Thursday, May 21, 2020

As with all other issues in this blog, I get the final word on mitigation and CIP-013

Note from Tom: If you’re only looking for today’s pandemic post, please go to my new blog. If you’re looking for my cyber/NERC CIP posts, you’ve come to the right place.

In this post on May 4, I pointed out that one of the questions raised in that day’s Supply Chain Working Group webinar was whether NERC entities need to do anything more than “identify and assess” supply chain cyber security risks to comply with CIP-013-1 R1, since the requirement itself says nothing about mitigating those risks. In the webinar, Brian Allen of NERC answered that the Purpose statement of CIP-013-1 makes clear that mitigation is required.

At that point, another questioner (who turned out to be the same one) asked if the Purpose statement for a NERC standard was auditable. I couldn’t remember how Brian had answered that, but I said my answer would be no – the Purpose statement isn’t part of any requirement and isn’t itself auditable. I went on to say that I don’t recommend testing this idea with an auditor, since the whole standard wouldn’t make sense if it didn’t require mitigation of risks.

The next day, Lew Folkerth wrote to me about this and I posted what he said. He pointed out that auditors are allowed to look beyond the strict wording of a requirement and consider whether the entity has been “effective” in complying with it. If an entity deliberately doesn’t mitigate risk because it thinks mitigation isn’t strictly required, he thinks an audit team would issue a Potential Non-Compliance (PNC) finding, which is the first step toward an actual violation.

However, the next day the person who had asked the question (who’s someone I’ve known for a long time, although of course I didn’t know it was his question at the webinar), wrote back at length to give his justification for saying that mitigation isn’t required. I then asked Kevin Perry and Lew to comment, and last week published a post with my friend’s email and Kevin’s and Lew’s responses.

However, I didn’t want to add my own opinions to that post, since it was already quite long. So I’ll add them now: I’m quite willing to stipulate that there might be no basis for an auditor to issue a PNC if an entity’s CIP-013 plan says nothing about mitigating risk. But guess what? There are a lot of things that a NERC entity is required to do to comply with one or another of the NERC CIP requirements (across all of the CIP standards) that aren’t written into the requirements themselves. This is just another in a long line of them.

I wrote a post on this topic in 2018 – which quoted a lot from Lew, since this was his idea back in 2014 (maybe earlier). Here’s one of the examples I used: CIP-005 R1.1 applies in part to Protected Cyber Assets, but nowhere in the CIP standards (to this day) is the entity required to actually identify PCAs. An adventurous entity might decide to stand up for principle and tell an auditor they hadn’t applied CIP-005 R1.1 to their PCAs, because they were never required to identify them in the first place.

But what will happen if this adventurous entity makes its stand and doesn’t apply CIP-005 R1.1 to its PCAs? It will get a PNC, and that will probably turn into a violation and a fine. It will appeal the violation and fine up through NERC and FERC, and be turned down at each step along the way. It will finally have to take the case to an administrative law judge, and that judge might be much more sympathetic (BTW, although I believe that at least a few lawsuits over NERC CIP may have been filed in the administrative court system, no case has ever been adjudicated). After all, CIP definitely doesn’t require the entity to identify its PCAs.

But what will the entity have accomplished? It will get its fine thrown out, but at a huge cost in money and time. And meanwhile, it will have p---ed off NERC and FERC, which is never a position an electric utility wants to find itself in. It will have had its victory, but it will have been a Pyrrhic one.

But that’s not the end of this story. The example just demonstrates that a good part (or even all) of the NERC CIP regulatory program rests on very tenuous legal grounds. If one or two entities were to seriously challenge NERC on these grounds, the whole NERC CIP program might be brought crashing down. This means that sooner or later, the NERC community is going to realize that the standards need to be rewritten from the bottom up, as I discussed in this webinar last year.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!
