Note from Tom: If you’re only looking for today’s pandemic post, please go to my new blog. If you’re looking for my cyber/NERC CIP posts, you’ve come to the right place.
In this post on May 4, I pointed out that one of the questions that came out in that day’s Supply Chain Working Group webinar was whether NERC entities need to do anything more than “identify and assess” supply chain cyber security risks as they comply with CIP-013-1 R1, since there’s no mention of having to mitigate them. In the webinar, Brian Allen of NERC had answered that the Purpose statement for CIP-013-1 made clear that mitigation was required.
At that point, another questioner (who turned out to be the same one) asked if the Purpose statement for a NERC standard was auditable. I couldn’t remember how Brian had answered that, but I said my answer would be no – the Purpose statement isn’t part of any requirement and isn’t itself auditable. I went on to say that I don’t recommend testing this idea with an auditor, since the whole standard wouldn’t make sense if it didn’t require mitigation of risks.
The next day, Lew Folkerth wrote to me about this and I posted what he said. He pointed out that auditors are allowed to look beyond the strict wording of the requirement and consider whether the entity has been “effective” in complying with the requirement. If an entity deliberately doesn’t mitigate risk because they think it’s not strictly required, he thinks an audit team would give them a Potential Non-Compliance (PNC) finding (the first step toward an actual violation).
However, the next day the person who had asked the question (who’s someone I’ve known for a long time, although of course I didn’t know it was his question at the webinar) wrote back at length to give his justification for saying that mitigation isn’t required. I then asked Kevin Perry and Lew to comment, and last week published a post with my friend’s email and Kevin’s and Lew’s responses.
However, I didn’t want to add my own opinions to that post, since it was already quite long. So I’ll add them now: I’m quite willing to stipulate that there might be no basis for an auditor to issue a PNC if an entity’s CIP-013 plan doesn’t say anything about mitigating risk. But guess what? There are a lot of things that a NERC entity is required to do to comply with one of the NERC CIP requirements (in all of the CIP standards) that aren’t written down. This is just another in a long line of them.
I wrote a post on this topic in 2018 – which quoted a lot from Lew, since this was his idea back in 2014 (maybe earlier). Here’s one of the examples I used: CIP-005 R1.1 applies in part to Protected Cyber Assets (PCAs), but nowhere in the CIP standards (to this day) is the entity required to actually identify PCAs. An adventurous entity might decide to stand up for principle and tell an auditor they hadn’t applied CIP-005 R1.1 to their PCAs, because they were never required to identify them in the first place.
But what will happen if this adventurous entity makes their stand and doesn’t apply CIP-005 R1.1 to their PCAs? They’ll get a PNC, and it will probably turn into a violation and a fine. They’ll appeal the violation and fine up through NERC and FERC, and get turned down at each step of the way. They’ll finally have to take this to an administrative law judge, and that judge might be much more sympathetic (BTW, although I believe that at least a few lawsuits over NERC CIP may have been filed in the administrative court system, no case has ever been adjudicated). After all, CIP definitely doesn’t require the entity to identify its PCAs.
But what will the entity have accomplished? They’ll get their fine thrown out, but it will have been at a huge cost in money and time. And meanwhile, they’ll have p---ed off NERC and FERC, which is never a position an electric utility wants to find itself in. They will have had their victory, but it will have been a Pyrrhic one.
But that’s not the end of this story. This just demonstrates that a good part (or even all) of the NERC CIP regulatory program hangs on very tenuous legal grounds. If one or two entities want to seriously challenge NERC on these grounds, the whole NERC CIP program might be brought crashing down. This means that sooner or later, the NERC community is going to realize that the standards need to be rewritten from the bottom up, as I discussed in this webinar last year.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Are you working on your CIP-013 plan and would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!