Tuesday, October 1, 2019

Lew Folkerth: Everything you always wanted to know about CIP-013, but were afraid to ask! (Part 2)



I recently wrote the first of two posts on the latest article by Lew Folkerth of RF on supply chain security risk management and CIP-013 compliance. The opening portion of that post dealt with CIP-010 R1.6, but the (much longer) remainder was devoted to the first of six questions on CIP-013 that NERC has received; there I discussed Lew’s interesting answer to that question, along with my complementary perspective on the issue. Now I’ll discuss his answers to the other five questions.

The second question Lew addresses is “If I buy routers at Office Depot, does that constitute a contract or is that just a procurement?” Lew’s answer is “Any equipment, software, or services whose acquisition is begun on or after July 1, 2020, that will become or will be directly related to a high or medium impact BES Cyber System must be acquired in accordance with your supply chain cyber security risk management plan. The plan must be used whether or not a contract is involved. The only place in the enforceable language of CIP-013-1 where the term “contract” appears is in the note to Requirement R2. Risks incurred by acquisitions from vendors such as Walmart (yes, they do carry business-grade Cisco products) or sellers of new and used equipment on eBay are some of the risks this Standard is intended to mitigate. In particular, there could be an elevated risk of compromised or counterfeit hardware from such sources[i].”

I think Lew’s answer is spot on. A contract is definitely not required for a procurement to be in scope for CIP-013. A contract is simply one means (and an important one, don’t get me wrong) of mitigating procurement risk, but it obviously won’t apply if you buy something from Office Depot, Walmart or eBay. For each procurement, your entity needs to identify the supply chain cyber risks that apply to it and take steps to mitigate the most important of those risks. As Lew points out, some risks are definitely higher from those sources, such as the risk that you’ll acquire compromised or counterfeit hardware. You’ll need to take all of these into account when you conduct your risk assessment at the start of the procurement (for more on what constitutes the start of a procurement, see below).

I also want to point out that NERC’s most recent Evidence Request Spreadsheet makes it clear that a big part of the CIP-013 audit will be focused on individual procurements. The auditors will require you to provide a list of the procurements that you started during the audit period (whether or not they’re completed), and they’ll randomly sample some of these. For each procurement that’s chosen, they’ll ask you to “provide evidence of the identification and assessment of cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).” You will need to conduct a risk assessment for every procurement, and document that you’ve identified and assessed the risks described.

The risks will vary by the product (or service) being purchased (and installed, since installation is explicitly included in R1.1). In some cases you may have a contract with the supplier or vendor, and in some cases you won’t; the risks will be somewhat different in each case. In some cases you’ll be buying from an authorized vendor (e.g. a Cisco dealer), and hopefully you won’t have to worry much about counterfeit or compromised hardware, whereas in other cases you’ll buy on eBay and will definitely need to worry about those risks. Your assessment needs to take into account the risks that apply to that particular procurement, and you need a defined methodology for identifying those risks (rather than just relying on whoever is doing the assessment to decide for themselves what the risks are).


The third question Lew addresses is “Will a Responsible Entity be expected to perform and document initial cyber security risk assessments on all its existing vendors that provide their BES Cyber System products and services prior to the compliance effective date?” Lew responds: “No, CIP-013-1 affects only new procurements. This answer is supported by the General Considerations section of the Implementation Plan: ‘In implementing CIP-013-1, responsible entities are expected to use their Supply Chain Cyber Security Risk Management Plans in procurement processes (e.g., Request for Proposal, requests to entities negotiating on behalf of the responsible entity in the case of cooperative purchase agreements, master agreements that the responsible entity negotiates after the effective date, or direct procurements covered under the responsible entity’s plan) that begin on or after the effective date of CIP-013-1. Contract effective date, commencement date, or other activation dates specified in a contract do not determine whether the procurement action is within scope of CIP-013-1.’”

Lew continues “In order to determine the begin date of a procurement, you must document that date in a manner suitable for use as audit evidence. Without such documentation, audit teams will use the earliest date that provides reasonable assurance of the beginning of the procurement process.”


The fourth question is closely related to the third: “If I procured hardware or software from a vendor prior to 7/1/2020, but installed that hardware or software after that date, must I perform a risk assessment of that vendor?”

Lew responds “Risk assessments of vendors that provided equipment, software, or services prior to the CIP-013-1 effective date of July 1, 2020, are not required. Any procurements for high or medium impact BES Cyber Systems equipment, software, or services begun after July 1, 2020, must be performed in accordance with your documented CIP-013-1 R1 supply chain cyber security risk management plan. Any software installed on or after July 1, 2020, must have its identity and integrity verified, regardless of when the software was obtained.”

Of course, Lew’s last sentence refers to R1.2.5. And this bears emphasizing: the items in R1.2.1 through R1.2.6 don’t concern the act of procurement itself, but what happens after your organization has purchased and installed the product or service: the vendor’s notification and remote access practices, and (in R1.2.5) your own verification of the integrity and authenticity of the software and patches the vendor provides. So these apply to every Medium or High impact BES Cyber System in your environment, not just those purchased after 7/1/20.
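As an added example that is not part of Tom’s post, Lew’s article, or any NERC or RF guidance, here is a small Python routine of the kind an entity could use to generate R1.2.5 evidence when it installs software after the effective date: it checks a downloaded package against a vendor-published SHA-256 manifest and writes out a record of the result. The manifest format (sha256sum-style lines), the file names and the package bytes are all constructed for illustration and stand in for whatever the vendor actually publishes.

```python
"""Software integrity check with an audit evidence record (illustrative, R1.2.5 spirit).

Added example, not code from the original post, from Lew Folkerth/RF or from NERC.
Manifest format, file names and package bytes are constructed for illustration.
"""
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

# Constructed sample "vendor package" bytes standing in for a firmware image or patch.
SAMPLE_PACKAGE = b"relay-firmware-v4.2.1 (constructed sample bytes, not a real image)\n"

# Hypothetical vendor manifest in sha256sum format: "<hex digest>  <name>" or
# "<hex digest> *<name>" (binary mode). Built here from the sample so the example
# runs offline; in practice you obtain it out of band from the vendor, not from the
# same download page as the package, otherwise an attacker who replaces the package
# can replace the digest too.
VENDOR_MANIFEST = (
    "# constructed manifest for illustration\n"
    f"{hashlib.sha256(SAMPLE_PACKAGE).hexdigest()}  relay-firmware-v4.2.1.bin\n"
    f"{hashlib.sha256(b'release-notes (constructed)').hexdigest()} *release-notes.txt\n"
)

_HEX64 = re.compile(r"[0-9a-fA-F]{64}")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the bytes as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines into {filename: digest}; skip blanks and comments."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not _HEX64.fullmatch(parts[0]):
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = parts
        if name.startswith("*"):  # sha256sum binary-mode marker
            name = name[1:]
        entries[name] = digest.lower()
    return entries


def verify_integrity(data: bytes, expected_sha256: str) -> bool:
    """Compare computed and expected digests in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def verify_package(name: str, data: bytes, manifest_text: str, verifier: str = "") -> dict:
    """Check one file against the manifest and return an evidence record to keep with
    the installation/change record."""
    manifest = parse_manifest(manifest_text)
    expected = manifest.get(name)
    record = {
        "file": name,
        "verified_at_utc": datetime.now(timezone.utc).isoformat(),
        "verified_by": verifier,
        "computed_sha256": sha256_hex(data),
        "expected_sha256": expected,
        "manifest_source": "hypothetical vendor manifest (constructed)",
    }
    if expected is None:
        record["result"] = "FAIL: file not listed in vendor manifest"
    elif verify_integrity(data, expected):
        record["result"] = "PASS"
    else:
        record["result"] = "FAIL: digest mismatch, do not install"
    return record


if __name__ == "__main__":
    ok = verify_package("relay-firmware-v4.2.1.bin", SAMPLE_PACKAGE, VENDOR_MANIFEST, "cip-sme")
    bad = verify_package("relay-firmware-v4.2.1.bin", SAMPLE_PACKAGE + b"x", VENDOR_MANIFEST, "cip-sme")
    print(json.dumps([ok, bad], indent=2))
```

A matching digest shows only that the bytes you hold are the bytes the manifest describes; it says nothing about who wrote the manifest. The identity (authenticity) half of R1.2.5 comes from how you obtained that manifest: a vendor-signed manifest, a code-signing certificate chain you can validate, or at least an authenticated vendor channel. That step is deliberately outside this example, and the evidence record should state which of those methods was used.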


The fifth question is “Contracts for procurement that are in place prior to July 1, 2020, are not in scope for CIP-013. What about contract renewals?” This is a very good question. Lew answers “CIP-013-1 applies to any procurements begun after July 1, 2020, regardless of the existence of a standing contract, and regardless of any revisions to such a contract. You are not required to invalidate or renegotiate any contract, but you must demonstrate that any procurement begun after July 1, 2020, has been performed in accordance with your supply chain cyber security risk management plan. You will need to establish a beginning date for the procurement. The effective date of a contract is not necessarily the beginning of a procurement. The beginning date might be the date of an expenditure authorization or a request for bid, quote, etc. You will then need to show how you followed your risk management plan throughout the acquisition.”

Lew is speaking very carefully here, since he’s not allowed to go beyond what is stated in the standard (or the SDT’s CIP-013 Implementation Guidance, which is the only official guidance on CIP-013). What I think he’s saying is “In the case of standing contracts in which you can buy products at widely separated intervals, you need to determine when you’re actually starting a new procurement, or just taking another delivery as part of an existing procurement.”

This might sound pretty arbitrary, and it’s certainly not clearly defined (nor is it meant to be). In my opinion, the question should be “Have the risks changed since the last time I ordered this product?” If you just ordered the product three months ago, I doubt the risks have changed very much in that time, and I’d say this isn’t a new procurement. On the other hand, if it’s been two years since you last ordered the product, I would say it’s definitely a new procurement.

Remember, every 15 months you’re obliged to reconsider your whole R1.1 plan, which means re-identifying the risks you will mitigate. Some risks will drop out and others will be added, or at least they should be: if you simply mitigate the same risks year after year, I’d say you’re doing something wrong. You have to “identify and assess” risks every 15 months, and it’s unlikely you’ll end up with exactly the same set each time.

Another reason why you might want to declare a new procurement is if the vendor has made some substantial changes in the product since the last time you ordered it. You need to examine if any of those changes have resulted in changes in the risks posed by the product. Or perhaps your own environment has changed, and that has introduced new risks and/or (hopefully) effectively mitigated other risks. You need to consider all of these things in deciding whether this is a new procurement or not.


The last question is interesting. “My source for equipment says that they are not a ‘vendor’, but rather a ‘supplier’, and so they are not subject to CIP-013-1. How do I answer this?”

Lew answers “Any organization or person that supplies equipment, software, or services to your entity must be considered a ‘vendor’ in the meaning of CIP-013-1. Your ‘supplier’ is quite correct to say that they are not subject to CIP-013. Only NERC Registered Entities that are procuring hardware, software, or services that will become or that will directly affect high or medium impact BES Cyber Systems are subject to CIP-013-1. It is your relationship with each vendor, supplier, etc. that is subject to CIP-013-1, not the vendor itself. In managing that relationship you may use many tools, including purchase or acquisition contracts, existing vendor practices such as incident notification, existing or emerging security practices, such as software verification, vendor web site features such as digital certificates and digital signatures, and so forth. Although you may choose to manage your vendors through contracts, CIP-013-1 does not explicitly require this. If your vendor will provide a feature or a service as part of its ongoing security practices, there may be no requirement for a contract for such matters. And you may show that the implementation of your risk management plan accomplishes its goal of reducing supply chain risk by means other than contracts.”

Of course, Lew is very right on all of this. He makes these two important points:

  1. It doesn’t matter what the organization calls itself. If you’re purchasing BCS hardware, software or services from them (that will be used at Medium or High impact BES assets), or if they develop software or manufacture hardware that you buy through another entity (like a dealer), that procurement is in scope for CIP-013. I would go further and point out that the risks posed by a supplier (the developer or manufacturer) are quite different from those posed by the vendor (the dealer, distributor, systems integrator, etc.). It’s actually very advantageous to distinguish suppliers from vendors, since doing so lets you address supply chain risks with a surgical knife rather than a chain saw.
  2. You shouldn’t get hung up on contracts with CIP-013 (as a lot of people do). Contracts are just one tool for managing risk; there are a number of others you can use. I’d go further and say you’re making a big mistake if you plan to make contract language your primary means of mitigating supply chain risks for CIP-013: you’d be overusing the most expensive (and contentious) tool in your toolbox. Mitigate as much risk as you can by other means before relying on contract language to solve your problems. And remember: just getting some language into a contract doesn’t by itself show you’ve mitigated any risk. You need to show you’re taking steps to verify that the vendor/supplier is actually doing what they promised, whether they promised it in contract language, in a letter to you, in a phone call, in a message in a bottle, etc.

This concludes Lew’s article. I asked him what readers who want to ask other questions should do to get answers. He replied “If readers have additional questions they should send them to me. I can’t promise to answer all questions, but I’ll try. RF entities will have first priority. Entities from other regions will either be referred to that region or the answer will be coordinated with their region.” So just email your questions to Lew; the address is in the box at the end of the article. And you should probably mention what Region you’re part of.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, has received a great response, and remains open to NERC entities and vendors of hardware or software components of BES Cyber Systems. To discuss this, you can email me at the same address.


[i] Lew continues this answer for another paragraph, but I don’t think that’s terribly important to discuss here. You can read it for yourself!
