I heard recently of a large NERC entity whose upper management overrode a good part of two years of work on the part of the people who had been preparing for compliance with CIP-013-1. They said that the entity was going to essentially ignore requirement R1.1 and just comply with R1.2, R2 and R3. In other words, they’ll ignore the requirement to develop a plan to identify, assess and (implicitly) mitigate supply chain cybersecurity risks to the Bulk Electric System, and only mitigate the eight risks addressed in R1.2.
This struck me as a pretty foolish thing to do, but I asked Lew Folkerth of the RF Regional Entity to comment on that. Here is what he said:
The NERC Reliability Standards were developed and complied with long before the Energy Policy Act of 2005 put them on the path to be mandatory and enforceable. Even the first version of the CIP Standards was in development prior to the mandatory and enforceable period. The Reliability Standards are, at their core, an agreement among all entities to behave in a certain manner in order to operate and maintain the reliability of the BES. By deliberately not implementing compliance with a Standard, an entity would break faith with their peers in the BES.
I have seen cases where an entity decides it can do a better job of mitigating risk by implementing its own processes and ignoring the Reliability Standards. In every case I’ve seen, the entity failed to implement reliability or security processes that were as effective as what was required by the Standard. I expect this to hold true for the Supply Chain Standards as well. There has been a huge amount of work performed in the development and support of CIP-013-1. The development of the Standard, ERO endorsement of Implementation Guidance, SGAS sessions at NERC resulting in the FAQ document, the SCWG’s Guidelines, and yes, even my Lighthouse articles, all have worked toward making CIP-013-1 the most documented and supported Standard in the portfolio of Reliability Standards.
In my opinion, throwing all of this material away would not be a supportable decision at any Registered Entity.
There’s more to it. In an email conversation with Lew after he sent this, he pointed out that a) by not complying with R1.1, the entity won’t be complying with R1 itself; and b) the entity can’t be compliant with R2 or R3 either, since they both depend on compliance with R1. So they might be in violation of all three requirements in CIP-013!
But other than that, I think this is a good decision.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
Are you hot at work – or should be – on getting ready for CIP-013-1 compliance on October 1? Here is my summary of what you need to do between now and then.