Steve Parker, the President of EnergySec, left this comment on my recent post “On Results-Based Requirements”:
“Tom: First, thanks for the kind words about our newsletter. Second, I somewhat share your optimism, although mine is tempered by the reality of the current CMEP and NERC legal authority. The problem is that CIP audits are pass/fail performance audits. Although I like the idea of moving to assessments, the CMEP needs to be modified to account for that. I think you hinted at that in your post.
“I worry that trying to take an assessment-based approach without modifying the underlying Rules of Procedure, legal authority, and CMEP could lead to unexpected and undesirable results. What if an entity ignores an Area of Concern because it was not a violation? Could it eventually become one? Would there be liability for not doing something? Could this ultimately give de facto authority to auditors that they do not currently have?
“As I said, I like the idea of assessment-based approaches to entity oversight. In fact, I have advocated for that with state regulators. I just want to see it done properly.” (Steve made similar comments in the EnergySec Weekly Update newsletter that came out the same day.)
My initial response to Steve (which I posted as a comment under his, although I’m expanding on it here) was quite simple: I don’t envision any of this happening because of, or in spite of, appropriate changes being made in the RoP, CMEP, etc. I see it as inevitably happening because much of CIP v5 is simply unenforceable in the strict sense, meaning that an entity that challenges a fine in the civil courts will, in my personal opinion, almost inevitably prevail. For that reason, and also because there are so many open questions about what the v5 requirements mean (almost all of which will never be finally resolved unless or until they are addressed in a new version of CIP, which is three years away at the minimum), I believe auditors won’t have much stomach for trying to issue a bunch of PVs over purely technical violations. Instead, they will focus on what really is important, and what is also much more pleasant for them: working with the entity to suggest ways of improving its overall level of cyber security.
The caveat is that this will only happen with entities that are clearly doing their best to comply with CIP v5, since there is nothing to be gained by fighting with them over compliance details that simply have no correct answer. For instance, let’s say the entity hasn’t patched one device that’s part of a BCS, but the rest have been properly patched. Since CIP-007-6 R2 applies to BCS, not to components of BCS, have they violated anything or not? I think it’s clear that entities should interpret that requirement, and a lot of others, as applying to the components of BCS. But I personally believe there’s no way that, were the entity to be fined for this and appeal to the courts, the fine would be upheld. There are hundreds of similar examples I could drag up.
However, I had a conversation with Steve at the UTC conference in Denver this afternoon. He pointed out to me that NERC audits are supposed to be devoted to auditing; anything outside of that mandate would require changes to the CMEP or the RoP. While you certainly don’t want to prohibit auditors from going beyond what CIP requires and issuing Areas of Concern for security issues that should be addressed, if this becomes a substantial part of most audits, it really needs to be recognized in those governing documents.
As Steve said in his comment, one danger is that an Area of Concern issued during one audit, for a security measure that isn’t mandated by the CIP requirements, would lead in a subsequent audit to a PV. The way to guard against this would be to make changes to the CMEP or RoP so that this and other abuses are guaranteed not to happen. So I stand corrected, at least to the extent that these changes should be considered.
But I don’t want the regions to suddenly pull back from their new approach and go back to the bad old days of just looking for violations (no matter how unimportant), pending revisions to those documents. The new auditing approach will help a lot toward the goal of increasing grid cybersecurity, even if at the moment the full legal authority for it isn’t in place. My personal opinion is that the auditors will do the right thing (and I know that Steve, being a former auditor himself, wouldn’t disagree with this!) and not pervert the process before the CMEP and/or RoP can be revised.
But the new audit approach has to be seen as an imperfect solution to a much deeper problem: namely, that prescriptive standards just don’t work for cybersecurity regulation. I believe the solution is what I call a risk-based approach, something like CIP-014: the entity is required to get an assessment of its security threats and vulnerabilities and to put in place a plan to address those threats and remediate the vulnerabilities. The plan will most likely need to be approved by NERC, which could order revisions. The entity is then audited on how well it has implemented the plan.
The hallmark of this new approach to CIP is that a threat and vulnerability assessment will be at its heart, just as it is in the case of CIP-014. While I don’t think that the Regional Entities have the staff to actually conduct all of the assessments, I do believe they should be required to review all of the reports, as well as the mitigation plans that result from them; they could then order changes to a plan, or order that an assessment be redone, if needed.
This is currently in the “I have a dream” stage[i], but, as I tried to point out in the post in question, it may be hastened precisely by the fact that (in my humble opinion, as always) CIP v5 is unenforceable in the strict sense. Since this “ultimate solution” has a security assessment at its heart, the new audit approach discussed in that post could in a sense be seen as a “halfway house” on the way to the ultimate solution to the problems of CIP.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] Note that I’m not advocating that the new CIP v7 drafting team stop working on what’s in the SAR and just focus on this complete rewrite of CIP. On the other hand, I certainly hope v7 will be the last prescriptive CIP version. I want CIP v8 to be the new risk-based CIP!