NERC, please postpone the CIP-013 compliance date

I think the CIP-013 compliance date, currently set for July 1, needs to be postponed. I think October 1, 2020 would be an appropriate target, although that might have to be re-thought if the Covid-19 epidemic in the US lasts more than a couple months. I have two reasons for saying this:

First: Obviously, the country is in a serious – and rapidly growing – health crisis. It will probably result in a number of CIP Exceptional Circumstances declarations within a week or two. For perspective on how fast the number of cases is growing, last Tuesday morning the reported number of cases in the US was 6. This morning (9 days later) it was over 1,500. It will definitely be over 2,000 this weekend, probably a lot more than that. And the big problem is that there are without a doubt thousands of people walking around now who are infected but don’t know it (or they may have some symptoms but for whatever reason – lack of health insurance, no sick leave, etc. – they don’t want to get tested, even if they could. Only a little more than 5,000 people have been tested in total, whereas in South Korea they’ve been able to test 10,000 people a day for 2 or 3 weeks).

One of my clients on the West coast has ordered all employees who aren’t absolutely essential to operations to work from home. Naturally, that includes just above everyone who is involved in getting ready for CIP-013 compliance. So that process has ground to a halt for now. It won’t be long before a lot of other utilities are in the same situation. In fact, I’m sure all onsite audits will be cancelled pretty soon, by all Regions (just like all of the spring compliance workshops are being cancelled. I got two notices this week). Even if the auditors are still willing to travel, the lawyers will ultimately tell management that the liability would be too huge if the auditor were infected beforehand, and infected everyone at the utility he was auditing, or conversely if the auditor got infected on an audit and became very sick or died.

Second: Even if Covid-19 hadn’t happened, NERC entities are in general way behind where they should be in terms of having a good supply chain cyber risk management program developed and implemented by July 1. Will they be compliant on that date after all? Probably, since all that’s required for CIP-013 compliance is that the entity have some sort of plan written, and that whatever’s in the plan – no matter how minimal – be implemented. But the whole idea of CIP-013 was not to give the industry a standard that they could all be compliant with if they’re minimally competent, but to – you know – help them meet the number two cybersecurity challenge worldwide (after ransomware), namely supply chain security. It will be quite a shame if the rush to the compliance date leaves utilities with a bunch of slap-dash plans, put in place because they decided they had to just write something at the last minute, rather than well thought-out plans that actually identify, assess and mitigate supply chain cyber risks.

And why are NERC entities not ready for CIP-013? Because they are hungry for guidance on how to comply, not just guidelines like the NERC FAQ, the SCWG’s white papers, the NATF documents, etc. Guidelines are deliberately designed not to provide guidance on compliance (in fact, it always took a lot of effort, while the SCWG was developing the white papers last year, to get people to understand that we couldn’t say anything at all about CIP-013. Even though I was one of the leading Nazis on that subject, I also forgot sometimes, like when someone pointed out that one of the white papers whose development I led included a couple references to BES Cyber Systems!).

Unfortunately, NERC is absolutely certain that to provide any guidance at all on compliance would be a violation of the hallowed principle of Auditor Independence – which basically says that, if the auditor (or auditing organization) gives an organization any sort of compliance guidance and then audits them, they’re just auditing themselves. This is because it’s just human nature that any person, auditor or not, will give a passing grade to someone that simply implemented the advice they provided.

In the long run-up to CIP v5 (mainly 2014 and 2015), when there were constant complaints about people not understanding how to comply with v5 - given the various definitions (like Programmable) that were absolutely essential to compliance but which were nowhere to be found in the NERC Glossary, as well as other ambiguities and requirements that are implicit but not actually stated – NERC made a lot of efforts to produce real guidance in the form of Lessons Learned, and finally the dreaded Memoranda. But literally every document NERC produced that provided real guidance (such as a very good Lesson Learned that defined Programmable) got shot down by the lawyers (or whoever) and was removed from the web site.

I had always accepted the sacredness of auditor independence, assuming that it was enshrined in the NERC Rules of Procedure or maybe GAGAS – but when I finally went to look for it there, I couldn’t find it. And I’ve talked to others, including some who are part of the NERC ERO, who have confirmed that auditor independence isn’t mentioned anywhere in the governing documents for NERC. So why does NERC make such a big thing of auditor independence?

I attribute it to the fact that NERC made the mistake of bringing in a Big Four financial auditing firm to train them (and the Regions) on auditing a number of years ago. With financial auditing, auditor independence is absolutely critical, so I’m sure this firm emphasized it constantly. After all, it’s much better to let a company make mistakes in their accounting than to compromise the auditing process, so that the auditors might deliberately overlook financial wrongdoing.

However, with cybersecurity there’s no such thing as “the letter of the law”. The goal of cybersecurity is to improve the odds that you won’t get hacked (or be infected with ransomware, etc); it’s not to comply with deterministic rules like the tax code or the laws of physics (which is ultimately what “enforces” the NERC Operations and Planning standards. You do or don’t do something important, and – if other conditions are right – you absolutely will cause some sort of BES event). For financial rules and the O&P standards, rigid prescriptive requirements are the only way to go, with the integrity of audits protected by strict auditor independence rules.

So with CIP, there’s no harm done if NERC or one of the Regions helps an entity become compliant. Sure, they’ll almost certainly pass their next audit, unlike an entity that didn’t receive any help. But they would be – you know – much more secure. And the last time I looked, securing the BES was the goal of the CIP standards, right? Please let me know if something has changed, but I believe that’s still the idea…

However, I somewhat doubt NERC is going to throw over the idea of auditor independence anytime soon, meaning it’s very likely that, come July 1, NERC entities will still be as confused about CIP-013 compliance as they are now. I might have advocated pushing the date back anyway, as I did repeatedly in the runup to CIP v5 compliance. But now with Covid-19 upending basically the entire world’s plans, I’d definitely say that a 3-month delay in the CIP-013 date wouldn’t be a huge problem in the grand scheme of things, and would lead to a much more secure BES at the same time.

Note to NERC: I realize you will need FERC's approval to push the date back, just as you did with CIP v5 in 2016. But my guess is they'll be glad to do this. Why wouldn't they?

Note to the Trade Associations: In the CIP v5 postponement, you folks took the lead in requesting FERC to postpone the date, and NERC actually filed a brief opposing the move. So you may have to take the lead again, although I hope not.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, remains open to NERC entities and vendors of hardware or software components for BES Cyber Systems. To discuss this, you can email me at the same address.