I recently wrote the first of a two-part post about the latest article by Lew Folkerth of RF on supply chain security risk management / CIP-013 compliance. The first part of that post deals with CIP-010 R1.6, but the second part (much longer) is devoted to answering the first of six questions on CIP-013 that NERC has received. I discussed Lew’s interesting answer to that question (and also my complementary perspective on the issue). Now I’ll discuss his answers to the other five questions.
The second question Lew addresses is “If I buy routers at Office Depot, does that constitute a contract or is that just a procurement?” Lew’s answer is “Any equipment, software, or services whose acquisition is begun on or after July 1, 2020, that will become or will be directly related to a high or medium impact BES Cyber System must be acquired in accordance with your supply chain cyber security risk management plan. The plan must be used whether or not a contract is involved. The only place in the enforceable language of CIP-013-1 where the term “contract” appears is in the note to Requirement R2. Risks incurred by acquisitions from vendors such as Walmart (yes, they do carry business-grade Cisco products) or sellers of new and used equipment on eBay are some of the risks this Standard is intended to mitigate. In particular, there could be an elevated risk of compromised or counterfeit hardware from such sources[i].”
I think Lew’s answer is spot on. A contract is definitely not required for a procurement to be in scope for CIP-013. A contract is simply one means (and an important one, don’t get me wrong) of mitigating procurement risk – but it obviously won’t apply if you buy something from Office Depot, Walmart or eBay. In each procurement, your entity needs to identify the supply chain cyber risks that apply to the procurement and take steps to mitigate the most important of those risks. As Lew points out, some risks are definitely higher from those sources, such as the risk that you’ll acquire compromised or counterfeit hardware. You’ll need to take all of these into account when you conduct your risk assessment at the start of the procurement (and for more on what constitutes the start of a procurement, see below).
I also want to point out that NERC’s most recent Evidence Request Spreadsheet makes it clear that a big part of the CIP-013 audit will be focused on individual procurements. The auditors will require you to provide a list of the procurements that you started during the audit period (whether or not they’re completed), and they’ll randomly sample some of these. For each procurement that’s chosen, they’ll ask you to “provide evidence of the identification and assessment of cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).” You will need to conduct a risk assessment for every procurement, and document that you’ve identified and assessed the risks described.
The risks will vary by the product (or service) being purchased (and installed, since installation is explicitly included in R1.1). In some cases you may have a contract with the supplier or vendor, but in some cases you won’t – the risks will be somewhat different in each case. In some cases you’ll be buying from an authorized vendor (e.g. a Cisco dealer) and hopefully you won’t have to worry about the risks of counterfeit or compromised hardware, whereas in other cases you’ll buy on eBay and you will definitely need to worry about those risks. Your assessment needs to take into account the risks that apply to that procurement, and you need to have a defined methodology for identifying those risks (rather than just relying on whoever is doing the assessment to decide for themselves what the risks are).
The third question Lew addresses is “Will a Responsible Entity be expected to perform and document initial cyber security risk assessments on all its existing vendors that provide their BES Cyber System products and services prior to the compliance effective date?” Lew responds: “No, CIP-013-1 affects only new procurements. This answer is supported by the General Considerations section of the Implementation Plan: ‘In implementing CIP-013-1, responsible entities are expected to use their Supply Chain Cyber Security Risk Management Plans in procurement processes (e.g., Request for Proposal, requests to entities negotiating on behalf of the responsible entity in the case of cooperative purchase agreements, master agreements that the responsible entity negotiates after the effective date, or direct procurements covered under the responsible entity’s plan) that begin on or after the effective date of CIP-013-1. Contract effective date, commencement date, or other activation dates specified in a contract do not determine whether the procurement action is within scope of CIP-013-1.’”
Lew continues: “In order to determine the begin date of a procurement, you must document that date in a manner suitable for use as audit evidence. Without such documentation, audit teams will use the earliest date that provides reasonable assurance of the beginning of the procurement process.”
The fourth question is closely related to the third: “If I procured hardware or software from a vendor prior to 7/1/2020, but installed that hardware or software after that date, must I perform a risk assessment of that vendor?”
Lew responds: “Risk assessments of vendors that provided equipment, software, or services prior to the CIP-013-1 effective date of July 1, 2020, are not required. Any procurements for high or medium impact BES Cyber Systems equipment, software, or services begun after July 1, 2020, must be performed in accordance with your documented CIP-013-1 R1 supply chain cyber security risk management plan. Any software installed on or after July 1, 2020, must have its identity and integrity verified, regardless of when the software was obtained.”
Of course, Lew’s last sentence refers to R1.2.5. And this bears emphasizing: the risks addressed in R1.2.1 through R1.2.6 all have to do not with the actual procurement of products or services, but with the vendor’s actions after your organization has purchased and installed them. So these apply to every Medium or High impact BES Cyber System in your environment, not just those purchased after 7/1/20.
The fifth question is “Contracts for procurement that are in place prior to July 1, 2020, are not in scope for CIP-013. What about contract renewals?” This is a very good question. Lew answers: “CIP-013-1 applies to any procurements begun after July 1, 2020, regardless of the existence of a standing contract, and regardless of any revisions to such a contract. You are not required to invalidate or renegotiate any contract, but you must demonstrate that any procurement begun after July 1, 2020, has been performed in accordance with your supply chain cyber security risk management plan. You will need to establish a beginning date for the procurement. The effective date of a contract is not necessarily the beginning of a procurement. The beginning date might be the date of an expenditure authorization or a request for bid, quote, etc. You will then need to show how you followed your risk management plan throughout the acquisition.”
Lew is speaking very carefully here, since he’s not allowed to go beyond what is stated in the standard (or the SDT’s CIP-013 Implementation Guidance, which is the only official guidance on CIP-013). What I think he’s saying is “In the case of standing contracts under which you can buy products at widely separated intervals, you need to determine whether you’re actually starting a new procurement, or just taking another delivery as part of an existing procurement.”
This might sound pretty arbitrary to you, and it’s certainly not clearly defined (nor is it meant to be). In my opinion, the question should be “Have the risks changed since the last time I ordered this product?” If you just ordered the product three months ago, I doubt the risks have changed very much in that time, and I’d say this isn’t a new procurement. On the other hand, if it’s been two years since you last ordered the product, I would say it’s definitely a new procurement.
Remember, every 15 months you’re obliged to reconsider your whole R1.1 plan, which means re-identifying the risks you will mitigate. Some risks will drop out, but other risks will be added (or at least they should be; if you simply mitigate the same risks year after year, I’d say you’re doing something wrong – you have to “identify and assess” risks every 15 months, which means it’s unlikely you’ll end up with exactly the same set of risks year after year).
Another reason why you might want to declare a new procurement is if the vendor has made some substantial changes in the product since the last time you ordered it. You need to examine whether any of those changes have resulted in changes in the risks posed by the product. Or perhaps your own environment has changed, and that has introduced new risks and/or (hopefully) effectively mitigated other risks. You need to consider all of these things in deciding whether this is a new procurement or not.
The last question is interesting: “My source for equipment says that they are not a ‘vendor’, but rather a ‘supplier’, and so they are not subject to CIP-013-1. How do I answer this?”
Lew answers: “Any organization or person that supplies equipment, software, or services to your entity must be considered a ‘vendor’ in the meaning of CIP-013-1. Your ‘supplier’ is quite correct to say that they are not subject to CIP-013. Only NERC Registered Entities that are procuring hardware, software, or services that will become or that will directly affect high or medium impact BES Cyber Systems are subject to CIP-013-1. It is your relationship with each vendor, supplier, etc. that is subject to CIP-013-1, not the vendor itself. In managing that relationship you may use many tools, including purchase or acquisition contracts, existing vendor practices such as incident notification, existing or emerging security practices, such as software verification, vendor web site features such as digital certificates and digital signatures, and so forth. Although you may choose to manage your vendors through contracts, CIP-013-1 does not explicitly require this. If your vendor will provide a feature or a service as part of its ongoing security practices, there may be no requirement for a contract for such matters. And you may show that the implementation of your risk management plan accomplishes its goal of reducing supply chain risk by means other than contracts.”
Of course, Lew is very right on all of this. He makes these two important points:
- It doesn’t matter what the organization calls itself. If you’re purchasing BCS hardware, software or services from them (that will be used at Medium or High impact BES assets), or if they develop software or manufacture hardware that you buy through another entity (like a dealer), that procurement is in scope for CIP-013. I would go further and point out that the risks posed by a supplier (the developer or manufacturer) are very different from those posed by the vendor (the dealer, distributor, systems integrator, etc.). It’s actually very advantageous to distinguish suppliers from vendors, since doing so lets you address supply chain risks with a surgical knife rather than a chain saw.
- You shouldn’t get hung up on contracts with CIP-013 (which a lot of people do). Contracts are just one tool for managing risk, but there are a number of other tools you can use for that. I’d go further and say that you’re making a big mistake if you’re planning on making contract language your primary means for mitigating supply chain risks for CIP-013. You’re overusing the most expensive (and contentious) tool in your toolbox. Try to mitigate as much risk as you can with other means before relying on contract language to solve your problems. And remember: just getting some language into a contract doesn’t itself show you’ve mitigated any risk. You need to show you’re taking steps to verify that the vendor/supplier is actually doing what they promised to do, whether they promised it in contract language, in a letter to you, in a phone call, in a message in a bottle, etc.
This concludes Lew’s article. I asked him what readers who want to ask other questions should do to get answers. He replied “If readers have additional questions they should send them to me. I can’t promise to answer all questions, but I’ll try. RF entities will have first priority. Entities from other regions will either be referred to that region or the answer will be coordinated with their region.” So just email your questions to Lew; the address is in the box at the end of the article. And you should probably mention what Region you’re part of.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, has received a great response, and remains open to NERC entities and vendors of hardware or software components of BES Cyber Systems. To discuss this, you can email me at the same address.
[i] Lew continues this answer for another paragraph, but I don’t think that’s terribly important to discuss here. You can read it for yourself!