Monday, May 4, 2020

Today’s webinar on the CIP-013 FAQ, Part I



Note from Tom: If you’re only looking for today’s pandemic post, go to my new blog (and if you’re not subscribing to that blog, sign up for it. This blog will increasingly be devoted to cybersecurity/NERC CIP discussions, although I’ll continue to post the pandemic posts here as well – but they won’t get picked up by the email feed on days when I post on both topics). If you’re looking for my cyber/NERC CIP posts, you’ve come to the right place.


The Supply Chain Working Group’s webinar today was on the CIP-013 FAQ that NERC put out in February (and that I wrote about in March); it was conducted by Brian Allen. The best part was the Q&A at the end. Part of that dialogue was on the word “mitigation”. I’ll discuss that in this post, and will cover my other takeaways in another post soon.

One questioner pointed out something that I first noticed when I wrote this post in early 2018: CIP-013 R1 calls for the NERC entity’s plan to include “identification and assessment” of supply chain security risks, but it doesn’t say anything about mitigating those risks. So technically, all you have to do to comply with R1 (and R2, since that simply tells you to implement your plan, whatever is in it) is show how you’ll identify and assess risks; it doesn’t say anything about mitigation.

Brian’s answer to this question was good: that the Purpose statement for CIP-013 reads “To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems.” This is quite clear, although another questioner (perhaps the same one) then asked if the Purpose statement in a standard is auditable.

I can’t remember Brian’s answer, although my guess is no, it’s not auditable (at least, I think it should have been that). But I certainly don’t recommend you try to convince the auditor that your plan is a good one if it omits mitigation! The whole standard wouldn’t make any sense if you weren’t supposed to mitigate the risks you’ve identified and assessed. And remember that R1.2 consists of six mitigations that need to be included in your plan. They’re there because FERC mentioned them at various places in their Order 829 in 2016. FERC certainly intended that NERC entities should mitigate the risks they’ve identified!

This being said, I have suggested previously that the word “mitigate” should be added to R1.1, so that there can be no question about this. This would be pretty simple: All a drafting team would have to do would be to change the words “identify and assess” in R1.1 to read “identify, assess and mitigate”. However, the drafting team developing CIP-013-2 is already starting to work on their second draft (since the first one didn’t get enough votes for approval, which of course always happens with new or revised CIP standards), and there’s nothing in the first draft about mitigation (in fact, the SAR didn’t mention mitigation at all, so it would be surprising if there were something about it in the first or any draft). So if this change gets made, it will have to be in version 3 of the standard, which is years away from even being proposed.

In case you haven’t noticed it, there are a lot of implied requirements in the NERC CIP standards – these are things you have to do, even though they’re not actually stated as part of a requirement. Here’s one more!

  
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!


