In the September meeting of the NERC RSTC Supply Chain Working Group, two or three people from NERC discussed the subject of “audit approach” to CIP-013-1. Of course, this was an eagerly awaited discussion, and the SCWG members crowded into the meeting room to hear what would be said (that’s a joke. They crowded into the WebEx, shoulder-to-shoulder).
I was looking forward to the discussion
because I’ve been wondering for a long time how CIP-013-1 R1.1 will be audited.
After all, an auditor can only find you in potential non-compliance (PNC) if
you violate the strict wording of the requirement. But R1.1 just tells you to
develop a supply chain cybersecurity risk management plan, and very little else.
The only information that it gives you about what needs to be in the plan is
the following:
1. Your plan needs to “identify, assess and mitigate” risks. As you probably know, the word mitigate isn’t in R1.1 but it is definitely implied, and as a couple of ex-auditors pointed out in a post last May, you would be on thin ice if you omitted risk mitigation in your R1 plan.
2. Your plan needs to consider these five types of risk:
   a) Risks arising from procurement of hardware and software products for BES Cyber Systems;
   b) Risks arising from installation of hardware and software products for BCS;
   c) Risks arising from procurement of vendor services for BCS;
   d) Risks arising from use of vendor services for BCS; and
   e) Risks arising from transitions between vendors.
Given that this is all that is
required from R1.1, strictly speaking, I wanted to hear from NERC how R1.1
would be audited. To be honest, I think there are only two ways in which you
could violate the strict wording of R1.1:
1. Your plan doesn’t identify, assess or mitigate any risks at all, other than the risks behind the six items in R1.2 (which of course are mandatory). This is the approach that one NERC Entity is going to take; I predict it will not be successful.
2. Your plan doesn’t even consider one or more of the five types of risk listed above. And to be honest, given that R1.1 isn’t worded too carefully, I think the only two types that would be absolutely necessary to include are the two procurement risks: a) and c). But even for these, you really only need to consider possible risks in those areas. If you consider them but then decide you don’t have any, you technically wouldn’t be out of compliance.
On the other hand, the whole idea of having a risk-based requirement that
just requires a plan – as R1.1 does – is that there’s such a thing as a good
plan, in contrast with a bad plan. I know the auditors are allowed to assess
penalties in a case where the plan the entity develops just isn’t good at all.
That would be the case, for example, if someone wrote “Supply chain
cybersecurity risk management plan” at the top of a sheet of paper and handed
that to the auditor when they asked to see the R1.1 plan.
So what I wanted to hear from NERC
was: Where do you draw the line? At one extreme, you have a blank sheet of
paper. At the other extreme, you have a very carefully drawn up plan that
considers just about every imaginable supply chain cybersecurity risk, assesses
whether that risk is likely ever to be realized in a typical electric utility
environment (and their suppliers’ environments) nowadays, and describes in excruciating
detail how each of those risks will be mitigated, assuming its likelihood is
high enough that it needs to be mitigated.
So how did the presenters from
NERC describe how R1.1 will be audited? They didn’t at all. Their presentation
focused almost entirely on R1.2 and a little bit on R2 and R3; nothing about
R1.1. Of course, R1.2 provides some red meat for people who like to talk about compliance
details, which NERC people like to do. But I wanted to hear about R1.1, since
in my opinion that is the heart of the standard.
FERC Order 829 (which ordered NERC
to develop a supply chain cybersecurity standard) required a supply chain
cybersecurity risk management plan. In the second paragraph of the Order, FERC
said “Specifically, we direct NERC to develop a forward-looking,
objective-based Reliability Standard to require each affected entity to develop
and implement a plan that includes security controls for supply chain
management for industrial control system hardware, software, and services
associated with bulk electric system operations.” They didn’t say “Well, just
do these six things (now in R1.2). Then you can call it a day.”
When the Q&A period started, I
asked the NERC presenters how R1.1 would be audited. Would an entity get a pass
if they handed in a blank piece of paper and said “We just couldn’t think of
any risks that apply to us. Have a nice day”? After all, this doesn’t seem to
be forbidden by the strict wording of the requirement.
The presenters were sure that a
blank piece of paper wouldn’t be allowed. I was pleased to hear that, of
course. But my question was: Where do you draw the line? How are the auditors
going to decide whether a plan is clearly not acceptable? Or is there even a
line in the first place? Will anything that’s called a plan be acceptable? They
assured me that no, there is definitely a line somewhere, below which a plan is
non-compliant.
So the presenters made it clear
that handing in a blank piece of paper as your CIP-013-1 R1.1 supply chain
cyber security risk management plan will not be looked on favorably by your
auditor. What did they say beyond that, just in case that’s not enough guidance
for you?
I probably don’t have to tell you
the advice the NERC people provided for NERC entities that want some more
guidance on what is an acceptable supply chain cyber security risk management
plan. The same answer you will get from NERC if you ask any other hard question
about CIP, like the meaning of the word “programmable” in the definition of
Cyber Asset: Ask your Region.
I should have known from the
beginning that’s what they would say. It is very unfortunate, but NERC’s
lawyers have for many years forbidden NERC staff members from providing any
information that might be thought of as an “interpretation” of a NERC requirement.
They base this on what I believe is a mistaken application of the idea of
“auditor independence”, which comes from the financial auditing world. Fortunately,
the Regions will usually be willing to provide you with information on what
they interpret a NERC Requirement to mean, although they will just about never write
that down, and it will always be prefaced by “This
is just my personal opinion, not that of the Region, NERC, FERC, the Pope, etc.”
However, in a world where risk
considerations are essential – and that is especially true in cyber security,
where assessing and mitigating risk is literally the whole game – this approach
doesn’t make sense. Given that the NERC CIP standards are becoming more risk-based
all the time (in fact, the last prescriptive CIP requirements drafted were part
of CIP version 5, which came into effect in 2016 – all requirements drafted
since then have been risk-based), NERC needs to re-think its approach to
auditing.
Auditors should collaborate
with the NERC entities on the common goal of securing the Bulk Electric System –
and part of collaboration is freely sharing information on the best ways to further
that goal. It makes no sense to refuse to help a NERC entity as it struggles to
understand how to comply with a risk-based requirement. Instead, not only should
NERC and the Regions answer questions about how to comply with requirements
like CIP-013-1 R1.1, but they should proactively reach out to entities with
information in webinars, white papers, etc. For example, there might be a
webinar entitled “Tips for putting together a good supply chain cybersecurity
risk management plan in CIP-013-1 R1.1”.
Think of it: How does it help secure
the BES to refuse to provide information like this to a NERC entity now, but
then let them make their own mistakes as they design their R1.1 plan? Then to
come back three years later in an audit and say “You got this all wrong”? Even
though the entity would probably not get a PNC at the audit (probably an Area
of Concern, with a directive to fix the problem by the next audit), that’s
still three years that the BES wasn’t as well protected as it could have been
if NERC or the auditor had reached out to help them to start with. I’m not sure
who benefits from that situation, but it’s definitely the one we’re in.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would
love to hear from you. Please email me at tom@tomalrich.com.