In my last post,
I discussed the importance of supplier/vendor security questionnaires and described
how two different suppliers – both major suppliers to electric utilities – have
described their policies for responding (or not) to questionnaires submitted to
them by their customers. I finished the post by praising one of them,
Schweitzer Engineering Laboratories, for saying they would answer all
questionnaires from customers, full stop.
However, I first described a “major OT software supplier” to the power industry,
who had put out a paper at the end of last year describing their policy toward
customer security questionnaires. Their story was more nuanced. Based just on my
reading of the letter, I summarized it in two points: a) They will be reluctant to
respond to customer security questionnaires in general, especially lengthy ones;
and b) They are now compliant with ISO 27001/2, and will be audited soon. They want
customers to look through ISO 27001 first, to see whether their certification will
address some (and hopefully most) of their questions.
I said this would be OK (with me, at least), as long as:
- ISO 27001 will answer all or most of the security questions a customer is
likely to have. However, I pointed out that, in a list of 42 questions based on
42 vulnerabilities that I and my CIP-013 clients have identified as important
enough to require industry suppliers to mitigate, I don’t think a single one is
addressed in any meaningful way in 27001. This isn’t hugely surprising, since
ISO 27001/2 (and just about every other important cybersecurity standard) is
designed to address IT threats, not OT ones. The NERC CIP standards are all
about OT.
- This supplier will help their customers find where in 27001 their questions
are answered. Simply pointing them to the document isn’t enough.
- The supplier will provide the actual audit report, since simply knowing that
the supplier passed an audit (no matter what the standard) is just about useless
for supply chain security risk management purposes. Both for CIP-013 compliance
and overall supply chain security, it’s important to know whether the supplier
has mitigated each of the risks you (the utility) have identified as important –
in the case of my clients, it’s the 42 vulnerabilities that led to the 42
questions we want to ask each supplier. These vulnerabilities came from a)
“identifying and assessing” supply chain cyber security risks to BCS, as
required by CIP-013-1 R1.1; and b) assessing the six (actually, eight)
“required” risks described in R1.2.
Because I didn’t have answers to
these questions at the time, in my post I gave this supplier an “Incomplete”
for questionnaire responsiveness, pending any answers I received from them. But
I later heard from Ron Koziy, the Director of Cyber Security & Compliance of
this organization – whom I know through the NERC CIPC Supply Chain Working
Group. Through a couple of back-and-forth emails, I confirmed that this
organization – and I can now reveal they are OSI International, which has a huge
share of the US EMS market (although they have a lot of other software offerings
as well) – will in fact answer questionnaires from customers as well. However,
before the customer sends them a questionnaire, OSI wants them to first read the
following on OSI’s secure website, which will presumably answer some of their
questions:
- The document detailing how OSI stands with respect to the NATF Criteria. I
agree this is a good first step, since most of the Criteria address real risks
to BES Cyber Systems. But as I explained in this post, these are far from being
the only risks that NERC entities should consider for their CIP-013 plans. Risks
not addressed in the Criteria include those due to a) vulnerabilities found in
fourth-party software components of the software or firmware (whether compiled
with the supplier’s own code or provided as standalone components); b) insecure
software or firmware development practices; c) insecure shipment of hardware;
d) inadequate protections for systems used for remote access to the utility's
BCS; e) inadequate anti-phishing and anti-ransomware measures on the supplier’s
part; f) vulnerabilities in open source software included in the product; and
g) lack of two-factor authentication for the supplier’s own remote access
systems (since DHS in 2018 said in a briefing that “over 200” suppliers to the
electric power industry had been penetrated by the Russians, through their own
remote access systems).
- The document (available in March) that describes the steps OSI is taking
specifically to help their customers comply with CIP-013 R1.2.1 – R1.2.6.
- The report from OSI’s ISO 27001 audit, available in April. As I’ve said
earlier, the majority of the questions in ISO 27001/2 have little or no
relevance for control systems. I pointed out in my last post that posting the
audit report will only help if OSI helps their customers find answers to
particular questions, if they’re there. Rob says they will do this, although he
also says (with my italicized notes) “Specific questions will more likely be
found in OSI procedures or policies for ISO 27001 (found on the secure website),
for which we can assist with directing customers to the specific section (of the
audit report).”
- But let’s say the above steps don’t answer all of your questions (and I can
promise they won’t answer all of my clients’ questions, since we have already
developed them – BTW, the majority of my CIP-013 clients are OSI customers);
what’s plan B? Here’s Ron’s response to that question: “If entities have
questions that have not been answered within the posted NATF criteria, please
send them to OSI at any time (i.e. now). OSI customer questions can be sent to:
CIP13@osii.com or via their account manager, or to me directly
(rob.koziy@osii.com). OSI will provide responses to all customers directly and
subsequently update our CIP-013 website with new questions and answers on a
regular basis.”
Of course, answer 4 is the key
for me, which is why I upgraded OSI’s “grade” for questionnaire responsiveness from
Incomplete to Good (like Schweitzer’s – in fact, I would now say both of their
policies for responding to security questions are very good). I also like OSI’s
idea of compiling and posting a list of these questions and their answers. This
will further reduce the likely number of questions that are still unanswered,
after the customer has spent some quality time on the OSI secure site. In fact,
I recommend that Schweitzer do the same thing.