I started talking about the NERC CIP Committee's Supply Chain Working Group in this blog back in March, including in this post. In that post, I described the five white papers the SCWG was working on, and I confidently stated that they would be published in June. Well, the wheels of NERC grind slowly, but they grind fine (most of the time). Here it is the last day of September, and they were posted today on NERC’s web site. To find them, go here and drop down “Current/Approved Security Guidelines” under “CIPC Security Guidelines”. Then drop down the “Supply Chain” item.

You’ll see a list of ten PDF files. Each of the five white papers (which are called Guidelines now, of course) has both the paper itself and slides describing the paper, which we presented before the CIPC meeting in Orlando in June.
I led the development of two of the papers: Risk Management Lifecycle and Vendor Risk Management Lifecycle. However, all of the papers are worth reading, whether your organization has to comply with CIP-013 or not; they were all put together in many meetings among SCWG members, including NERC entities and vendors. There are two more papers in the approval process, regarding risks related to cloud computing and vendor cyber incident response plans. These have both been finalized by the SCWG sub-groups that drafted them; however, given the normal approval process (including a comment period for CIPC members), I’d say those probably won’t be out until the end of the year.

The SCWG does plan to create more papers, but they definitely won’t be published this year. In fact, since these papers took six months from start of development to posting, this means any further papers might not be posted before July 1, 2020, when CIP-013 compliance is due.
However, this isn’t the tragedy that I once would have thought it to be. Since CIP-013 R1 just requires the entity to develop a supply chain security risk management plan (which includes the six mitigations in R1.2), almost any plan you develop by 7/1/20 will be compliant. However, every NERC entity should be thinking about more than just CIP-013 compliance, since IMHO supply chain security is the number one cybersecurity problem in the world today, especially for the electric power industry (look at Target, Stuxnet, NotPetya, Delta Airlines, and now Airbus; look at the Russian attacks on the grid through the supply chain, as detailed by DHS and the Wall Street Journal; and look at last week’s article in the Times by Bruce Schneier).
Even if you think it’s too late to change your course for compliance on 7/1/20, you can still make changes to your CIP-013 program after that date; you just need to document why and what you’re changing. The point is that you want to make your plan as efficient (i.e. it mitigates the most supply chain cyber risk possible, given your available resources) and effective (it mitigates the risks that are most important for your organization’s BES Cyber Systems, which will usually be different from another utility’s) as possible; it’s never too late to do that, and the auditors certainly aren’t going to complain if you make a midcourse correction after 7/1/20 to improve your plan’s efficiency and effectiveness.
I’ve heard that one or two major utility organizations are planning on investing huge sums and lots of hours in CIP-013 compliance. If that’s true, I suspect that they’re doing something wrong. Everything I’ve seen so far with my CIP-013 clients leads me to believe that mitigating the risks in CIP-013 is almost entirely a matter of policies and procedures, both for your organization and for your vendors/suppliers. Nothing requires you to install expensive systems or deploy legions of consultants. This is very different from the CIP v5 rollout, since CIP-013 is very different from CIP-002 through CIP-011.
A disclaimer on each paper says (with my correction of two improper verbs, which I hope will be corrected soon on NERC’s web site): “Reliability guidelines are not binding norms or parameters to the level that compliance to NERC’s Reliability Standards is monitored or enforced. Rather, their incorporation into industry practices is strictly voluntary.”
I’ll translate this from NERC-speak (I’m a fluent translator of NERC-speak, although I’ve so far resisted trying to speak it on my own; I’ll leave that to the experts at NERC): it says there’s nothing in these guidelines (or ones to come) that constitutes some sort of binding guidance on NERC entities or auditors as they comply with/audit CIP-013. In fact, the only document that is officially designated as guidance for CIP-013, the Implementation Guidance prepared by the Standards Drafting Team, doesn’t provide anything that’s binding either.
The SCWG’s papers are guidelines to help you develop your plan; they’re not there to tell you how to comply with CIP-013. But guess what? Complying with CIP-013 requires developing and implementing a good supply chain cyber security risk management plan. If you develop a good plan and implement it properly, you’re compliant. Period, end of story. With CIP-013, unlike with any of the current CIP standards, compliance = security. And if that doesn’t make you happy, I don’t know what will.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, has received a great response, and remains open to NERC entities and vendors of hardware or software components of BES Cyber Systems. To discuss this, you can email me at the same address.