Thursday, April 23, 2020

OT vs. IT risks in CIP-013



If you’re looking for today’s pandemic post, go to my new blog. If you’re looking for my cyber/NERC CIP post, you’ve come to the right place.


The webinar on Vendor Risk Management Lifecycle that I presented on Monday for the NERC RSTC Supply Chain Working Group was well attended. I was most pleased about the questions at the end, which showed people had been paying attention to the presentation and were already thinking about how it applied in their situations.

In the presentation (which should be available as a recording shortly – I’ll let you know when it’s available. If you’d like to see the slides now, send me an email), I emphasized one of the most important aspects of my approach to supply chain cyber risk management and CIP-013: the difference between IT and OT risks. There ended up being a lot of discussion of this topic in the Q&A session.

Since I didn’t spend a huge amount of time on this topic during the presentation - and of course in the Q&A session there wasn’t time to do much more than answer the specific question – I would like to elaborate on that topic now. I think understanding this topic is very important, since not understanding it could lead to your wasting a lot of time; more importantly, it might lead to compliance risk for CIP-013 (and I couldn’t discuss the latter point at all in the webinar, since in the webinar we’re just supposed to talk about supply chain security, not CIP-013 compliance).

I think having an efficient and effective supply chain cyber risk management plan requires addressing as many risks as possible. If you just address a small number of risks, I think you’re misusing resources. Over the last 15 months of working on CIP-013, one thing I’ve come to realize is that once you have the mechanism in place to identify, assess and mitigate supply chain cyber risks, the incremental cost for addressing each risk is very small.

This is because just about no risks that a NERC entity could address in its CIP-013 plan will require you to spend a lot of money or time putting in some big new system, training a lot of staff members to do something perfectly, etc. Literally all of the risks that I’ve identified, that apply to the entity itself, can be mitigated by putting in place a policy or procedure. There are a few risks that apply to vendors, for which the vendor might have to implement a new system (such as MFA for their remote access system), but none that I can see for NERC entities with High or Medium impact BES Cyber Systems (since controls you put in place for CIP-004, -005, -007, -010 and maybe one or two other standards will mitigate a lot of supply chain risks in CIP-013 as well. Now, doesn’t that make you feel good?).

So on the one hand it’s good to identify as many risks as possible in your CIP-013 plan. On the other hand, you can waste time and money, and perhaps cause unnecessary CIP-013 compliance risk, if you’re not careful to just focus on risks that can have a more-than-negligible impact on the BES. If the risk has very little to do with the BES, don’t include it.

I see potential risks for CIP-013 as divided into “pure” IT risks, “pure” OT risks and mixed IT/OT risks. You need to focus on the latter two, not the former. Let’s look at the NATF Criteria, which I think are quite good. I’ve spent a lot of time recently incorporating all of the Criteria into the set of Vulnerabilities that my clients and I have decided are important to consider (although not necessarily mitigate – maybe I’ll discuss that point in another post) in CIP-013. They cover a range of pure OT and mixed IT/OT risks, but they don’t include any pure IT risks.

Here are two mixed IT/OT risks from the Criteria:

  • Criterion 5 reads “Supplier requires approval for access based on need for all employees and contractors with access to supplier’s assets and facilities.” Obviously, this is just as important for OT as it is for IT.
  • Criterion 22 reads “Supplier has processes to notify entity of any mergers and acquisitions as soon as legally permissible.” Again, there’s no argument that this is important in both domains.
What about pure IT risks? As I said, I haven’t identified any of these in the Criteria, but I know they show up a lot in questionnaires and contract language, when those are borrowed from some organization’s IT procurement function. My example comes from the EEI procurement language document v2, which includes a section (on page 13) titled “Cryptographic Requirements”. This starts with the sentence “Contractor shall document how the cryptographic system protects the confidentiality, data integrity, authentication, and non-repudiation of devices and data flows in the underlying system as specified by Company.”

Let’s see a show of hands: How many run control systems – say, your EMS – that encrypt their data? I didn’t think I’d see any hands. Generally, encrypting data isn’t much of a concern for data within a control center or substation, whereas not introducing latency and making sure data are always accessible immediately are big concerns. Yet, if a NERC entity were to include this section in contract language they ask their vendors to accept, there could be a lot of hair-pulling and back-and-forth between lawyers, all over a section that doesn’t even address a BES concern.

Of course, encryption is a big concern for many IT systems holding payroll, health records, etc. When procuring those systems, it makes lots of sense to make sure appropriate encryption is provided, if that’s a requirement for the system. And this is why it’s not a good idea to recycle IT vendor questionnaires, contract language, RFPs, etc. for OT purposes. Keep the IT and OT procurement worlds separate, even though many individual IT questions, etc. can be used for OT or BES purposes. There’s nothing illegal, immoral or fattening about mixing IT and OT vendor questions and contract language – but it is a big diversion of attention and resources from areas where they can be put to much better use.

However, there’s a bigger problem with mixing IT and OT when it comes to CIP-013 compliance. Keep in mind that, even though you have great freedom in developing your supply chain cyber risk management plan in CIP-013 R1, the situation changes drastically when you implement the plan in R2. At that point, you need to consider your R1 plan to be just like an extremely prescriptive requirement in the CIP 2-11 standards – perhaps even like..shudder…CIP-007 R2.

In other words, once you have written your plan, you need to make sure you live up to it word for word. This means that, if your plan requires you to take a bunch of steps to mitigate a set of pure IT risks (through contract language, RFPs, etc), you have to make sure you do that. So if you have identified encryption (more exactly, data privacy) as a risk that you’ll mitigate, you’ll need to include language in your contracts, questions in your questionnaires, etc. that address encryption. And if you slip up and leave it out at some point, you might be found in violation, since you didn’t faithfully implement your R1 plan in R2.

So just focus on risks that are important for OT. That will be work enough!


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!



No comments:

Post a Comment