Note from Tom: If you’re only looking for today’s pandemic post, please go to my new blog. If you’re looking for my cyber/NERC CIP post, you’ve come to the right place.
This morning, I got a very interesting comment on my post from yesterday, in which I took back – based on comments from Kevin Perry – my assertion in a post last week that any NERC entity that decided to challenge an assessed NERC CIP violation in the administrative law courts would very likely win. I said last week that this is because of the many cases in the CIP standards in which key words or requirements were left out – but are nonetheless required for compliance, as in the case of the missing word “mitigate” in CIP-013-1 R1.1.
I concluded with this paragraph:

I agree that Kevin’s right. However, I’m not backing away from the last sentence of the post: “This means that sooner or later, the NERC community is going to realize that the standards need to be rewritten from the bottom up, as I discussed in this webinar last year.” My case for saying the CIP standards need to be rewritten doesn’t rest at all on legal grounds, and I shouldn’t have implied that it does.
The comment came from a senior cybersecurity officer at a large organization. I have known him for a number of years and have great respect for his opinions. He appeared to be cueing off that last paragraph, when he said “A very interesting short post. I think the larger point is the fact that the REs (Regional Entities) are so unsure of the CMEP program that they have to resort to these tactics to protect it. That in and of itself argues for a reconsideration of the standards.”
What does this person mean when he says, “these tactics”? I think he means Kevin’s statement, “The Regions will often give the benefit of the doubt to the entity if there is any chance that the entity reasonably interpreted the expectations of a vaguely or incompletely worded Requirement.” In other words, Kevin was saying that any Potential Non-Compliance (PNC) finding which is based on an ambiguously or incompletely worded Requirement (possibly including CIP-013-1 R1.1) would be dismissed during the Region’s review of the PNC, before an actual violation was identified.
In his comment about “these tactics”, my friend was saying something like, “It’s distressing that Regional Entities would run into so many cases in which they were faced with the choice between dropping a potential violation and having an Administrative Law Judge rule in the entity’s favor because the requirement was ambiguous or omitted key points. This shows the CIP standards need to be reconsidered and rewritten.”
However, I also want to point out that, when I’m talking about reconsideration of the CIP standards, I’m not talking just about restoring words that were left out, fixing ambiguous phrases, etc. I’m saying that the CIP standards should all be written something like CIP-013 (although with the word “mitigate” in place!). Specifically, they should all state a goal (e.g. securing the BES supply chain, in the case of CIP-013) and allow the NERC entity to determine the best way to achieve that goal, based on a) their own particular environment and b) considerations of risk. If you would like to hear more about this, take a look at this webinar.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

Are you working on your CIP-013 plan and would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!