Sunday, June 7, 2020

Hmm…Another problem with CIP-013-1



Note from Tom: If you’re only looking for today’s pandemic post, please go to my Pandemic Blog. If you’re looking for my cyber/NERC CIP post, you’ve come to the right place.

I’ll admit I haven’t read the Supplemental Material for CIP-013-1 in quite a while. When I did that today, I was surprised when I read what it says about Requirement R2 in the Rationale section:

The proposed requirement addresses Order No. 829 directives for entities to periodically reassess selected supply chain cyber security risk management controls (P. 46). 

Entities perform periodic assessment to keep plans up-to-date and address current and emerging supply chain-related concerns and vulnerabilities. Examples of sources of information that the entity could consider include guidance or information issued by:
• NERC or the E-ISAC
• ICS-CERT
• Canadian Cyber Incident Response Centre (CCIRC)

Responsible Entities are not required to renegotiate or abrogate existing contracts (including amendments to master agreements and purchase orders) when implementing an updated plan (i.e., the note in Requirement R2 applies to implementation of new plans and updated plans).

Meanwhile, R2 itself reads “R2. Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.” How does this jibe with the Rationale for R2, which is about periodically reviewing the plan, not implementing it?

It doesn’t jibe. The Supplemental Material for R2 is really about R3. There doesn’t seem to be anything in the Rationale about R2, since the first part is definitely all about R1. I’ll admit there’s not a lot that can be said in the Rationale – which I imagine has the status of Guidance, meaning the auditors are required to at least consider what it says – about R2. Although I have said a lot about it in this blog, as well as to my clients, since I consider R2 the biggest area of compliance risk in CIP-013.

Of course, this mistake doesn’t affect the interpretation or auditing of the standard, but still, I can’t believe I’m the first one to notice this, since of course the wording of CIP-013-1 was finalized in 2017. Just goes to show that nobody reads the Supplemental Material.



Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!


