I will admit
that I’ve emphasized a little too much that there are many possible ways to
comply with CIP-013 R1, and I need to swing the pendulum back in the other
direction a little. While it’s true that the standard gives you very little to
go on regarding what should be in your R1 plan, it’s also true that there are
some things that definitely are
required. This is especially true since NERC provided good information in their
most recent Evidence Request Tool about what audits will focus on. If something
will be audited on, you need to do it – at least that’s what my parents raised
me to believe.
This post
(and part II to follow very shortly) describes mistakes you can make, that can
lead to your being non-compliant with CIP-013.
I. You don’t address both R1.1 and R1.2 in
your plan
I’m sure
that, even a year after FERC approved CIP-013, many long-time NERC compliance
professionals look at R1 and have the following reactions:
- Their eyes glaze over when they read 1.1. All this talk
about identifying and assessing risks, without telling you any concrete
steps that you need to undertake, sounds like some sort of mystic writing
from the Upanishads,
not a NERC requirement. Every other NERC requirement they’ve seen tells
you exactly what you need to do and when you need to do it, period.
- When their eyes fall on R1.2, they grab onto it like an
old friend, even though it’s a friend that’s changed since the last time
they saw him. The six items in R1.2 don’t tell you exactly what you need
to do and when, but they at least do tell you particular objectives you
need to meet, such as “Disclosure by vendors of known vulnerabilities
related to the products or services provided to the Responsible Entity”.
It’s
inevitable that many of these people will decide that R1.2 is the whole of R1,
meaning that as long as their plan covers these six risks (there are actually
eight, since R1.2.5 and R1.2.6 address two risks each), they’re fine. In fact, when
a vendor of a software tool to aid in CIP-013 compliance spoke at GridSecCon,
it was clear that he thought R1.2 was all that was required to be in the entity’s
supply chain cyber security risk management plan.
Well, it’s
not. R1.1 isn’t there just for the fun of it, but because the CIP-013 drafting
team was taking FERC seriously when they said in Order
829 that NERC entities should identify supply chain risks to mitigate.
True, FERC did require all of the specific items in R1.2 at various points in their Order – and the SDT helpfully gathered them all into one place
in the standard – but these are in no way intended to be the only supply chain
risks that NERC entities face, or even the most important ones. It’s still up
to the entity to identify (in complying with R1.1) other risks that are
important and mitigate those, along with the risks in R1.2.
And if you
don’t believe me, take a look at NERC’s Evidence Request Spreadsheet 3.0,
discussed in the last item below.
II. You don’t address the five risk
categories in R1.1
Although
it’s not too obvious, R1.1 identifies five categories of supply chain risk that
need to be “identified and assessed” in your plan. They are[i]:
- Product risks from procurement of equipment and software;
- Risks from procurement of services applying to BCS
equipment and software;
- Product risks from installation of equipment and software;
- Risks from use of services for BCS (Note: This applies to services on all of your Medium and High impact BCS, not just those you procure after 7/1/20);
and
- Transitions between vendors.
Of course,
each of these risk categories can include many different risks. I’ll provide
one example for each category:
- The risk that a supplier’s software development
environment will be compromised, and someone will plant a backdoor in
software destined for one of your BES Cyber Systems, which they’ll later
exploit (as happened
with Delta Airlines last year, although in their case it was 800,000
credit card numbers that were stolen).
- The risk that a utility will contract with a vendor of
services for BCS who doesn’t vet their new hires properly. A person with
malicious intent will inadvertently be hired and allowed to access –
remotely or onsite – some of your BCS.
- The risk that a software product you install on one of
your BCS won’t have the most recent patches applied to it and will be
compromised after you install it.
- The risk that a vendor will fire an employee who has
onsite access to your BCS and won’t immediately tell you about it. The fired employee will come to your site and take revenge on the vendor by disabling one of
your BCS (of course, this is the risk behind R1.2.3. The risk behind
R1.2.6 – actually two risks – also falls in this category. The other four
items in R1.2 fall into category a).
- The risk that, when you leave one vendor and start
purchasing from a different one, the first vendor won’t destroy all of the
data they have stored about your BES Cyber Systems. Someone will hack into
their network and steal the data.
I freely
admit that, if you omit one of these categories in your plan (e.g. transitions between vendors), you might not be cited for a potential violation. When most people talk
about CIP-013 (including people at NERC and the Regions), they usually discuss
risks that fall into categories a and d. However, all five of these categories
are called out in R1.1. You need to at least consider all of them. If you
decide there aren’t any risks that are likely to apply to you in one of the
categories, you should document why you made this decision, but you don’t need
to try to dream up risks just for the sake of having at least one in each
category.
III. Your procedures don’t match you plan
Whatever is
in your R1 plan, there is one thing that is very certain: In R2, you need to do
what you said you would do in R1. But what if your procedures don’t match
what’s in your plan? CIP-013 isn’t that different from the other CIP standards,
in that what really counts is the procedures you write to comply with it. The
big difference is that, with say CIP-007 R2, you have to write patch management
procedures that match what the different parts of that requirement mandate.
With CIP-013 R2, you need to write supply chain security risk management
procedures that match the plan that you
developed in R1. So in R1.1, you’re literally writing the “requirements” that you have to have procedures for in
R1.2!
So how do
you avoid being non-compliant in this way? Simple (at least in theory): when
you write your plan, you need to make sure there’s nothing in it that you
aren’t positive you can do in practice. And if there’s something you’re not
sure about, take it out of the plan. You can always add it back later.
For example,
suppose you commit in your plan to conducting full security audits of say your
top five suppliers. However, when it comes time to do the supplier audits (say,
within a year of CIP-013 becoming enforceable), you realize how much staff time
and money these will require, and you begin to think of all the other things
you could do to mitigate supply chain security risks if you hadn’t committed
the time and money to audits. You should certainly be able to change your mind
at this point, but you will need to revise your plan so that it will match your
new course of action. When you’re audited, you will need to provide both plans,
as well as explain why you made the change between them (and emphasize how it
will result in greater supply chain security risk mitigation, since you'll use your resources more efficiently).
This isn’t a
new development in CIP. Since CIP v1, it has always been clear that you must
show that you complied in full with any plan or program that you develop as
part of the compliance process. For example, if in your CIP-008 R1 cyber
security incident response plan you indicate that you will take a certain step
in your incident response, yet your record of a CSIRP tabletop exercise doesn’t
indicate you took that step, you can be (and entities have been) cited for this
omission.
IV. You don’t have evidence that you
fulfilled your plan
CIP-013 R2
is also like most of the other CIP requirements, in that it requires that you
have documentation to show you did what you said you would do in your R1 plan. But
it differs from most of the other CIP requirements, in that you’re not required
– with one exception, discussed in the next section - to have documentation of every instance when you did something
that was called out in the plan.
The Measures
section of R2 says you must have “documentation to demonstrate implementation
of the supply chain cyber security risk management plan(s), which could
include, but is not limited to, correspondence, policy documents, or working
documents that demonstrate use of the supply chain cyber security risk
management plan.” In other words, you must not only show the auditors that you
developed a good R1 plan, but that you implemented the plan – yet at the same
time, you don’t have to show that you followed it without fail in every
instance.
For example,
suppose your plan says you will send out a security questionnaire to vendors
and suppliers every year. If the answers reveal that a vendor’s controls are
weak in a particular area, you will talk with them to point out that you really need them to implement these controls, and to ask if they need
your help or advice in implementing those controls (e.g., maybe a vendor really
needs a SIEM, but has no experience or understanding of how to go about implementing
and maintaining that).
Do you need
to show documentation of every questionnaire you sent out and received, as well
as of every phone call or email you sent to your vendors to follow up on
deficiencies? No, but you do need to provide enough evidence to convince the
auditor that you followed up on a deficiency pointed out in a vendor's questionnaire response. The evidence can be emails, records of phone calls, notes of an in-person meeting, etc.
However,
there is one part of your plan that does
require evidence of every instance in which it was applied. I’ll talk about
that in the next section.
V. You don’t execute and document
procurement risk assessments (PRAs)
NERC’s most
recent Evidence
Request Spreadsheet v3.0 shows what evidence will be required in audit Data Requests:
- In the Level 1 DR, you will be required to “Provide each
documented plan(s) that addresses the applicable requirement parts in
CIP-013 R1.” In other words, you have to provide your plan and show it
addressed both R1.1 and R1.2.
- In the Level 1 DR, you will also have to list all of the “procurements”
that were planned or in effect for high/medium impact BCS during the audit
period. If you’re not sure exactly what a procurement is and when it starts and ends, see this
recent post.
- In the Level 2 DR, the auditors will take a random sample
of procurements from the list you provided, and ask you to provide the
following for each selected procurement:
- “..evidence of the identification and assessment
of cyber security risk(s) to the Bulk Electric System from vendor
products or services resulting from: (i) procuring and installing vendor
equipment and software; and (ii) transitions from one vendor(s) to
another vendor(s).” In other words, evidence that you complied with R1.1
in your PRA.
- “..the following evidence:
i.
Notification by the vendor of vendor-identified
incidents;
ii.
Coordination of responses to vendor-identified
incidents;
iii.
Notification by vendors when remote or onsite
access should no longer be granted to vendor representatives;
iv.
Disclosure by vendors of known vulnerabilities;
v.
Verification of software integrity and
authenticity of all software and patches provided by the vendor for use in the
BES Cyber System; and
vi.
Coordination of controls for (i)
vendor-initiated Interactive Remote Access, and (ii) system-to-system remote
access with a vendor(s).
In other words, evidence that you
complied with R1.2 in your PRA.
I think
items 1 and 2 above are fairly self-explanatory at this point. However, what
does item 3 mean? In other words, what should your PRA evidence contain, and
what documentation will you need for it? At a high level, I think it should
contain the following:
- The list of risks (although I use the term threats here)
that you considered in the PRA. Do you remember the set of threats that
you identified for mitigation in R1.1? You should consider a subset of
these, namely those that apply to the vendor or supplier in question. And how
do you determine what these are? Well, that’s magic, but if you’re
interested in more information on it, see the last paragraph below.
- How you assessed those threats, to determine which were
already mitigated (either by the supplier or vendor or by your organization itself) and which still need
to be mitigated (at this point, that usually means your organization has to mitigate them,
but there is still time to ask the supplier or vendor to help you – e.g.
require that the vendor provide a security vulnerability assessment before
shipping the product(s) to you). You do this using the vendor or supplier risk
score (which should be calculated for each threat, not just an overall
score for the vendor or supplier), combined with the product or service
risk score (which would be a single overall score for that product or
service) to get a “procurement risk score”. If that score is low, then
this risk is mitigated for this
procurement and no further action is needed on it. If it’s high or medium
(or perhaps just high, if you’re being conservative), then you do need to
determine what additional mitigations are required during the procurement
to bring it to low. In my way of seeing things, a low risk score means the
risk is mitigated - in fact, that's my definition of mitigation.
- How you determined the mitigations required in this procurement,
based on the risks you considered in the first step above (and that’s
magic, too! Again, see the last paragraph below).
Even though you
don’t need to provide instance-by-instance evidence for all other items in your
R1.1 plan, for procurements you do, since the auditors will randomly sample the
procurements and require evidence for certain ones - so you obviously need evidence for all of them before the audit. The spreadsheets, etc. that you create and utilitize as part of the PRA should be retained, and if they're properly designed, will provide compliance evidence without any further changes.
Would you like a little more
explanation of some of the things I’ve just said? I’d be glad to do that – for
your organization alone. I’m still offering a free two-hour (or less, if you
prefer) webinar on CIP-013 compliance, for anybody in your organization who
will be involved in the program. This includes people in procurement, legal,
cybersecurity, and – oh, yes! – NERC compliance. The agenda is very flexible,
so we’ll develop it in a discussion before the webinar. If you’re interested in
this offer, please drop me an email at tom@tomalrich.com,
and I’ll send you more information.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep
in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP
issues or challenges like what is discussed in this post – especially on
compliance with CIP-013. My offer of a free webinar on CIP-013, specifically
for your organization, remains open to NERC entities and vendors of hardware or
software components for BES Cyber Systems. To discuss this, you can email me at
the same address.
[i]
I’m not going to go through the reasoning I used to arrive at this list, but I
hope it won’t be too hard to discern. If you question how I got anything on
this list, drop me an email and I’ll tell you.
No comments:
Post a Comment