I think the CIP-013 compliance
date, currently set for July 1, needs to be postponed. I think October 1, 2020
would be an appropriate target, although that might have to be re-thought if
the Covid-19 epidemic in the US lasts more than a couple months. I have two reasons
for saying this:
First: Obviously, the country is
in a serious – and rapidly growing – health crisis. It will probably result in
a number of CIP Exceptional Circumstances declarations within a week or two. For
perspective on how fast the number of cases is growing, last Tuesday morning
the reported number of cases in the US was 6. This morning (9 days later) it
was over 1,500. It will definitely be over 2,000 this weekend, probably a lot
more than that. And the big problem is that there are without a doubt thousands
of people walking around now who are infected but don’t know it (or they may
have some symptoms but for whatever reason – lack of health insurance, no sick
leave, etc. – they don’t want to get tested, even if they could. Only a little
more than 5,000 people have been tested in total, whereas in South Korea they’ve
been able to test 10,000 people a day for 2 or 3 weeks).
One of my clients on the West
coast has ordered all employees who aren’t absolutely essential to operations
to work from home. Naturally, that includes just about everyone who is involved
in getting ready for CIP-013 compliance. So that process has ground to a halt
for now. It won’t be long before a lot of other utilities are in the same
situation. In fact, I’m sure all onsite audits will be cancelled pretty soon,
by all Regions (just like all of the spring compliance workshops are being
cancelled. I got two notices this week). Even if the auditors are still willing
to travel, the lawyers will ultimately tell management that the liability would
be too huge if the auditor were infected beforehand, and infected everyone at
the utility he was auditing, or conversely if the auditor got infected on an
audit and became very sick or died.
Second: Even if Covid-19 hadn’t
happened, NERC entities are in general way behind where they should be in terms
of having a good supply chain cyber risk management program developed and
implemented by July 1. Will they be compliant on that date after all? Probably,
since all that’s required for CIP-013 compliance is that the entity have some
sort of plan written, and that whatever’s in the plan – no matter how minimal –
be implemented. But the whole idea of CIP-013 was not to give the industry a
standard that they could all be compliant with if they’re minimally competent,
but to – you know – help them meet the number two cybersecurity challenge
worldwide (after ransomware), namely supply chain security. It will be quite a
shame if the rush to the compliance date leaves utilities with a bunch of
slapdash plans, put in place because they decided they had to just write something
at the last minute, rather than well-thought-out plans that actually identify,
assess and mitigate supply chain cyber risks.
And why are NERC entities not
ready for CIP-013? Because they are hungry for guidance on how to
comply, not just guidelines like the NERC FAQ,
the SCWG’s white
papers, the NATF documents, etc. Guidelines are deliberately designed not
to provide guidance on compliance (in fact, it always took a lot of effort,
while the SCWG was developing the white papers last year, to get people to
understand that we couldn’t say anything at all about CIP-013. Even though I
was one of the leading Nazis on that subject, I also forgot sometimes, like
when someone pointed out that one of the white papers whose development I led
included a couple references to BES Cyber Systems!).
Unfortunately, NERC is
absolutely certain that to provide any guidance at all on compliance would be a
violation of the hallowed principle of Auditor Independence – which basically
says that, if the auditor (or auditing organization) gives an organization any
sort of compliance guidance and then audits them, they’re just auditing
themselves. This is because it’s just human nature that any person, auditor or
not, will give a passing grade to someone that simply implemented the advice
they provided.
In the long run-up to CIP v5
(mainly 2014 and 2015), when there were constant complaints about people not
understanding how to comply with v5 – given the various definitions (like Programmable)
that were absolutely essential to compliance but which were nowhere to be found
in the NERC Glossary, as well as other ambiguities and requirements
that are implicit but not actually stated – NERC made a lot of efforts to
produce real guidance in the form of Lessons Learned, and finally the dreaded
Memoranda. But literally every document NERC produced that provided real
guidance (such as a very good Lesson Learned that defined Programmable) got
shot down by the lawyers (or whoever) and was removed from the web site.
I had always accepted the
sacredness of auditor independence, assuming that it was enshrined in the NERC
Rules of Procedure or maybe GAGAS – but when I finally went to look for it
there, I couldn’t find it. And I’ve talked to others, including some who are
part of the NERC ERO, who have confirmed that auditor independence isn’t
mentioned anywhere in the governing documents for NERC. So why does NERC make
such a big thing of auditor independence?
I attribute it to the fact that
NERC made the mistake of bringing in a Big Four financial auditing firm to
train them (and the Regions) on auditing a number of years ago. With financial
auditing, auditor independence is absolutely critical, so I’m sure this firm
emphasized it constantly. After all, it’s much better to let a company make
mistakes in their accounting than to compromise the auditing process, so that
the auditors might deliberately overlook financial wrongdoing.
However, with cybersecurity
there’s no such thing as “the letter of the law”. The goal of cybersecurity is
to improve the odds that you won’t get hacked (or be infected with ransomware,
etc); it’s not to comply with deterministic rules like the tax code or the laws
of physics (which is ultimately what “enforces” the NERC Operations and
Planning standards. You do or don’t do something important, and – if other conditions
are right – you absolutely will cause some sort of BES event). For financial
rules and the O&P standards, rigid prescriptive requirements are the only
way to go, with the integrity of audits protected by strict auditor
independence rules.
So with CIP, there’s no harm
done if NERC or one of the Regions helps an entity become compliant. Sure, they’ll
almost certainly pass their next audit, unlike an entity that didn’t receive
any help. But they would be – you know – much more secure. And the last
time I looked, securing the BES was the goal of the CIP standards, right?
Please let me know if something has changed, but I believe that’s still the idea…
However, I somewhat doubt NERC
is going to throw over the idea of auditor independence anytime soon, meaning
it’s very likely that, come July 1, NERC entities will still be as confused
about CIP-013 compliance as they are now. I might have advocated pushing the
date back anyway, as I did repeatedly
in the run-up to CIP v5 compliance. But now with Covid-19 upending basically the
entire world’s plans, I’d definitely say that a 3-month delay in the CIP-013
date wouldn’t be a huge problem in the grand scheme of things, and would lead
to a much more secure BES at the same time.
Note to NERC: I realize you will need FERC's approval to push the date back, just as you did with CIP v5 in 2016. But my guess is they'll be glad to do this. Why wouldn't they?
Note to the Trade Associations: In the CIP v5 postponement, you folks took the lead in requesting FERC to postpone the date, and NERC actually filed a brief opposing the move. So you may have to take the lead again, although I hope not.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep
in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP
issues or challenges like what is discussed in this post – especially on
compliance with CIP-013. My offer of a free webinar on CIP-013, specifically
for your organization, remains open to NERC entities and vendors of hardware or
software components for BES Cyber Systems. To discuss this, you can email me at
the same address.
Good article and I agree with your conclusion, as our supply chain and procurement personnel have been 100% engaged this week on responding to this COVID-19 crisis. I expect them to be similarly engaged for at least the next many weeks.