Thursday, August 27, 2020

Don’t try this at home, kids!

I heard recently of a large NERC entity whose upper management overrode a good part of two years of work on the part of the people who had been preparing for compliance with CIP-013-1. They said that the entity was going to essentially ignore requirement R1.1 and just comply with R1.2, R2 and R3. In other words, they’ll ignore the requirement to develop a plan to identify, assess and (implicitly) mitigate supply chain cybersecurity risks to the Bulk Electric System, and only mitigate the eight risks addressed in R1.2.

This struck me as a pretty foolish thing to do, but I asked Lew Folkerth of the RF Regional Entity to comment on that. Here is what he said:

The NERC Reliability Standards were developed and complied with long before the Energy Policy Act of 2005 put them on the path to be mandatory and enforceable. Even the first version of the CIP Standards was in development prior to the mandatory and enforceable period. The Reliability Standards are, at their core, an agreement among all entities to behave in a certain manner in order to operate and maintain the reliability of the BES. By deliberately not implementing compliance with a Standard, an entity would break faith with their peers in the BES.

I have seen cases where an entity decides it can do a better job of mitigating risk by implementing its own processes and ignoring the Reliability Standards. In every case I’ve seen, the entity failed to implement reliability or security processes that were as effective as what was required by the Standard. I expect this to hold true for the Supply Chain Standards as well. There has been a huge amount of work performed in the development and support of CIP-013-1. The development of the Standard, ERO endorsement of Implementation Guidance, SGAS sessions at NERC resulting in the FAQ document, the SCWG’s Guidelines, and yes, even my Lighthouse articles, all have worked toward making CIP-013-1 the most documented and supported Standard in the portfolio of Reliability Standards.

In my opinion, throwing all of this material away would not be a supportable decision at any Registered Entity.

There’s more to it. In an email conversation with Lew after he sent this, he pointed out that a) by not complying with R1.1, the entity won’t be complying with R1 itself; and b) the entity can’t be compliant with R2 or R3 either, since they both depend on compliance with R1. So they might be in violation of all three requirements in CIP-013!

But other than that, I think this is a good decision.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

Are you hot at work – or should be – on getting ready for CIP-013-1 compliance on October 1? Here is my summary of what you need to do between now and then.
