I first attended GridSecCon in its third year (2013), and after that I vowed I wouldn’t miss any more. In fact, I can say without hesitation that each year it gets better – and I have no doubt that this year’s (October 22-25 in Atlanta) will be the best yet. It’s the most important security conference/exhibition (and that applies to physical as well as cyber security) for the North American electric power industry, period.
So I was quite happy to be invited to lead a panel devoted to supply chain security at this year’s conference. The panel is entitled “Supply Chain Threat Vector”, and it will take place on Wednesday (Oct. 24) afternoon from 3:15 to 4:00. The description of the panel is concise: “Where risk managers should start in identifying their operational technology supply chain security risk.” Of course, when the panel is constituted and has a phone meeting, I’m sure we’ll flesh out exactly how we’re interpreting that mandate.
The other members of the panel still haven’t been finalized; I’ll announce them when I know them. I’ll also announce the objective of our panel, once we’ve had a chance to meet and discuss it (I have my ideas for that, but I don’t want to state them now and constrain what the panel decides on).
However, I can now give an answer to what some people might naturally ask: Is this panel about supply chain security or CIP-013 compliance? My unequivocal answer to that question is Yes; it is about both security and compliance. Some might then ask: How can this be? After all, every person working in NERC CIP compliance is taught from day one that security doesn’t equal compliance, and compliance doesn’t equal security. Why is CIP-013 different?
CIP-013 is different from the other approved CIP standards, because it doesn’t require the NERC entity to take any specific actions except:
- Develop a good supply chain cyber security risk management
plan (R1);
- Implement that plan (R2); and
- Review that plan every 15 months (R3).
That’s it. The plan needs to include the six risks listed in R1.2 (and it’s really eight risks, since R1.2.5 and R1.2.6 both include two risks – kind of a “two for the price of one” deal), but R1.1 makes it clear that the plan needs to address all important supply chain cyber risks, not just those six (although addressing a risk will in most cases mean accepting it). You comply with CIP-013 by developing and implementing a good supply chain cyber security risk management plan, period and end of story. In other words, with CIP-013, compliance equals security and security equals compliance.
This means that the whole question of CIP-013 compliance is what constitutes a good supply chain cyber security risk management plan for important BES Cyber Systems. On this question, the standard itself is silent. The single official guidance document from NERC (developed by the SDT in 2017) simply gives suggestions for what could be included in the plan, so it’s up to the NERC entity to decide what a good plan is. Our GridSecCon panel will aim to provide some suggestions for elements of a good plan. I hope to see you there!*
* I inserted this asterisk to point out an unfortunate circumstance that will require that a lot of people who are involved with NERC CIP compliance (including a substantial number of NERC Regional CIP auditors and enforcement people) be elsewhere the week of GridSecCon. This circumstance is that, for either the third or fourth time, WECC’s semi-annual compliance workshops (including CIP compliance) – called the Reliability and Security Workshop – are scheduled for that week, this time in Las Vegas.
The previous two or three times this happened were the first two or three GridSecCons. I know that many entities in WECC complained about this, especially some of their CIP auditors, and WECC finally found a way to keep this from happening. In fact, last year WECC hosted the conference in Las Vegas (and held their workshops the next week in San Diego). I thought the problem had been solved for good.
And now it’s happened again. I don’t know whose fault it is, or what other circumstances may have required that WECC schedule their conference for the same week as GridSecCon, but it’s quite unfortunate that this has happened again, given the number of people that I’m sure would like to attend both events. Once again, these people are forced to choose between the two events – and for someone heavily involved in CIP compliance at a WECC entity, there really is no choice at all.
The WECC CIP workshops host easily 400-500 people. I know not all of them would want, or be able, to attend GridSecCon, but I’m sure that as a result of the scheduling conflict, the conference will be short at least 100 people who could have contributed immensely to the discussions, both during the official sessions and between attendees at other times.
And while I’m on it, I want to lodge another complaint with WECC. This year, the workshops in Las Vegas will cost $650, with no discount if someone wants to attend just the one day devoted to CIP and cyber security. This is far out of proportion (in fact, infinitely so) with what most of the other Regions charge for their CIP workshops, which is $0.00. And at the current rate of escalation (I think the one this spring cost around $450), it won’t be long before they reach $1,000.
Of course, even $1,000 isn’t too much to pay in order to get good compliance information on standards that carry penalties of up to $1 million per day for non-compliance (I admit there is good food at the WECC meetings, but most other Regions provide good food as well, at little or no cost to attendees. When I attended WECC’s spring workshop in spring 2018 in Boise, there was grumbling over the fee then, which I think was in the range of $250-$350. In their survey forms, WECC anticipated this grumbling by asking responders whether they would be willing to give up refreshments during the meeting – not the breakfast and lunch, of course – in exchange for a lower fee. Give me a break!).
But I think WECC could certainly figure out a way to reduce the fee in the future (let alone not escalate it to $1,000). Here’s a suggestion: Since WECC brings a small army of employees to this meeting (which is appropriate, given the size of their Region; for example, I know they have – or have openings for – over ten CIP auditors), they could probably save most of that cost by simply holding all compliance workshops in Salt Lake City from now on. SLC is a wonderful place to visit at any time of the year.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And Tom continues to offer a free two-hour webinar on CIP-013 to your organization; the content is now substantially updated based on Tom’s nine months of experience working with NERC entities to design and begin to implement their CIP-013 programs. To discuss this, you can email me at the same address.