Note from Tom: If you’re only looking for today’s pandemic post, go to my new blog (and if you’re not subscribing to that blog, sign up for it. This blog will increasingly be devoted to cybersecurity/NERC CIP discussions, although I’ll continue to post the pandemic posts here as well – but they won’t get picked up by the email feed on days when I post on both topics). If you’re looking for my cyber/NERC CIP posts, you’ve come to the right place.

Lew Folkerth of the RF Region – who has contributed many valuable insights to this blog over the years since I started it in 1970 (or so it seems) – emailed me this morning about yesterday’s post.

That post focused on the fact that the word “mitigation” was left out of CIP-013-1 R1.1. He started by saying he agreed with what both Brian Allen of NERC, the presenter of yesterday’s webinar discussing the recent NERC CIP-013 FAQ, and I said about this. But he went on:
The enforceable language (Requirement, Applicability, Effective Date, Glossary Terms, and Implementation Plan) does not require an entity to mitigate risk in every case, because mitigation is not the only option in addressing risk. The possibilities include: (a) avoid – do not assume the risk to begin with; (b) mitigate – take action to reduce or eliminate the risk; (c) transfer – use insurance or some other means to transfer the risk to another party – this is not useful in the CIP world because a Registered Entity cannot transfer a compliance risk without a CFR or JRO (Tom’s note: The CFR and JRO are two vehicles under which two NERC entities can coordinate compliance for asset(s) that they own or operate together. This compares with insurance, which most security people think of when they talk about transferring risk. It’s a fundamental principle of NERC regulation – not just CIP – that risk can’t be transferred when it’s BES risk. This is because no NERC entity “owns” the BES or any portion of it. If they screw up by omission or commission, the cost of that falls on all users of the BES, not just one organization); (d) accept – the entity may choose to accept the risk.

2. If I still get pushback, I take a more aggressive line: If a program to comply with CIP-013 does not actually mitigate any risk, then the Responsible Entity has not been effective in complying with the Standard. The audit team is required (by instruction from FERC) to identify this, usually as an Area of Concern (Note 2 from Tom: This is a “finding” in an audit that relates to a practice the auditor would like to see corrected, although it isn’t actually a violation of a requirement. The entity usually has three years to correct the practice, although if they haven’t done so by the next audit, they still can’t receive a violation. However, in general I don’t advise not correcting an AoC, just like I don’t advise calling your auditor’s baby ugly). But in the case of an entity deliberately avoiding mitigating risk based on a perceived shortcoming in the Standard, the audit team would almost certainly issue a PNC (Potential Non-Compliance finding. This could lead to an actual violation). Now the program manager that thought up this scheme is going to have to stand in front of his/her CEO and explain why money was spent on a program that produced no result (mitigated no risk), and why millions more in legal fees and penalties are about to be spent at a hearing to justify these actions.
I’ve almost never heard or read something that Lew said that didn’t go way beyond how I was thinking about a problem. He hasn’t disappointed me here, either!

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!