If you’re involved with the electric power industry and you’ve been reading this blog for a while, you’re undoubtedly familiar with Lew Folkerth. Lew is Principal Reliability Consultant with the RF region of NERC and is probably the most respected authority on the NERC CIP standards. But more importantly, he’s a great teacher on those standards and he places everything he says in the context of cybersecurity and risk management (he’s very knowledgeable about both subjects).

Lew writes a column on NERC CIP in RF’s newsletter, which is published quarterly. Since the newsletters are big files, Lew also publishes his columns separately. You can access them by going here and dropping down the menu for Standards and Compliance at the bottom. Under Outreach, you’ll see a link to every one of his columns since he started writing them in 2014. And BTW, you’ll also see the link to the slides for the talk I gave on SBOMs and CIP-013 compliance at RF’s March Tech Talk.

Most importantly, Lew has just put together, for the first time since 2019, a single file with all of his columns. Here are some of my favorites, starting this year and moving back (page numbers refer to the PDF itself, not the numbers at the bottom of each page):

1. BCSI Revisions (page 127) – this is an excellent article (published in Q1) discussing the revisions to CIP-004 and CIP-011 to update the protections for BES Cyber System Information, including BCSI in the cloud.
2. Using Advanced IT Technologies in an OT Environment Part 2 – Containers (page 121) – another excellent article that both gives a great introduction to containers and describes how you can utilize containers within your Electronic Security Perimeter, yet still be in compliance with the CIP requirements. I had never thought this was possible.
3. Implied Requirements (page 117) – This is one of the endearing “features” of the NERC CIP requirements – there are so many requirements that are implicit. Because they’re implicit, you can’t receive a violation for missing them, but missing them will put you out of compliance with other requirements. I wrote about implicit requirements several times, including here and here.
4. Incident Response and Incident Management (page 115)
5. CIP-012-1 In-Depth (page 104), followed by a very detailed accompanying article starting on page 106

Of course, if you get hooked on Lew, you should subscribe to the RF newsletter, which has a lot of other interesting articles besides Lew’s columns.

If you’re with a NERC entity or an IT or OT supplier to the power industry, I’d love to have a discussion with you about CIP-013 and supply chain cybersecurity. Please drop me an email.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.