Tuesday, May 26, 2020

Interesting comment on yesterday’s post



Note from Tom: If you’re only looking for today’s pandemic post, please go to my new blog. If you’re looking for my cyber/NERC CIP post, you’ve come to the right place.


This morning, I got a very interesting comment on my post from yesterday, in which I took back – based on comments from Kevin Perry – my assertion in a post last week that any NERC entity who decided to challenge an assessed NERC CIP violation in the administrative law courts would very likely win. I said last week that this is because of the many cases in the CIP standards in which key words or requirements were left out – but are nonetheless required for compliance, as in the case of the missing word “mitigate” in CIP-013-1 R1.1.

I concluded with this paragraph:

I agree that Kevin’s right. However, I’m not backing away from the last sentence of the post: “This means that sooner or later, the NERC community is going to realize that the standards need to be rewritten from the bottom up, as I discussed in this webinar last year.” My case for saying the CIP standards need to be rewritten doesn’t rest at all on legal grounds, and I shouldn’t have implied that it does.

The comment came from a senior cybersecurity officer at a large organization. I have known him for a number of years and have great respect for his opinions. He appeared to be cueing off that last paragraph, when he said “A very interesting short post.  I think the larger point is the fact that the RE’s (Regional Entities) are so unsure of the CMEP program that they have to resort to these tactics to protect it.  That in and of itself argues for a reconsideration of the standards.”

What does this person mean when he says, “these tactics”? I think he means Kevin’s statement, “The Regions will often give the benefit of the doubt to the entity if there is any chance that the entity reasonably interpreted the expectations of a vaguely or incompletely worded Requirement.” In other words, Kevin was saying that any Potential non-Compliance (PNC) finding that is based on an ambiguously or incompletely worded Requirement (possibly including CIP-013-1 R1.1) would be dismissed during the Region’s review of the PNC, before an actual violation was identified.

In his comment about “these tactics”, my friend was saying something like, “It’s distressing that Regional Entities would run into so many cases in which they were faced with the choice between dropping a potential violation and having an Administrative Law Judge rule in the entity’s favor because the requirement was ambiguous or omitted key points. This shows the CIP standards need to be reconsidered and rewritten.”

However, I also want to point out that, when I’m talking about reconsideration of the CIP standards, I’m not talking just about restoring words that were left out, fixing ambiguous phrases, etc. I’m saying that the CIP standards should all be written something like CIP-013 (although with the word “mitigate” in place!). Specifically, they should all state a goal (e.g. securing the BES supply chain, in the case of CIP-013) and allow the NERC entity to determine the best way to achieve that goal, based on a) their own particular environment and b) considerations of risk. If you would like to hear more about this, take a look at this webinar.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!


