Saturday, February 29, 2020

Good for OSI!



In my last post, I discussed the importance of supplier/vendor security questionnaires and described how two different suppliers – both major suppliers to electric utilities – have described their policies for responding (or not) to questionnaires submitted to them by their customers. I finished the post by praising one of them, Schweitzer Engineering Laboratories, for saying they would answer all questionnaires from customers, full stop.

However, I first described a “major OT software supplier” to the power industry, who had put out a paper at the end of last year describing their policy toward customer security questionnaires. Their story was more nuanced. Based just on my reading of the letter, I summarized it in two points: a) They will be reluctant to respond to customer security questionnaires in general, especially lengthy ones; and b) They are now compliant with ISO 27001/2, and will be audited soon. They want customers to look through ISO 27001 first, to see if their certification will address some (and hopefully most) of their questions.

I said this would be OK (with me, at least), as long as

  1. ISO 27001 will answer all or most of the security questions a customer is likely to have. However, I pointed out that, in a list of 42 questions based on 42 vulnerabilities that I and my CIP-013 clients have identified as important enough to require industry suppliers to mitigate, I don’t think a single one is addressed in any meaningful way in 27001. This isn’t hugely surprising, since ISO 27001/2 (and just about every other important cybersecurity standard) is designed to address IT threats, not OT ones. The NERC CIP standards are all about OT.
  2. This supplier will help their customers find where in 27001 their questions are answered. Simply pointing them to the document isn’t enough.
  3. The supplier will provide the actual audit report, since simply knowing that the supplier passed an audit (no matter what the standard) is just about useless for supply chain security risk management purposes. Both for CIP-013 compliance and overall supply chain security, it’s important to know whether the supplier has mitigated each of the risks you (the utility) have identified as important – in the case of my clients, it’s the 42 vulnerabilities that led to the 42 questions we want to ask each supplier. These vulnerabilities came from a) “identifying and assessing” supply chain cyber security risks to BCS, as required by CIP-013-1 R1.1; and b) assessing the six (actually, eight) “required” risks described in R1.2.

Because I didn’t have answers to these questions at the time, in my post I gave this supplier an “Incomplete” for questionnaire responsiveness, pending any answers I received from them. But I later heard from Rob Koziy, the Director of Cyber Security & Compliance of this organization – whom I know through the NERC CIPC Supply Chain Working Group. Through a couple of back-and-forth emails, I confirmed that this organization – and I can now reveal they are OSI International, which has a huge share of the US EMS market (although they have a lot of other software offerings as well) – will in fact answer questionnaires from customers as well. However, before the customer sends them a questionnaire, OSI wants them to first read the following on OSI’s secure website, which will presumably answer some of their questions:

  1. The document detailing how OSI stands with respect to the NATF Criteria. I agree this is a good first step, since most of the Criteria address real risks to BES Cyber Systems. But as I explained in this post, these are far from being the only risks that NERC entities should consider for their CIP-013 plans. Risks not addressed in the Criteria include those due to a) vulnerabilities found in fourth-party software components of the software or firmware (whether compiled with the supplier’s own code or provided as standalone components); b) insecure software or firmware development practices; c) insecure shipment of hardware; d) inadequate protections for systems used for remote access to the utility's BCS; e) inadequate anti-phishing and anti-ransomware measures on the supplier’s part; f) vulnerabilities in open source software included in the product; and g) lack of two-factor authentication for the supplier’s own remote access systems (since DHS in 2018 said in a briefing that “over 200” suppliers to the electric power industry had been penetrated by the Russians, through their own remote access systems).
  2. The document (available in March) that describes the steps OSI is taking specifically to help their customers comply with CIP-013 R1.2.1 – R1.2.6;
  3. The report from OSI’s ISO 27001 audit, available in April. As I’ve said earlier, the majority of the questions in ISO 27001/2 have little or no relevance for control systems. I pointed out in my last post that posting the audit report will only help if OSI helps their customers find answers to particular questions, if they’re there. Rob says they will do this, although he also says (with my italicized notes) “Specific questions will more likely be found in OSI procedures or policies for ISO 27001 (found on the secure website), for which we can assist with directing customers to the specific section (of the audit report).”
  4. But let’s say the above steps don’t answer all of your questions (and I can promise they won’t answer all of my clients’ questions, since we have already developed them – BTW, the majority of my CIP-013 clients are OSI customers); what’s plan B? Here’s Rob’s response to that question: “If entities have questions that have not been answered within the posted NATF criteria, please send them to OSI at any time (i.e. now). OSI customer questions can be sent to: CIP13@osii.com or via their account manager, or to me directly (rob.koziy@osii.com). OSI will provide responses to all customers directly and subsequently update our CIP-013 website with new questions and answers on a regular basis.”
Of course, answer 4 is the key for me, which is why I upgraded OSI’s “grade” for questionnaire responsiveness from Incomplete to Good (like Schweitzer’s – in fact, I would now say both of their policies for responding to security questions are very good). I also like OSI’s idea of compiling and posting a list of these questions and their answers. This will further reduce the likely number of questions that are still unanswered, after the customer has spent some quality time on the OSI secure site. In fact, I recommend that Schweitzer do the same thing.


