Wednesday, December 2, 2020

How will CIP-013 R1.1 be audited?

In the September meeting of the NERC RSTC Supply Chain Working Group, two or three people from NERC discussed the subject of “audit approach” to CIP-013-1. Of course, this was an eagerly awaited discussion, and the SCWG members crowded into the meeting room to hear what would be said (that’s a joke. They crowded into the WebEx, shoulder-to-shoulder).

I was looking forward to the discussion because I’ve been wondering for a long time how CIP-013-1 R1.1 will be audited. After all, an auditor can only find you in potential non-compliance (PNC) if you violate the strict wording of the requirement. But R1.1 just tells you to develop a supply chain cybersecurity risk management plan, and very little else. The only information that it gives you about what needs to be in the plan is the following:

1. Your plan needs to “identify, assess and mitigate” risks. As you probably know, the word mitigate isn’t in R1.1 but it is definitely implied, and as a couple of ex-auditors pointed out in a post last May, you would be on thin ice if you omitted risk mitigation in your R1 plan.

2. Your plan needs to consider these five types of risk:

   a) Risks arising from procurement of hardware and software products for BES Cyber Systems;

   b) Risks arising from installation of hardware and software products for BCS;

   c) Risks arising from procurement of vendor services for BCS;

   d) Risks arising from use of vendor services for BCS; and

   e) Risks arising from transitions between vendors.

Given that this is all that is required from R1.1, strictly speaking, I wanted to hear from NERC how R1.1 would be audited. To be honest, I think there are only two ways in which you could violate the strict wording of R1.1:

1. Your plan doesn’t identify, assess or mitigate any risks at all, other than the risks behind the six items in R1.2 (which of course are mandatory). This is the approach that one NERC Entity is going to take; I predict it will not be successful.

2. Your plan doesn’t even consider one or more of the five types of risk listed above. And to be honest, given that R1.1 isn’t worded too carefully, I think the only two types that would be absolutely necessary to include are the two procurement risks: a) and c). But even for these, you really only need to consider possible risks in those areas. If you consider them but then decide you don’t have any, you technically wouldn’t be out of compliance.

On the other hand, the whole idea of having a risk-based requirement that just requires a plan – as R1.1 does – is that there’s such a thing as a good plan, in contrast with a bad plan. I know the auditors are allowed to assess penalties in a case where the plan the entity develops just isn’t good at all. That would be the case, for example, if someone wrote “Supply chain cybersecurity risk management plan” at the top of a sheet of paper and handed that to the auditor when they asked to see the R1.1 plan.

So what I wanted to hear from NERC was: Where do you draw the line? At one extreme, you have a blank sheet of paper. At the other extreme, you have a very carefully drawn up plan that considers just about every imaginable supply chain cybersecurity risk, assesses whether that risk is likely ever to be realized in a typical electric utility environment (and their suppliers’ environments) nowadays, and describes in excruciating detail how each of those risks will be mitigated, assuming its likelihood is high enough that it needs to be mitigated.

So how did the presenters from NERC describe how R1.1 will be audited? They didn’t at all. Their presentation focused almost entirely on R1.2 and a little bit on R2 and R3; nothing about R1.1. Of course, R1.2 provides some red meat for people who like to talk about compliance details, which NERC people like to do. But I wanted to hear about R1.1, since in my opinion that is the heart of the standard.

FERC Order 829 (which ordered NERC to develop a supply chain cybersecurity standard) required a supply chain cybersecurity risk management plan. In the second paragraph of the Order, FERC said “Specifically, we direct NERC to develop a forward-looking, objective-based Reliability Standard to require each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations.” They didn’t say “Well, just do these six things (now in R1.2). Then you can call it a day.”

When the Q&A period started, I asked the NERC presenters how R1.1 would be audited. Would an entity get a pass if they handed in a blank piece of paper and said “We just couldn’t think of any risks that apply to us. Have a nice day”? After all, this doesn’t seem to be forbidden by the strict wording of the requirement.

The presenters were sure that a blank piece of paper wouldn’t be allowed. I was pleased to hear that, of course. But my question was: Where do you draw the line? How are the auditors going to decide whether a plan is clearly not acceptable? Or is there even a line in the first place? Will anything that’s called a plan be acceptable? They assured me that no, there is definitely a line somewhere, below which a plan is non-compliant.

So the presenters made it clear that handing in a blank piece of paper as your CIP-013-1 R1.1 supply chain cyber security risk management plan will not be looked on favorably by your auditor. What did they say beyond that, just in case that’s not enough guidance for you?

I probably don’t have to tell you the advice the NERC people provided for NERC entities that want some more guidance on what is an acceptable supply chain cyber security risk management plan. The same answer you will get from NERC if you ask any other hard question about CIP, like the meaning of the word “programmable” in the definition of Cyber Asset: Ask your Region.

I should have known from the beginning that’s what they would say. It is very unfortunate, but NERC’s lawyers have for many years forbidden NERC staff members from providing any information that might be thought of as an “interpretation” of a NERC requirement. They base this on what I believe is a mistaken application of the idea of “auditor independence”, which comes from the financial auditing world. Fortunately, the Regions will usually be willing to provide you with information on what they interpret a NERC Requirement to mean, although they will just about never write that down, and it will always be prefaced by “This is just my personal opinion, not that of the Region, NERC, FERC, the Pope, etc.”

However, in a world where risk considerations are essential – and that is especially true in cyber security, where assessing and mitigating risk is literally the whole game – this approach doesn’t make sense. Given that the NERC CIP standards are becoming more risk-based all the time (in fact, the last prescriptive CIP requirements drafted were part of CIP version 5, which came into effect in 2016 – all requirements drafted since then have been risk-based), NERC needs to re-think its approach to auditing.

Auditors should collaborate with the NERC entities on the common goal of securing the Bulk Electric System – and part of collaboration is freely sharing information on the best ways to further that goal. It makes no sense to refuse to help a NERC entity as it struggles to understand how to comply with a risk-based requirement. Instead, not only should NERC and the Regions answer questions about how to comply with requirements like CIP-013-1 R1.1, but they should proactively reach out to entities with information in webinars, white papers, etc. For example, there might be a webinar entitled “Tips for putting together a good supply chain cybersecurity risk management plan in CIP-013-1 R1.1”.

Think of it: How does it help secure the BES to refuse to provide information like this to a NERC entity now, but then let them make their own mistakes as they design their R1.1 plan? Then to come back three years later in an audit and say “You got this all wrong”? Even though the entity would probably not get a PNC at the audit (probably an Area of Concern, with a directive to fix the problem by the next audit), that’s still three years that the BES wasn’t as well protected as it could have been if NERC or the auditor had reached out to help them to start with. I’m not sure who benefits from that situation, but it’s definitely the one we’re in.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
