Monday, September 30, 2019

The SCWG white papers are up!

I started talking about the NERC CIP Committee's Supply Chain Working Group in this blog back in March, including in this post. In that post, I described the five white papers the SCWG was working on, and I confidently stated that they would be published in June. Well, the wheels of NERC grind slowly, but they grind fine (most of the time). Here it is the last day of September, and they were posted today on NERC’s web site. To find them, go here and drop down “Current/Approved Security Guidelines” under “CIPC Security Guidelines”. Then drop down the “Supply Chain” item.

You’ll see a list of ten PDF files. Each of the five white papers (which are called Guidelines now, of course) has both the paper itself and slides describing the paper, which we presented before the CIPC meeting in Orlando in June.

I led the development of two of the papers: Risk Management Lifecycle and Vendor Risk Management Lifecycle. However, all of the papers are worth reading, whether your organization has to comply with CIP-013 or not; they were all put together in many meetings among SCWG members, including NERC entities and vendors. There are two more papers in the approval process, regarding risks related to cloud computing and vendor cyber incident response plans. These have both been finalized by the SCWG sub-groups that drafted them; however, given the normal approval process (including a comment period for CIPC members), I’d say those probably won’t be out until the end of the year.

The SCWG does plan to create more papers, but they definitely won’t be published this year. In fact, since these papers took six months from start of development to posting, this means any further papers might not be posted before July 1, 2020, when CIP-013 compliance is due.

However, this isn’t the tragedy that I once would have thought it to be. Since CIP-013 R1 just requires the entity to develop a supply chain security risk management plan (which includes the six mitigations in R1.2), almost any plan you develop by 7/1/20 will be compliant. However, every NERC entity should be thinking about more than just CIP-013 compliance, since IMHO supply chain security is the number one cybersecurity problem in the world today, especially for the electric power industry (look at Target, Stuxnet, NotPetya, Delta Airlines, and now Airbus. Look at the Russian attacks on the grid through the supply chain, as detailed by DHS and the Wall Street Journal. Look at last week’s article in the Times by Bruce Schneier).

Even if you think it’s too late to change your course for compliance on 7/1/20, you can still make changes to your CIP-013 program after that date; you just need to document why and what you’re changing. The point is that you want to make your plan as efficient (i.e. it mitigates the most supply chain cyber risk possible, given your available resources) and effective (it mitigates the risks that are most important for your organization’s BES Cyber Systems, which will usually be different from another utility’s) as possible; it’s never too late to do that, and the auditors certainly aren’t going to complain if you make a midcourse correction after 7/1/20 to improve your plan’s efficiency and effectiveness.

I’ve heard that one or two major utility organizations are planning on investing huge sums and lots of hours in CIP-013 compliance. If that’s true, I suspect that they’re doing something wrong. Everything I’ve seen so far with my CIP-013 clients leads me to believe that mitigating the risks in CIP-013 is almost entirely a matter of policies and procedures, both for your organization and for your vendors/suppliers. Nothing requires you to install expensive systems or deploy legions of consultants. This is very different from the CIP v5 rollout, since CIP-013 is very different from CIP-002 through CIP-011.

A disclaimer on each paper says (with my correction of two improper verbs, which I hope will be corrected soon on NERC’s web site) “Reliability guidelines are not binding norms or parameters to the level that compliance to NERC’s Reliability Standards is monitored or enforced. Rather, their incorporation into industry practices is strictly voluntary.”

I’ll translate this from NERC-speak (and I’m a fluent translator of NERC-speak, although I’ve so far resisted trying to speak it on my own. I’ll leave that to the experts at NERC): It says there’s nothing in these guidelines (or ones to come) that constitutes some sort of binding guidance on NERC entities or auditors as they comply with/audit CIP-013; in fact, the only document that is officially designated as guidance for CIP-013, the Implementation Guidance prepared by the Standards Drafting Team, doesn’t provide anything that’s binding either.

The SCWG’s papers are guidelines to help you develop your plan; they’re not there to tell you how to comply with CIP-013. But guess what? Complying with CIP-013 requires developing and implementing a good supply chain cyber security risk management plan. If you develop a good plan and implement it properly, you’re compliant. Period, end of story. With CIP-013, unlike with any of the current CIP standards, compliance = security. And if that doesn’t make you happy, I don’t know what will.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, has received a great response, and remains open to NERC entities and vendors of hardware or software components of BES Cyber Systems. To discuss this, you can email me at the same address.
