If you’re looking for my pandemic posts, I’ve created a new blog for you. If you’re looking for my cyber/NERC CIP posts, you’ve come to the right place.

People who have been dealing with the NERC CIP standards for a while usually get all sweaty and nervous when the compliance date for a new standard is coming due. Obviously, they’re worried they might not get everything done that they need to by the compliance date, but there’s a much bigger concern I’m sure everyone thinks about: What if the compliance program we put together misses the point in some way (or all ways)? Will we run for months or years with a non-compliant program, racking up new violations every day?

And with CIP-002 through -011, that’s a very big concern. Suppose you had put together what you thought was a good plan to comply with, say, CIP-007-5 R2 (patch management) and you implemented that plan on the compliance date, which was July 1, 2016. But a year later, you realized you should have been patching device drivers all along (perhaps when you read this post, which I know led to anguished discussions in at least a few NERC entities).

Will fixing the problem be simply a matter of making some changes to your procedures? Unfortunately not. You’re most likely going to have to self-report violations of CIP-007 R2, starting on the compliance date and continuing for the year or so it took you to realize this problem. Of course, one hopes that you won’t get hit with a fine for this, since of course device drivers are never mentioned in the standard. But no NERC entity would ever feel good about self-reporting any violation, even if you won a trip to Disney World for doing so.

My guess is many NERC entities may feel that the situation is the same with your CIP-013 supply chain cyber risk management plan: You had better get it right by the compliance date, because making any change thereafter will mean you’ve been out of compliance up to that point.

Well, I have good news: That’s not the case with CIP-013. Remember, CIP-013-1 R1 requires you to develop a supply chain cyber risk management plan (and it implicitly requires you to develop a good plan, not just write “CIP-013 Plan” on the top of a sheet of paper and hand it to the auditor), and gives you a few – but just a few! – pointers on what to include (of course, the plan must include the six items in R1.2, although those certainly aren’t the sum total of what should be in your plan).

Unless you just don’t even put a good effort into figuring out what should be in a good plan (and I recommend attending the NERC RSTC Supply Chain Working Group webinars, which you’ll also be able to listen to in recorded format later), you shouldn’t be assessed any violation for, say, not including X in your plan, unless X is specifically required in R1.1 or R1.2.

Let’s say you make substantial changes to your plan six months after the compliance date. You should document why you made these changes, but in general your story should be “We had a good plan on the compliance date, and we have a better plan now.” How could the auditors possibly have a problem with that?

Of course, I’m sure there are some long-time CIP types who will laugh cynically when they hear that question and respond “I’ll tell you how: We got a potential violation for Y, even though Y was never in the standard.” I’d have to agree with you, having recently told the story of a NERC entity who was audited for CIP-014 (which also requires the entity to develop a plan, but provides close to no guidance on what should be in it) and was given a PNC for not including anti-tank barriers in their plan to protect the substation. The last time I looked at CIP-014, it didn’t require anti-tank barriers. This will without a doubt be thrown out, but it is a huge drain on time and energy for the compliance people and the lawyers as they fight this. I certainly hope NERC doesn’t allow the same situation to happen with CIP-013 auditing, and there are many reasons to believe it won’t – although I’ll say that much more readily when I hear that NERC has put together a program to train auditors on auditing CIP-013, since it’s so different from the other CIP standards.

In other words, even if the CIP-013 compliance date remains at July 1, you should feel comfortable doing your best to develop a good plan, given the resources and time you have to do that. And you might even plan now on revising the plan, say, six months after you put it into effect (along with the revising you’ll do every 15 months to comply with R3). As the man said, CIP-013 is very different from the other CIP standards.

And now, a word from our sponsor

The team at Tom Alrich LLC is proud to have been the primary sponsor of Tom Alrich’s blog since we started up in early 2018. We’ve very much enjoyed working with Mr. Alrich, while of course we do have our occasional differences of opinion with him. We want you to know that we are working closely with Tom to offer your NERC entity a full set of services for developing or revising your CIP-013 plan, no matter where you are on the road to CIP-013 compliance.

For example, we are starting to work with entities that have already developed what they think is a good plan, but would like to hear Mr. Alrich’s ideas for making it better. Others aren’t that far along, and want to have some good guidance as they put their plan together. Whatever your needs, drop Tom an email, so you can set up a time to discuss – remotely, of course! – your unique situation.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.