Last week, I pointed out that FERC, in their recent Notice of Proposed Rulemaking (NOPR), demonstrated they’re not happy with the way that CIP-013-2 (and by extension CIP-013-1) has been implemented by NERC and NERC entities. Although FERC didn’t assign blame for this situation, they made it clear they want it fixed. They’re allowing two months for comment, with a deadline of early December. Early next year, they’ll issue an order requiring that NERC draft a revised standard, which will address the problems they discuss in the NOPR.

The NOPR suggests (at a high level) various changes that FERC is considering ordering in CIP-013-2. I’ve seen a number of FERC NOPRs that deal with existing CIP standards; almost all have essentially said, “We don’t have any problem with your first version of the standard, but now we’re going to have you do something more.” However, in this NOPR, FERC effectively said, “The standard you drafted originally (which remained virtually the same in the second version, except it was expanded to cover EACMS and PACS, as well as BES Cyber Systems) was insufficient. We want you to do better this time. Here are some changes we’re considering requiring you to make in our Final Rule next year.”

If my interpretation is correct and this is FERC’s meaning, I don’t think they are being fair to NERC or to the team that drafted CIP-013-1. Here’s why:
· In their Order 829 of July 2016, FERC handed the standards drafting team (SDT) an almost impossible task: They had to develop and get approved probably the first supply chain cybersecurity standard outside of the military, which would also be the first completely risk-based NERC standard. Most importantly, they had to do all of this – meaning they wanted it completely approved by NERC and ready for their consideration – in 12 months.

· All new or revised NERC standards are drafted by a Standards Drafting Team (composed of subject matter experts from NERC entities) and submitted for approval to a Ballot Body composed of NERC entities that choose to participate. The balloting process is very complicated, but approval of any standard requires a supermajority of the ballot body.

· Usually, new or revised CIP standards have required four ballots for final approval. With each ballot, NERC entities can submit comments on the standards. The SDT is required to respond to all comments. Including the commenting process, each ballot can easily require 3-4 months.

· Since the comments often explain why an entity has voted no, the SDT scrutinizes them carefully, trying to identify changes that could be made in the draft standard that would increase its chances of approval. Having attended some of the CIP-013 SDT meetings, I know they received a lot of negative comments and made a lot of changes that some observers (including me) thought were “watering down” the requirements of the standard. However, the team members were always keenly aware of the deadline they faced. They had to make some tough choices to have a chance of meeting that deadline (which they did, of course).

· After having pushed NERC to meet the one-year deadline, did FERC rush to approve the standard? Well…not exactly. Even though CIP-013-1 was on FERC’s desk by the middle of 2017, they didn’t approve it until more than a year later. There was a reason for that. You may remember there was some sort of upheaval in Washington around the end of 2016, and a lot of people departed their jobs (voluntarily and otherwise). In all of that, FERC lost most of its members and was left with one or two Commissioners, which wasn’t a quorum. That’s why it took them longer to approve CIP-013 (in October 2018) than it took NERC to draft it.
In their new NOPR, FERC states they’re considering imposing a 12-month deadline for NERC to revise the standard, fully approve it, and send it to FERC for their approval. This is a terrible idea, since in that case it’s almost certain the new standard will be no more to FERC’s liking than the current one. Fortunately, near the end of the NOPR, FERC suggested they would be open to considering an 18-month deadline. I think that’s a great idea!

This will give the SDT time to discuss and submit for a ballot some of the items FERC listed in their NOPR, as well as perhaps some items that the earlier team considered in 2016-2017 but had to remove in the face of strong opposition. I remember a couple of them (although I don’t have time to go back to the original records to verify every detail of this):
1. It seems obvious that a supply chain security standard should have a definition of “vendor”. Since there is no such definition in the NERC Glossary, the “CIP-013” SDT drafted one. When a new or revised NERC standard requires a new definition, it usually gets balloted along with the standard itself; that happened in this case (I believe it was the first ballot). The definition was solidly voted down. I remember the discussion in an SDT meeting after this happened; the team decided their one-year deadline would be in jeopardy if they kept revising and re-balloting the definition. This is why, even today, there’s no NERC Glossary definition of “vendor”.

2. As originally drafted, Requirement R3 mandated that every 15 months, the NERC entity would review and, where needed, revise the supply chain cybersecurity risk management plan that they developed for Requirement R1. That led to negative comments in the early ballots, which led the SDT to water down R3 to the current language: “Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.” In other words, the CIP Senior Manager needs to approve the plan every 15 months. If they don’t even look at it to see what, if anything, has changed, that’s perfectly fine.
To be honest, I felt (and still feel) that CIP-013-1 was a missed opportunity to develop a risk-based NERC CIP standard that could serve as a model for future risk-based CIP standards. In fact, the NERC community will need such a model, since whatever standards or requirements are developed by the new Project 2023-09 Risk Management for Third-Party Cloud Services drafting team will have to be risk-based: nothing else will work in the cloud.

Fortunately (or unfortunately), the new “cloud” SDT hasn’t even started to consider (except at a very high level) what any new standard will look like, and they won’t be able to do that until next year at the earliest. By that time, FERC will have issued their Final Rule and the CIP-013-3 drafting team should be well into the balloting process. They may have some good advice for the cloud team.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.