Do you remember the NERC Supply Chain Working Group (SCWG)? We’ve been in operation since 2018 and are still going strong. Our current project is to update the set of supply chain guidelines that we drew up in 2019. Drafting them was a great experience, since we had a lot of people participating on the calls. I anticipate that re-drafting them (or perhaps adding to them, since my guess is most of them don’t need to be amended very much) will be equally interesting.
One important goal of the guidelines is to keep them short enough to be read in maybe 20 minutes. The original guidelines were all 3-5 pages long, and I anticipate the new ones will be 5-8 pages. I’ll point out something you may already know: It’s a lot harder to write a short paper than a long one. That may be why the drafting meetings were so interesting – when every word has to count, you need to decide what has to be said and say it as economically as possible (which of course is why blog posts sometimes go on and on – since the blogger knows there’s no limit imposed and he doesn’t have to be careful about his words. Of course, I don’t personally know any bloggers like that, but I’m told they’re out there).
I ended up leading the drafting of two of those papers, and I’ll be leading it for the new versions of both papers (unless someone else would like to take the lead on one of them and I’ll just participate. That would be fine with me). We need to get the drafts done by I believe mid-March, so we won’t have many meetings to draft them. I will have 3-4 meetings for each paper, and I’ll alternate weeks, so there will be a meeting for one paper the first week and the other the second, etc. Of course, you can come to as many meetings as you want – although of course there won’t be any recordings made.
The two papers for which I’ll lead the drafting are both found here, along with some slides from presentations we did in Orlando in June 2019. There are also recordings of webinars we did (one for each paper) in 2020, which were well attended (since people weren’t going to a lot of in-person meetings in April through June of 2020). My two papers are Cyber Security Risk Management Lifecycle (which should really be called Supply Chain Cyber Risk Management Lifecycle – we’re not trying to tackle the entire field of cybersecurity in five pages!) and Vendor Risk Management Lifecycle.
You’re welcome to attend any or all of the meetings; I’m not going to keep attendance. You don’t have to be a member of the SCWG, although we’ll probably enroll you anyway. This will entitle you to all the benefits and emoluments of membership - priceless. We’re even waiving the normal $1,000 signup fee…😊
Also, even though these meetings are mostly populated with electric power industry types, I can assure you there’s nothing we’ll be talking about that’s specific to the power industry. So anyone is welcome to participate, both suppliers and end users. Note that, even though the papers are NERC publications, they aren't compliance guidance for CIP-013; they're simply best practices for supply chain cyber risk management.
We’ve put out Doodle polls to find the best time for both series of meetings. The poll for the Cyber Risk Management meetings is here and for Vendor Risk Management is here.[i]
I hate to pressure you, but for the Cyber Risk Management meetings, we’ll have to decide the time by tomorrow afternoon, since we want to have the first meeting this week. So if you’re interested in that, please sign up asap (note we won’t meet on Monday the 17th, although if Monday is the best for someone, we could later move the meeting to Monday if the rest agree). For Vendor Risk Management, we’ll meet next week (the week of the 24th), so we’ll wait a few days before we set that time. We’ll send everybody who’s participated in the poll an invitation for the series.
I hope you can help us out!
Need CIP-013 compliance help, either from the NERC entity or the vendor side? I’ve worked with a number of electric utilities on CIP-013 compliance, and I’m currently working with two vendors to the industry. Drop me an email and we can talk!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] If you want to sign up for one of the three other papers that we’re going to revise this quarter (the others will come later) – which are Provenance, Open Source, and Secure Equipment Delivery – drop an email to Tom Hofstetter of NERC at tom.hofstetter@nerc.net and he’ll send you the links for those Doodle polls.