A couple of weeks ago, I wrote part I of this post. Here’s the second and final part. The general theme of part I, and of this part II, is that, even though I’ve perhaps overly emphasized the freedom that NERC entities have in complying with CIP-013-1, there still are things you are required to do for compliance. In part I, I described what’s mandatory for compliance with R1 and R2 (although I framed it in negative terms: what you shouldn't do if you want to comply with CIP-013. Perhaps I'm just in a more mellow mood after Thanksgiving, but this post is about what you should do, not what you shouldn't). Now I’ll look at R3.
Fortunately for me, I already looked at R3 in August 2017. I’ve just gone through that post and made a few minor changes, but overall it says exactly what I would otherwise say now. The main point of that post was that, even though the final draft of R3 pretty much doesn’t require you to do anything more than wave your R1 supply chain cyber security risk management plan in front of your CIP Senior Manager’s face and ask him or her to sign it again, the SDT really intended that you re-do the plan to account for any changes in supply chain risks, or mitigations of those risks, since the previous year. This is evidenced by language from the CIP-013 Implementation Guidance, which I quoted in the post.
However, this doesn’t mean you have to redraft your CIP-013 plan from scratch. You can certainly start with last year’s plan, but you then need to ask questions like:

- What new supply chain cybersecurity threats (I prefer this word to “risks”, which is in the requirement. But if you prefer to use risks, I don’t have a big problem with that) have we become aware of since the last plan was developed? Are any of these significant enough to be added for consideration in the plan?
- Of course, you should also ask whether any threats should be dropped from your plan because you no longer think they’re significant enough for consideration (i.e. their likelihood of being realized is already low).
- What new mitigations for supply chain cyber threats are now available that were not available, or at least not known to your organization, last year[i]? Will any of these mitigate cyber threats that you currently consider to be significant?
- What lessons have you learned as you’ve used your CIP-013 plan in the last year? What changes should be made to any of the procedures?
- Has there been any further guidance from NERC or the Regions on CIP-013 compliance? It’s highly unlikely there will be any official guidance, since NERC’s rules of procedure currently don’t allow anything more than implementation guidance, which has already been published for CIP-013. Of course, by the time compliance with R3 is due – October 1, 2021 – there will certainly be indications from the new Standards Drafting Team for CIP-013-2 about what that standard will look like, although it’s very unlikely to be in force by then. You might then want to incorporate at least some of the v2 changes into your v1 plan, to get a head start on compliance with CIP-013-2.
- Have new guidelines been developed by other organizations, such as the NERC CIP Committee (which has put out five guideline papers already and will publish more as time goes on), NATF, NIST, EPRI, etc.? All of these documents can give you good ideas on changes you may want to make to procedures, as well as new threats and/or mitigations you should consider adding to your plan.
Of course, you need to reconsider both your plan and the procedures that implement it – they all need to be reviewed, and changed or added to if necessary.
There’s one other point about CIP-013 compliance I want to point out: by 7/1/20, you also need to make sure you have your procedures documented and trained on for compliance with CIP-005-6 R2.4 and R2.5 and CIP-010-3 R1.6, which are the three new requirement parts that come into effect with CIP-013-1 on 7/1/20. Unfortunately, you can’t just use your procedures for CIP-013-1 R1.2.5 and R1.2.6 to comply with these other parts. These parts are incorporated in prescriptive CIP requirements, and need to be addressed in the same way. Most importantly, you will need documentation for every instance of compliance, as I discussed in this post in 2017 – with a follow-up early this year. Note that these two posts just dealt with CIP-010-3 R1.6, but the same principle applies to CIP-005-6 R2.4 and R2.5. However, this principle is nowhere near as burdensome in the latter two requirement parts, since CIP-005 R2 is a much less prescriptive requirement than CIP-010 R1.
You should also note that CIP-005-6 R2.4 applies to Medium and High impact PACS as well as BES Cyber Systems, and R2.5 only applies to Medium and High EACMS (which, given the content of the requirement part, makes sense).

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, remains open to NERC entities and vendors of hardware or software components for BES Cyber Systems. To discuss this, you can email me at the same address.
[i] Since in my methodology I also identify vulnerabilities that allow threats to be realized, I believe that mitigations apply to the vulnerabilities, not the threats directly. When each of the vulnerabilities that enables the threat to be realized is mitigated, then the threat itself is mitigated. So I would insert a step here of identifying new vulnerabilities that enable any threats on the list to be realized, as well as removing any that are no longer relevant.