Just about three months ago, I wrote this post about what NERC entities still need to do to get ready for the October 1 compliance date for CIP-013-1. Now we’re almost exactly three weeks away from that date. I’m going to assume you’ve done most of what I pointed out in the July post (although if you haven’t, there’s still time to do it all. I won’t outline the reasons for my statement here – email me if you want to discuss this).

However, I’m also betting that you’re not 100% ready for the 10/1 date. You shouldn’t panic – you can definitely finish whatever you haven’t done. Here are three tasks that you might not have finished (or even started) yet, which you definitely need to do in the next three weeks:
Finalize your R1 plan
The most important task is to finalize your CIP-013-1 R1 supply chain cyber security risk management plan. While you will still be able to improve it any time after 10/1, you need to have a fairly complete plan now. Here are the topics that should be addressed in your plan:
· How you identify supply chain cyber security risks to the BES. This includes risks arising from procurement of hardware or software components of BES Cyber Systems (BCS), procurement of services for BCS, installation of BCS components, use of services for BCS, and transitions between vendors.
· How you will assess risks that arise from vendors or suppliers of BCS components or services – using questionnaires and/or other means.
· How you will assess risks that arise from actions your own entity takes.
· How you will mitigate those risks, including the following. Note that none of these have to be written at a low level – a high-level conceptual description is enough, as long as it’s comprehensive:
1. Mitigations of Risks that apply to your entity.
2. Mitigations that are applied through obtaining a Supplier’s or Vendor’s assent by adding or changing terms in their contract.
3. Mitigations that are applied through obtaining a Supplier’s or Vendor’s assent through means other than contract language.
4. Mitigations that are applied through Supplier/Vendor follow-up.
5. Mitigations that are applied through Requests for Proposal.
6. Mitigations that are identified during Procurement Risk Assessments and applied during Procurement of Products and Services, Installation of Products and Use of Services.
7. Mitigations for the eight Risks identified in CIP-013-1 R1.2.1 – R1.2.6.
8. Mitigations for Risks arising from open source software.
9. Mitigations applied to Emergency Procurements.
10. Mitigations for Risks arising from vulnerabilities due to third-party or open source components in a Supplier’s software or firmware Products.
11. Mitigations for Risks arising from “Transitions between vendors”.
12. Mitigations for Risks due to repurposed Products.
13. Mitigations for Risks due to transactions with other utilities.
14. Mitigations that are already provided by compliance with the NERC CIP-003-6 through CIP-011-3 Reliability Standards.
Remember, you can change your plan whenever you want after 10/1 (and the plan should say how it can be changed, presumably with CIP Senior Manager approval), so you don’t need to have it perfect that day. But you have to have something that addresses most of the areas shown above. You can’t, for example, have a plan that ignores R1 altogether.
P’s and P’s
As I have pointed out a number of times, even though you have close-to-complete flexibility in developing your R1 plan, when you get to R2 that plan becomes a straitjacket. You have to have a set of policies and procedures that implements your R1 plan – all of the plan; moreover, you need to determine how you will provide evidence that you are actually following those policies and procedures.
And you need all of these p’s and p’s in place by October 1. Obviously that’s for compliance purposes, but there is another reason as well: if, in designing your p’s and p’s, you find a particular part of the plan that you’re not sure you can implement properly, take it out. You can always add it back later, if you realize it won’t be as hard to do as you thought. But if you leave the plan in place yet don’t have the p’s and p’s in place to implement it, you’re asking for a PNC (Potential Non-Compliance) finding for R2.
Along with designing the p’s and p’s, you need to decide how you will provide evidence of compliance with each policy and each procedure. And here’s the good news: “evidence” in CIP-013 doesn’t mean evidence that you have done the right thing in every particular instance and for every particular system in scope, as is the case with the prescriptive requirements in CIP-003 through CIP-011. If your policy is that you will do X, you need to be able to show that you implemented the policy and provide some general evidence that it was followed – e.g. emails that show it was followed in a few specific instances.
The most important evidence
However, the most important evidence is what you will compile when you carry out item 6 in the list above: the procurement risk assessment. The NERC Evidence Request Tool v4.5 makes clear that CIP-013-1 evidence requests will be based solely on “procurements”. In Level 1, you will have to provide a list of every procurement during the audit period. In Level 2, the auditors will select a sample of these procurements and ask you to show how you carried out R1.1 and R1.2 for each of them.
I think it’s very important not to leave it to whoever is in charge at your next audit to try to dig up all the evidence required to show this. You need to design a Procurement Risk Assessment (PRA) process – perhaps using spreadsheets – in which just carrying out the process provides the evidence. You will carry out this process with every procurement; by the way, since “procurement” and “vendor” aren’t defined by NERC, you will need to define these terms yourself, as well as others.

Or almost. Your PRA will need to provide lists of mitigations to be carried out during procurement of the product or service, installation of the product and/or use of the service. The evidence for those mitigations will need to be gathered while those activities are ongoing or after they are finished, which of course is after the PRA itself is complete.
This might seem like something that’s very complicated, but it really isn’t. If you’d like to discuss this, drop me an email and we can set up a time to do so.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.