Note from Tom: If you're only looking for today's pandemic post, go to my new blog (and if you're not subscribing to that blog, sign up for it. This blog will increasingly be devoted to cybersecurity/NERC CIP discussions, although I'll continue to post the pandemic posts here as well – but they won't get picked up by the email feed on days when I post on both topics). If you're looking for my cyber/NERC CIP posts, you've come to the right place.
The Supply Chain Working Group's webinar today was on the CIP-013 FAQ that NERC put out in February (and that I wrote about in March); it was conducted by Brian Allen. The best part was the Q&A at the end. Part of that dialogue was on the word "mitigation". I'll discuss that in this post, and will cover my other takeaways in another post soon.
One questioner pointed out something that I first noticed when I wrote this post in early 2018: CIP-013 R1 calls for the NERC entity's plan to include "identification and assessment" of supply chain security risks, but it doesn't say anything about mitigating those risks. So technically, all you have to do to comply with R1 (and R2, since that simply tells you to implement your plan, whatever is in it) is show how you'll identify and assess risks; it doesn't say anything about mitigation.
Brian's answer to this question was good: that the Purpose statement for CIP-013 reads "To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems." This is quite clear, although another questioner (perhaps the same one) then asked if the Purpose statement in a standard is auditable.
I can't remember Brian's answer, although my guess is no, it's not auditable (or at least, I think that's what the answer should have been). But I certainly don't recommend you try to convince the auditor that your plan is a good one if it omits mitigation! The whole standard wouldn't make any sense if you weren't supposed to mitigate the risks you've identified and assessed. And remember that R1.2 consists of six mitigations that need to be included in your plan. They're there because FERC mentioned them at various places in their Order 829 in 2016. FERC certainly intended that NERC entities should mitigate the risks they've identified!
This being said, I have suggested previously that the word "mitigate" should be added to R1.1, so that there can be no question about this. This would be pretty simple: all a drafting team would have to do would be to change the words "identify and assess" in R1.1 to read "identify, assess and mitigate". However, the drafting team developing CIP-013-2 is already starting to work on their second draft (since the first one didn't get enough votes for approval, which of course always happens with new or revised CIP standards), and there's nothing in the first draft about mitigation (in fact, the SAR didn't mention mitigation at all, so it would be surprising if there were something about it in the first or any draft). So if this change gets made, it will have to be in version 3 of the standard, which is years away from even being proposed.
In case you haven't noticed it, there are a lot of implied requirements in the NERC CIP standards – these are things you have to do, even though they're not actually stated as part of a requirement. Here's one more!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some help on it? Or would you like me to review what you've written so far and let you know what could be improved? Just drop me an email!