Monday, June 8, 2020

“Purchase Decision”



Note from Tom: If you’re only looking for my latest pandemic post, please go to my Pandemic Blog. If you’re looking for my cyber/NERC CIP post, you’ve come to the right place.


In NATF’s recent webinar on their Supply Chain Risk Questionnaire – which I’ve written about in four posts, starting with this one – they briefly discussed not only the questionnaire but their Supplier Cyber Security Assessment Model, which forms the basis for their supply chain/CIP-013 program. It was previously discussed (briefly) in their webinar in March.

The model is summarized in a diagram on page 6. The heart of the diagram is the circle at the bottom: “Conduct Risk Assessment”. The process of assessing the supplier’s cyber risk (which is of course the focus of NATF’s program, including the Criteria and the questionnaire) is the biggest input (in terms of the space it occupies on the diagram) to the Risk Assessment in the circle. However, in two little boxes on the side we find two more types of input: “Other factors…(financial, operational, reputational, regulatory, etc.)” and “The purchasing entity’s inherent risk and risk appetite”. The output of the circle (and of the whole process) is a green box to the right of the circle that reads “Purchase Decision”.

What this diagram essentially says is that the goal of CIP-013, and of supply chain cybersecurity risk management for the BES in general, is to help NERC entities make well-informed decisions on whether or not to purchase particular products or services. That decision is based on a number of factors, of which the vendor’s cyber security is important but hardly the only one (even though the cyber assessment takes up at least ten times as much space as the little box of “other factors” does).

There’s only one problem I have with this diagram and the model behind it: I simply don’t think it’s realistic for the domain it’s trying to address, which is supply chain security for hardware and software components of BES Cyber Systems.

When it comes to purchase decisions for hardware and software that go into BCS, there are two considerations that outweigh all others – including cyber security – by far. The first is “Does this product do everything we need it to?” If a product doesn’t do something the engineers consider important, it won’t matter how low the price is, how great a reputation the supplier has, how “compliant” their product is, etc. That product won’t be purchased.

The second consideration – and I’d say this is the one that outweighs all the others by far – is “Do we have experience with this supplier (and if possible with this product), and has it been good?” If the answers to both parts of this question are yes, it will require an act of Congress, a Papal Encyclical, and a Presidential Directive for that supplier not to get this new order. And that makes perfect sense: For systems that literally run the BES, an electric utility will almost never take a flier on a different supplier unless they’re having some problems with the current one – and unless there are at least ten other utilities on the same block that use a different supplier, and will promise them on a stack of Bibles that they won’t be sorry they switched.

Of course there’s another consideration which makes a NERC entity strongly inclined to stick with their existing supplier: installed base. If a utility uses an EMS from supplier X, the chances are strong they’ll still be with that supplier ten years from now, and the chances are just about 100% that they won’t change suppliers for at least a few years, even if they make the irrevocable decision today to change.

What this comes down to is: For BCS hardware and software, NERC entities almost never make “purchase decisions”. That is, they almost never find themselves in the situation where they need to compare a number of suppliers on various factors, including cybersecurity. The decision to purchase product A from supplier B has almost always been made before cybersecurity even comes into consideration.[i]

Does this mean the industry is wasting its time worrying about supply chain security? Or, more cynically, can it be said that the main purpose of supplier security assessments is to find evidence to back up a purchase decision that has already been made?

Fortunately, no. It means that, in the great majority of BCS procurements, the risk assessment begins after the purchase decision has been made. The question the assessment needs to answer isn’t “Should we buy from these guys or not?”. It’s “Since we’ve decided to buy from these guys once again, what are the cybersecurity risks we need to be concerned about, and how can we mitigate those risks to the best of our ability (and accept the rest)?”

What does this mean for a CIP-013 program? I’ve had this opinion for a long time, so it’s baked into my methodology. The biggest consequence is that I don’t think it’s useful to spend time developing overall supplier risk scores, or even scores for general areas like identity and access management or remote access. Instead, you need a score for every cyber risk that applies to a supplier.

So far, I and my clients have identified about 90 cyber risks that apply to suppliers and vendors. I want to know where the supplier stands on each of those risks – are they high, medium or low risk? In other words, I want a risk score for each risk that applies to a supplier. My questionnaire asks one or two questions for each supplier risk, and from the answer(s) I develop a score for that risk.

What’s the point of having all those scores? The main use for them is in the procurement risk assessment, which is the heart of my methodology, and also is the focus of the NERC Evidence Request Spreadsheet for CIP-013-1. The supplier’s scores tell you which risks still need to be mitigated during the procurement or installation of the product. For each unmitigated risk, you need to identify one or more mitigations that will reduce the risk during the procurement or installation – and if there is no possible mitigation at that point, you need to accept the risk.



Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!

[i] One of my clients – a medium-to-large municipal utility – told me they do a competitive RFP for BCS hardware or software once every five years, if that.
