Steve Parker, the President of EnergySec, left this comment on my recent post “On Results-Based Requirements”:
“Tom: First, thanks for the kind words about our newsletter. Second, I somewhat share your optimism, although mine is tempered by the reality of the current CMEP and NERC legal authority. The problem is that CIP audits are pass/fail performance audits. Although I like the idea of moving to assessments, the CMEP needs to be modified to account for that. I think you hinted at that in your post.
“I worry that trying to take an assessment based approach without modifying the underlying Rules of Procedure, legal authority, and CMEP could lead to unexpected and undesirable results. What if an entity ignores an Area of Concern because it was not a violation? Could it eventually become one? Would there be liability for not doing something? Could this ultimately give de facto authority to auditors that they do not currently have?
“As I said, I like the idea of assessment based approaches to entity oversight. In fact, I have advocated for that with state regulators. I just want to see it done properly.” (Steve made similar comments in the EnergySec Weekly Update newsletter that came out the same day).
My initial response to Steve (which I posted as a comment under his, although I’m expanding on it here) was quite simple: I don’t envision any of this happening because of, or in spite of, appropriate changes being made in the RoP, CMEP (Compliance Monitoring and Enforcement Program), etc. I see it as inevitably happening because much of CIP v5 is simply unenforceable in the strict sense, meaning that an entity that challenges a fine it receives will, in my personal opinion, almost inevitably prevail in the civil courts. For that reason, and also because there are so many questions about what the v5 requirements mean (almost all of which will never be finally resolved unless and until they are addressed in a new version of CIP, which is three years away at the minimum), I believe auditors won’t have much stomach for issuing a bunch of PVs (Potential Violations) over purely technical violations. Instead, they will focus on what really is important, and what is much more pleasant for them: working with the entity to give them suggestions for improving their overall level of cyber security.
The caveat in this scenario is that it will only happen in the case of entities that are clearly doing their best to comply with CIP v5, so that there is nothing to be gained by fighting with them over compliance details that simply have no correct answer. For instance, let’s say the entity hasn’t patched one device that’s part of a BCS (BES Cyber System), but the rest have been properly patched. Since CIP-007-6 R2 applies to BCS, not to components of BCS, have they violated anything or not? I think it’s clear that entities should interpret that requirement, and a lot of others, as applying to the components of BCS. But I personally believe there’s no way that, were the entity fined for this and to appeal to the courts, the fine would be upheld. There are hundreds of similar examples I could drag up.
However, I had a conversation with Steve at the UTC conference in Denver this afternoon. He pointed out to me that NERC audits are supposed to be devoted to auditing compliance with the requirements; anything outside that mandate would require changes to CMEP or the RoP. While you certainly don’t want to prohibit auditors from going beyond what CIP requires and issuing Areas of Concern for security issues that should be addressed, if this becomes a substantial part of most audits, it really needs to be recognized in those governing documents.
As Steve said in his comment, one danger is that an Area of Concern issued during one audit, for a security measure that isn’t mandated by the CIP requirements, would lead in a subsequent audit to a PV. The way to guard against this would be to make changes to CMEP or the RoP so that this and other abuses are guaranteed not to happen. So I stand corrected on this point, at least to the extent that these changes should be considered.
But I don’t want the regions to suddenly pull back from their new approach and go back to the bad old days of just looking for violations (no matter how unimportant), pending revisions to those documents. The new auditing approach will help a lot toward the goal of increasing grid cybersecurity, even if at the moment the full legal authority for it isn’t in place. My personal opinion is that the auditors will do the right thing (and I know that Steve, being a former auditor himself, wouldn’t disagree with this!) and not pervert the process before CMEP and/or RoP can be revised.
But the new audit approach has to be seen as an imperfect solution to a much deeper problem: namely, that prescriptive standards just don’t work for cybersecurity regulation. I believe the solution is what I call a risk-based approach, something like CIP-014: the entity is required to get an assessment of its security threats and vulnerabilities and to put in place a plan to address those threats and remediate the vulnerabilities. The plan will most likely need to be approved by NERC, who could order revisions. The entity is then audited based on how well they have implemented the plan.
The hallmark of this new approach to CIP is that a threat and vulnerability assessment will be at its heart, just as it is in the case of CIP-014. While I don’t think that the Regional Entities have the staff to actually conduct all of the assessments, I do believe they should be required to review all of the reports, as well as the mitigation plans that result from them; they could then order changes to a plan or order an assessment be re-done if needed.
This is currently in the “I have a dream” stage[i], but, as I’ve tried to point out in the post in question, it may be hastened precisely by the fact that (IMHO as always) CIP v5 is unenforceable in the strict sense. Since this “ultimate solution” has a security assessment at its heart, in a sense the new audit approach discussed in that post could be seen as a “halfway house” on the way to the ultimate solution to the problems of CIP.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] Note that I’m not advocating that the new CIP v7 drafting team stop working on what’s in the SAR and just focus on this complete rewrite of CIP. On the other hand, I certainly hope v7 will be the last prescriptive CIP version. I want CIP v8 to be the new risk-based CIP!