Tuesday, April 7, 2020

E&E News discussion of the postponement of CIP-013 compliance



If you’re looking for my pandemic posts, I’ve created a new blog. If you’re looking for my cyber/NERC CIP posts, you’ve come to the right place.


Christian Vasquez of E&E News published a good article today covering some of the different opinions about NERC’s postponement of the compliance date, not only for CIP-013 but for some of the Operations and Planning standards as well. You can read it yourself, but I found it interesting that he brought up the general idea of postponing compliance with regulations. He pointed out that Democratic lawmakers had been harshly critical of the EPA recently for postponing compliance with certain environmental standards.

Which brings up a question I really hadn’t thought about: When is it a good idea to postpone compliance with a regulation because it will cause too much of a burden on an industry at a very bad time (as is the case with CIP-013), yet not a good idea to postpone (or suspend) compliance with a different regulation – such as the EPA’s regulations? I think the rule should be that, if postponing a regulation would have an immediate negative impact on public health or safety, then it shouldn’t be postponed. But if any negative impact is likely to occur in the longer future, I think it can be postponed.

The whole rationale for a supply chain security standard is that the industry will start acting more aggressively to get security built into the products it will buy and deploy in the future. They’ve been doing that since CIP-013 was approved by FERC in October 2018. And as far as I can see, vendors of OT products for the electric power industry have taken CIP-013 very seriously already. I really doubt they’re going to suddenly drop their efforts to better secure their products, just because the utilities won’t have to comply for another three months. Instead, I think they’ll look on this as an opportunity to do a much better job of securing their products than they might do if compliance were still due on July 1.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!


