Tuesday, May 5, 2020

Lew Folkerth on Mitigation in CIP-013



Note from Tom: If you’re only looking for today’s pandemic post, go to my new blog (and if you’re not subscribing to that blog, sign up for it. This blog will increasingly be devoted to cybersecurity/NERC CIP discussions, although I’ll continue to post the pandemic posts here as well – but they won’t get picked up by the email feed on days when I post on both topics). If you’re looking for my cyber/NERC CIP posts, you’ve come to the right place.

Lew Folkerth of the RF Region – who has contributed many valuable insights to this blog over the years since I started it in 1970 (or so it seems) – emailed me this morning about yesterday’s post. That post focused on the fact that the word “mitigation” was left out of CIP-013-1 R1.1. He started by saying he agreed with what both Brian Allen of NERC, the presenter of yesterday’s webinar discussing the recent NERC CIP-013 FAQ, and I said about this. But he went on:

The enforceable language (Requirement, Applicability, Effective Date, Glossary Terms, and Implementation Plan) does not require an entity to mitigate risk in every case, because mitigation is not the only option in addressing risk. The possibilities include: (a) avoid – do not assume the risk to begin with; (b) mitigate – take action to reduce or eliminate the risk; (c) transfer – use insurance or some other means to transfer the risk to another party – this is not useful in the CIP world because a Registered Entity cannot transfer a compliance risk without a CFR or JRO (Tom’s note: The CFR and JRO are two vehicles under which two NERC entities can coordinate compliance for asset(s) that they own or operate together. This compares with insurance, which most security people think of when they talk about transferring risk. It’s a fundamental principle of NERC regulation – not just CIP – that risk can’t be transferred when it’s BES risk. This is because no NERC entity “owns” the BES or any portion of it. If they screw up by omission or commission, the cost of that falls on all users of the BES, not just one organization); (d) accept – the entity may choose to accept the risk.

2. If I still get pushback, I take a more aggressive line: If a program to comply with CIP-013 does not actually mitigate any risk, then the Responsible Entity has not been effective in complying with the Standard. The audit team is required (by instruction from FERC) to identify this, usually as an Area of Concern (Note 2 from Tom: This is a “finding” in an audit that relates to a practice the auditor would like to see corrected, although it isn’t actually a violation of a requirement. The entity usually has three years to correct the practice, although if they haven’t done so by the next audit, they still can’t receive a violation. However, in general I don’t advise not correcting an AoC, just like I don’t advise calling your auditor’s baby ugly). But in the case of an entity deliberately avoiding mitigating risk based on a perceived shortcoming in the Standard, the audit team would almost certainly issue a PNC (Potential Non-Compliance finding. This could lead to an actual violation). Now the program manager that thought up this scheme is going to have to stand in front of his/her CEO and explain why money was spent on a program that produced no result (mitigated no risk), and why millions more in legal fees and penalties are about to be spent at a hearing to justify these actions.

I’ve almost never heard or read something that Lew said that didn’t go way beyond how I was thinking about a problem. He hasn’t disappointed me here, either!


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!


