Tuesday, September 8, 2020

Three weeks left!




Just about three months ago, I wrote this post about what NERC entities still need to do to get ready for the October 1 compliance date for CIP-013-1. Now we’re almost exactly three weeks away from that date. I’m going to assume you’ve done most of what I pointed out in the July post (although if you haven’t, there’s still time to do it all. I won’t outline the reasons for my statement here – email me if you want to discuss this).

However, I’m also betting that you’re not 100% ready for the 10/1 date. You shouldn’t panic – you can definitely finish whatever you haven’t done. Here are three tasks that you might not have finished (or even started) yet, which you definitely need to do in the next three weeks:

Finalize your R1 plan
The most important task is you need to finalize your CIP-013-1 R1 supply chain cybersecurity risk management plan. While you will still be able to improve it any time after 10/1, you need to have a fairly complete plan now. Here are the topics that should be addressed in your plan:

· How you identify supply chain cyber security risks to the BES. This includes risks arising from procurement of hardware or software components of BES Cyber Systems, procurement of services for BCS, installation of BCS components, use of services for BCS, and transitions between vendors.
· How you will assess risks that arise from vendors or suppliers of BCS components or services – using questionnaires and/or other means.
· How you will assess risks that arise from actions your own entity takes.
· How you will mitigate those risks, including the following. Note that none of these have to be written at a low level – a high-level conceptual description is enough, as long as it’s comprehensive:

1. Mitigations of Risks that apply to your entity.
2. Mitigations that are applied through obtaining a Supplier’s or Vendor’s assent by adding or changing terms in their contract.
3. Mitigations that are applied through obtaining a Supplier’s or Vendor’s assent through other means than contract language.
4. Mitigations that are applied through Supplier/Vendor follow-up.
5. Mitigations that are applied through Requests for Proposal.
6. Mitigations that are identified during Procurement Risk Assessments and applied during Procurement of Products and Services, Installation of Products and Use of Services.
7. Mitigations for the 8 Risks identified in CIP-013-1 R1.2.1 – R1.2.6.
8. Mitigations for Risks arising from open source software.
9. Mitigations applied to Emergency Procurements.
10. Mitigations for Risks arising from vulnerabilities due to third party or open source components in a Supplier’s software or firmware Products.
11. Mitigations for Risks arising from “Transitions between vendors”.
12. Mitigations for Risks due to repurposed Products.
13. Mitigations for Risks due to transactions with other utilities.
14. Mitigations due to compliance with the NERC CIP-003-6 through CIP-011-3 Reliability Standards.

Remember, you can change your plan whenever you want (and the plan should say how it can be changed, presumably with CIP Senior Manager approval) after 10/1, so you don’t need to have it perfect that day. But you have to have something that addresses most of the areas shown above. You can’t have something that, for example, ignores R1 altogether.

P’s and P’s
As I have pointed out a number of times, even though you have close-to-complete flexibility in developing your R1 plan, when you get to R2 that plan becomes a straitjacket. You have to have a set of policies and procedures that implements your R1 plan, and all of the plan; moreover, you need to determine how you will provide evidence that you are actually following those policies and procedures.

And you need all of these p’s and p’s in place by October 1. Obviously that’s for compliance purposes, but it’s for another reason as well: If, in designing your p’s and p’s, you find a particular part of the plan that you’re not sure you can implement properly, take it out. You can always add it back later, if you realize it won’t be as hard to do as you thought. But if you leave the plan in place yet don’t have the p’s and p’s in place to implement it, you’re asking for a PNC for R2.

Along with designing the p’s and p’s, you need to decide how you will provide evidence of compliance with each policy and each procedure. And here’s the good news: “evidence” in CIP-013 doesn’t mean evidence that you have done the right thing in every particular instance and for every particular system in scope, as is the case in the prescriptive requirements that are part of CIP-003 through CIP-011. If your policy is that you will do X, you need to be able to show that you implemented the policy and provide some general evidence that it was followed – e.g. emails that show it was followed in a few specific instances.

The most important evidence
However, the most important evidence is what you will compile when you carry out item 6 in the list above: the procurement risk assessment. The NERC Evidence Request Tool v4.5 makes clear that CIP-013-1 evidence requests will be based solely on “procurements”. In Level 1, you will have to provide a list of every procurement during the audit period. In Level 2, the auditors will select a sample of these procurements and ask you to show how you carried out R1.1 and R1.2.

I think it’s very important not to leave it to whoever is in charge at your next audit to try to dig up all the evidence required to show this. You need to design a Procurement Risk Assessment (PRA) process – perhaps using spreadsheets – in which just carrying out the process (which you will do with every procurement) will provide the evidence. By the way, since “procurement” and “vendor” aren’t defined by NERC, you will need to define these terms yourself, as well as others.

Or almost. Your PRA will need to provide lists of mitigations to be carried out during procurement of the product or service, installation of the product and/or use of the service. That evidence will need to be gathered when those activities are finished or ongoing, which of course is after the PRA itself is finished.


This might seem like something that’s very complicated, but it really isn’t. If you’d like to discuss this, drop me an email and we can set up a time to do so.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.


