supply chain security. What’s important is a) managing your supply chain risks (and of course, we’re only talking about risks to Medium and High impact BES Cyber Systems) so that you mitigate only the most important risks to you and accept the others; and b) targeting your mitigation efforts so that you only mitigate risks that haven’t already been mitigated, whether by you or by your vendor.

So the goal of my methodology isn’t just compliance – almost any well-thought-out methodology will be compliant – but mitigating only the most important risks and targeting mitigations so they aren’t wasted. Doing this will ensure that your organization mitigates the greatest total BES supply chain risk possible, given the resources you have available. You definitely don’t want to apply all or most of your resources toward mitigating risks that aren’t very important for your organization and its BES assets, or that have already been mitigated.

This webinar is open to anybody in your organization who may be involved in the supply chain risk management/CIP-013 compliance effort, including people from procurement, legal, cybersecurity and – oh, yes – NERC compliance. The agenda is very flexible; we’ll develop it in a call before the webinar to make sure I’m addressing what you would like to discuss. If you’re interested in this offer, please drop me an email at tom@tomalrich.com, and I’ll send you more information.
[i] Last year I made a similar offer, and a number of entities took me up on it. The difference now is that the new webinar incorporates what I and my clients have learned as we’ve worked to develop their CIP-013 programs. The most important thing I’ve learned is that the basis of the methodology is the same for all NERC entities. Implementing it at a particular entity is essentially a process of tailoring the methodology for them, rather than re-creating it from scratch each time. This leads to a lot of efficiencies, since later clients have the advantage of building on what I created with earlier clients.

And what if you’ve already seen v1 of this webinar? I’d be glad to present v2!
