Early this year, I was invited to speak at the EastWest Institute’s Global Cybersecurity Cooperation Summit in Berkeley, CA in March – specifically, at the meeting of the EWI’s Breakthrough Group on Increasing the Global Availability and Use of Secure ICT[i] Products and Services. I had certainly heard of the EastWest Institute previously, but only in the context of their weighing in on ponderous global issues like war and peace. I didn’t realize that cybersecurity would rank as a concern worthy of their attention, but this is obviously the case, and has been for many years.
I believe the reason I was invited to speak at this meeting was the various posts I have written on FERC Order 829 and the subsequent development of CIP-013, the new Supply Chain Security standard (of course, that standard is very much still in the development process. Moreover, three of the existing CIP standards are now being modified to include requirements from the first draft of CIP-013, that commenters on the first draft felt would be better included in those standards).
Last year the Breakthrough Group published an ICT Buyers Security Guide. I read the guide and discussed it with the members of the group before the meeting. I am quite impressed with this document, for two important reasons. First, it is concise (the main discussion takes up about 22 pages). As such, it contrasts vividly with NIST 800-161, NIST’s supply-chain security guide. Like most NIST publications, 800-161 tries to exhaustively (and exhaustingly!) cover every possible aspect of its subject, supply chain security. Unfortunately, the result is that non-governmental organizations, who aren’t required to follow it, must put in a considerable amount of effort just to decide which controls they should focus on (and also, for each control, how they should address it).
Second, the guide is very practical. Perhaps because it is concise, it is focused on providing guidelines that organizations can immediately put into practice. These guidelines are mostly in the form of 25 questions that can be asked of suppliers, like “Are third-party inputs evaluated for security prior to selection and tracked/validated upon entering the supply chain?” and “How are products and services continually tested for security vulnerabilities?”[ii]
If you’re wondering how this Guide might fit in with CIP-013, I would think some or all of these questions might be incorporated into your entity’s process for compliance with CIP-013 R1.1.1 (at least, as that requirement part stood in the first draft, posted in January).
So I recommend that you read this document, and consider how it might help your organization achieve two goals: a) Improve your supply chain security posture; and b) Comply with CIP-013.
I also want to point out that the EWI supply chain security group is now working on a major revision to the Guide. If you might be interested in participating in that process (which includes phone conferences and in-person meetings), let me know and I’ll put you in touch with the leader of the group.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.
[i] ICT stands for Information and Communications Technology.
[ii] Of course, it’s up to the organization to determine which questions to ask of which suppliers. One big difference between this Guide and both CIP-013 and NIST 800-161 is that this guide focuses entirely on what suppliers do and don’t do. It doesn’t address other areas that are under the entity’s control, such as secure deployment and vendor remote access control. Of course, some might argue that these topics aren’t really part of supply chain security. And they probably wouldn’t be in CIP-013 either, except for the fact that FERC ordered they be included.