Thursday, April 2, 2020

Can you change your CIP-013 plan after July 1?

If you’re looking for my pandemic posts, I’ve created a new blog for you. If you’re looking for my cyber/NERC CIP posts, you’ve come to the right place.

People who have been dealing with the NERC CIP standards for a while usually get all sweaty and nervous when the compliance date for a new standard is coming due. Obviously, they’re worried they might not get everything done that they need to by the compliance date, but there’s a much bigger concern I’m sure everyone thinks about: What if the compliance program we put together misses the point in some way (or all ways)? Will we run for months or years with a non-compliant program, racking up new violations every day?

And with CIP-002 through -011, that’s a very big concern. Suppose you had put together what you thought was a good plan to comply with say CIP-007-5 R2 (patch management) and you implemented that plan on the compliance date, which was July 1, 2016. But a year later, you realized you should have been patching device drivers all along (perhaps when you read this post, which I know led to anguished discussions in at least a few NERC entities).

Will fixing the problem be simply a matter of making some changes to your procedures? Unfortunately not. You’re most likely going to have to self-report violations of CIP 7 R2, starting on the compliance date and continuing for the year or so it took you to realize this problem. Of course, one hopes that you won’t get hit with a fine for this, since of course device drivers are never mentioned in the standard. But no NERC entity would ever feel good about self-reporting any violation, even if you won a trip to Disney World for doing so.

My guess is many NERC entities may feel that the situation is the same with your CIP-013 supply chain cyber risk management plan: You had better get it right by the compliance date, because making any change thereafter will mean you’ve been out of compliance up to that point.

Well, I have good news: That’s not the case with CIP-013. Remember, CIP-013-1 R1 requires you to develop a supply chain cyber risk management plan (and it implicitly requires you to develop a good plan, not just write “CIP-013 Plan” on the top of a sheet of paper and hand it to the auditor), and gives you a few – but just a few! – pointers on what to include (of course, the plan must include the six items in R1.2, although those certainly aren’t the sum total of what should be in your plan).

Unless you just don’t even put a good effort into figuring out what should be in a good plan (and I recommend attending the NERC RSTC Supply Chain Working Group webinars, which you’ll also be able to listen to in recorded format later), you shouldn’t be assessed any violation for say not including X in your plan, unless X is specifically required in R1.1 or R1.2.

Let’s say you make substantial changes to your plan six months after the compliance date. You should document why you made these changes, but in general your story should be “We had a good plan on the compliance date, and we have a better plan now.” How could the auditors possibly have a problem with that?

Of course, I’m sure there are some long-time CIP types who will laugh cynically when they hear that question and respond “I’ll tell you how: We got a potential violation for Y, even though Y was never in the standard.” I’d have to agree with you, having recently told the story of a NERC entity who was audited for CIP-014 (which also requires the entity to develop a plan, but provides close to no guidance on what should be in it) and was given a PNC for not including anti-tank barriers in their plan to protect the substation. The last time I looked at CIP-014, it didn’t require anti-tank barriers. This will without a doubt be thrown out, but it is a huge drain on time and energy for the compliance people and the lawyers as they fight this. I certainly hope NERC doesn’t allow the same situation to happen with CIP-013 auditing, and there are many reasons to believe it won’t – although I’ll say that much more readily when I hear that NERC has put together a program to train auditors on auditing CIP-013, since it’s so different from the other CIP standards.

In other words, even if the CIP-013 compliance date remains at July 1, you should feel comfortable doing your best to develop a good plan, given the resources and time you have to do that. And you might even plan now on revising the plan say six months after you put it into effect (along with the revising you’ll do every 15 months to comply with R3). As the man said, CIP-013 is very different from the other CIP standards.

And now, a word from our sponsor
The team at Tom Alrich LLC is proud to have been the primary sponsor of Tom Alrich’s blog since we started up in early 2018. We’ve very much enjoyed working with Mr. Alrich, while of course we do have our occasional differences of opinion with him. We want you to know that we are working closely with Tom to offer your NERC entity a full set of services for developing or revising your CIP-013 plan, no matter where you are on the road to CIP-013 compliance.

For example, we are starting to work with entities that have already developed what they think is a good plan, but would like to hear Mr. Alrich’s ideas for making it better. Others aren’t that far along, and want to have some good guidance as they put their plan together. Whatever your needs, drop Tom an email, so you can set up a time to discuss – remotely, of course! – your unique situation.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.