Monday, December 2, 2019

How to comply with CIP-013-1, part II

A couple weeks ago, I wrote part I of this post. Here’s the second and final part. The general theme of part I, and of this part II, is that,  even though I’ve perhaps overly emphasized the freedom that NERC entities have in complying with CIP-013-1, there still are things you are required to do for compliance. In part I, I described what’s mandatory for compliance with R1 and R2 (although I framed it in negative terms: what you shouldn't do if you want to comply with CIP-013. Perhaps I'm just in a more mellow mood after Thanksgiving, but this post is about what you should do, not what you shouldn't). Now I’ll look at R3.

Fortunately for me, I already looked at R3 in August 2017. I’ve just gone through that post and made a few minor changes, but overall it says exactly what I would otherwise say now. The main point of that post was that, even though the final draft of R3 pretty much doesn’t require you to do anything more than wave your R1 supply chain cyber security risk management plan in front of your CIP Senior Manager’s face and ask him or her to sign it again, the SDT really intended that you re-do the plan to account for any changes in supply chain risks, or mitigations of those risks, since the previous year. This is evidenced by language from the CIP-013 Implementation Guidance, which I quoted in the post.

However, this doesn’t mean you have to redraft your CIP-013 plan from scratch. You can certainly start with last year’s plan, but you then need to ask questions like:

  1. What new supply chain cybersecurity threats have we become aware of since the last plan was developed? (I prefer “threats” to “risks”, the word used in the requirement, but if you prefer to use “risks” I don’t have a big problem with that.) Are any of these significant enough to be added for consideration in the plan?
  2. Of course, you should also ask whether any threats should be dropped from your plan because you no longer think they’re significant enough for consideration (i.e. their likelihood of being realized is already low).
  3. What new mitigations for supply chain cyber threats are now available that were not available, or at least not known to your organization, last year[i]? Will any of these mitigate cyber threats that you currently consider to be significant?
  4. What lessons have you learned as you’ve used your CIP-013 plan in the last year? What changes should be made to any of the procedures?
  5. Has there been any further guidance from NERC or the Regions on CIP-013 compliance? It’s highly unlikely there will be any official guidance, since NERC’s rules of procedure currently don’t allow anything more than implementation guidance, which has already been published for CIP-013. Of course, by the time compliance with R3 is due – October 1, 2021 – there will certainly be indications from the new Standards Drafting Team for CIP-013-2 about what that standard will look like, although it’s very unlikely to be in force by then. You might then want to incorporate at least some of the v2 changes into your v1 plan, to get a head start on compliance with CIP-013-2.
  6. Have new guidelines been developed by other organizations, such as the NERC CIP Committee (which has put out five guideline papers already and will publish more as time goes on), NATF, NIST, EPRI, etc.? All of these documents can give you good ideas on changes you may want to make to procedures, as well as new threats and/or mitigations you should consider adding to your plan.

Of course, you need to reconsider both your plan and the procedures that implement it – they all need to be reviewed, and changed or added to if necessary.

There’s one other point about CIP-013 compliance worth noting: By 7/1/20, you also need to make sure you have your procedures documented and trained on for compliance with CIP-005-6 R2.4 and R2.5 and CIP-010-3 R1.6, which are the three new requirement parts that come into effect with CIP-013-1 on 7/1/20. Unfortunately, you can’t just reuse your procedures for CIP-013-1 R1.2.5 and R1.2.6 to comply with these other parts. These parts are incorporated in prescriptive CIP requirements, and need to be addressed the way any other prescriptive requirement is. Most importantly, you will need documentation for every instance of compliance, as I discussed in this post in 2017 – with a follow-up early this year. Note that these two posts dealt only with CIP-010-3 R1.6, but the same principle applies to CIP-005-6 R2.4 and R2.5. However, this principle is nowhere near as burdensome for the latter two requirement parts, since CIP-005 R2 is a much less prescriptive requirement than CIP-010 R1.

You should also note that CIP-005-6 R2.4 applies to Medium and High impact PACS as well as BES Cyber Systems, and R2.5 only applies to Medium and High EACMS (which, given the content of the requirement part, makes sense).

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, remains open to NERC entities and vendors of hardware or software components for BES Cyber Systems. To discuss this, you can email me at the same address.

[i] Since in my methodology I also identify vulnerabilities that allow threats to be realized, I believe that mitigations apply to the vulnerabilities, not the threats directly. When each of the vulnerabilities that enables the threat to be realized is mitigated, then the threat itself is mitigated. So I would insert a step here of identifying new vulnerabilities that enable any threats on the list to be realized, as well as removing any that are no longer relevant.
