Wednesday, October 30, 2019

An ex-auditor makes a point about CIP-013 plans

In my post on Monday, I suggested that any NERC entity that has to comply with CIP-013-1 by July 1, 2020 submit its R1 plan to its Region for review by March of next year. The reason for this suggestion is that many Regions won’t want to review plans after the compliance date, and it’s important to get your plan in to them in time to make sure it gets reviewed – since there will presumably be a lot of other entities with the same idea.

Kevin Perry, former Chief CIP Auditor of SPP RE, emailed and pointed out to me that March might well be too late. For one, the auditors have day jobs to do, and given the likely crush of entities wanting plan review, it’s very possible they won’t be able to review all of the plans by July 1. But even more importantly, you want to have enough time to make whatever changes the auditor suggested, before the compliance date. So I’m going back to my original suggestion that you should aim to submit your plan to your Region by January. And if you can’t make that date, do your best.

However, as I said in Monday’s post, I think the Regions that tell you they can’t review your CIP-013 plan after the compliance date don’t understand that the principle of auditor independence shouldn’t apply to a standard that simply requires you to develop and implement a supply chain cyber security risk management plan. The requirement in question (R1.1) provides just about zero guidance on what should be in that plan – at least in the requirement itself, which is of course the only “guidance” that counts in NERC, since it alone is binding on both auditor and entity.

However, this isn’t necessarily a problem with CIP-013. The problem is with most of the other CIP requirements, which are prescriptive and create the illusion that it’s possible to mitigate cybersecurity risks in the same way that you address electric operational risks. The latter are based on the laws of physics, which – as far as I know – don’t change from year to year or entity to entity. Cyber risks, on the other hand, can never be specified to any degree of rigor, which is why prescriptive requirements make very little sense in cyber. For the same reason, IMHO auditor independence also doesn’t make sense when it comes to CIP. And it especially doesn’t make sense when it comes to CIP-013, since the standard doesn’t prescribe anything in particular.

This, by the way, is part of what I’ll be talking about in my webinar on Nov. 7. You might want to check it out.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, remains open to NERC entities and vendors of hardware or software components for BES Cyber Systems. To discuss this, you can email me at the same address.
