I have heard from an industry source that FERC recently asked at least one of the trade associations to answer two questions (they in turn circulated these to their members):
Q1: Which, if any, of the existing CIP requirements would you get rid of and why? Do any of these requirements harm/hinder security efforts?
Q2: What would a performance or results-based approach to the CIP Standards look like? (e.g., a CIP-014 type approach) Could it help to improve compliance efficiency and certainty as well as the security of the BES? How?
FERC didn’t ask for my opinion on these questions, but since I always try to be helpful, and since I have answered these multiple times in various posts but not in one place, here is how I would answer them if asked.
Regarding Q1, my answer is very simple: Just getting rid of particular CIP requirements and leaving others makes no sense (no more sense than the “2 for 1” rule – in which two regulations must be eliminated for every new rule – makes). The problem isn’t that some of the specific things that CIP makes entities do are unneeded while others are needed. Everything that CIP requires is needed, just not all to the same degree. Plus there’s a lot more that CIP doesn’t require – controls on phishing, ransomware protections, etc. – that is also very much needed.
And that’s the point (which also brings me to my answer to Q2): By requiring that NERC entities allocate large amounts of resources to particular areas like CIP-007 R2 patch management compliance and not requiring any resources be spent on areas like phishing[i], CIP forces a misallocation of an entity’s cyber dollars.
In an ideal standard, the entity would:
- a) come up with a list of current threats to its control of BES processes (and this list should ideally be generated externally by some group like the E-ISAC[ii]);
- b) get an assessment of its current control posture vis-à-vis these threats;
- c) prioritize the vulnerabilities developed by that assessment by their degree of impact on control of the BES;
- d) develop a mitigation plan that allocates resources to each vulnerability based on its degree of impact;
- e) have their NERC Region review the plan and order changes if needed[iii];
- f) execute the plan;
- g) be audited by their Region on how well the entity had executed the plan[iv]; and
- h) rinse and repeat: execute the whole cycle every two or three years (for larger and riskier entities) or longer (for smaller and less-risky entities; of course, I’m talking about risk to the BES, not financial risk or something like that), with the new vulnerability assessment based on the latest version of the “threat list”[v].
At one point I thought that CIP-014 was a good model for what I’m proposing, but I now think that it should have a lot more structure (like the above) if we’re talking about replacing CIP-002 through CIP-011. CIP-014 essentially tells the entity (that has assets in scope) to get an assessment and fix the problems, period. These are both steps in what I’m advocating, but they’re far from being the whole story.
I recently put together a list of the six principles (subject to later additions, of course. I don’t believe six is a magic number) that would govern the security regime I am advocating[vi]. They are:
- The process being protected needs to be clearly defined (the Bulk Electric System, the interstate gas transmission system, a safe water supply for City X, etc.).
- The compliance regime must be threat-based, meaning there needs to be a list of threats that each entity should address (or else demonstrate why a particular threat doesn’t apply to it).
- The list of threats needs to be regularly updated, as new threats emerge and perhaps some old ones become less important.
- While no particular steps will be prescribed to mitigate any threat, the entity will need to be able to show that what they have done to mitigate each threat has been effective[vii].
- Mitigations need to apply to all assets and cyber assets in the entity’s control, although the degree of mitigation required will depend on the risk that misuse or loss of the particular asset or cyber asset poses to the process being protected.
- It should be up to the entity to determine how it will prioritize its expenditures (expenditures of money and of time) on these threats, although it will need to document how it determined its prioritization.
I have just answered the first part of Q2: “What would a performance or results-based approach to the CIP Standards look like?” My answer is that it would look like what I’ve just described. This is a results-based approach because it requires the entity to achieve a particular result (mitigation of the vulnerabilities identified in the assessment, ranked by their impact), without prescribing how that is to be achieved (of course, there will be lots of guidance on how to mitigate various types of vulnerabilities, and more importantly that guidance will be regularly updated, perhaps by the same group that updates the threat list).
The second part of Q2 reads: “Could it help to improve compliance efficiency and certainty as well as the security of the BES? How?” I will break this down into its parts.
- Does what I am proposing improve compliance efficiency? I guess it does, but compliance efficiency isn’t the goal – efficiency of improving cyber security should be the goal. As I said at the outset, NERC CIP now forces a misallocation of resources toward tasks that – while certainly producing some security benefit – probably don’t produce a benefit that justifies the expenditure required, while at the same time leaving fewer resources for areas like phishing that aren’t part of the CIP requirements at all and are probably more deserving of resources.[vii] What I am proposing would a) reduce (but not eliminate) the paperwork burden, but more importantly b) produce a great deal more cyber security for every dollar spent, vs. the current prescriptive CIP compliance regime.[viii]
- Does what I’m proposing improve compliance certainty? I’m not sure whether it improves it, but it certainly doesn’t hurt it. It makes compliance certainty fade as an issue, since there are no longer prescriptive requirements, whose interpretation one way or the other will make entities face million-dollar-a-day fines. An entity will still be subject to fines, but those will be for not fulfilling the promises it made when FERC approved its mitigation plan. The entity could be fined if it didn’t follow through in some way, and if it also didn’t address the corrections that the region ordered.[ix]
- Does this help the security of the BES? Absolutely. As I said, the biggest benefit is that it effectively increases the amount of money going to BES security without in itself requiring an overall increase in cyber security expenditures (although don’t kid yourself – cyber expenditures are going to have to go up every year for the foreseeable future. That’s the world we live in).
So here are my respectful answers to FERC’s questions. If anyone has comments or wants to discuss these, email me at email@example.com.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.
[i] In practice, I’m sure most utilities are now spending a lot of money to address the phishing threat. But it’s almost axiomatic that, since the CIP requirements carry the possibility of big fines whereas anti-phishing measures don’t avoid any fines, entities will spend much more on other less serious threats if they’re part of the CIP requirements.
[ii] This list should be updated regularly, at least once a year and maybe every six months. The entity could always add a threat to its own list, if its own situation dictates it should be on the list. Conversely, they could remove a threat from the list if it doesn’t apply to them or if they’d already sufficiently mitigated this. They would have to document their justification for doing this, though.
[iii] Of course, they couldn’t order changes just because some auditor felt like it. There would be guidelines for what constitutes an acceptable plan.
[iv] Normally, if the Region feels an entity has not properly addressed a particular vulnerability, they could order it to re-do or augment the steps it took to address that vulnerability. And if the Region feels the entity has really screwed up the whole effort, they could order it be redone. Again, there would be guidance on what does and doesn’t constitute successful mitigation of a vulnerability.
[v] One of the big problems with CIP now is that it is close to impossible to address a new threat. For example, virtualization has brought lots of benefits but also new potential threats. Virtualization was widely used in 2011 when the CSO 706 (CIP) SDT turned its attention to developing v5, yet I don’t think there was any real thought of addressing virtualization in v5. Now NERC really has to address it, and the drafting team is doing very good work on addressing virtualization on a conceptual level, as well as starting to develop new (or revised) requirements and definitions. However, because of the sheer number of the changes that will be required, I am skeptical they will ever be able to get all of this approved by the ballot body, at least within the lifetime of the universe as we know it. I will attend the drafting team’s meeting in Montreal next week and hope to get a better take on this effort, since I admit I have not paid enough attention to virtualization lately.
[vi] While that post was specifically about natural gas pipeline regulation, I wrote the principles so that they would apply equally well to any process-based critical infrastructure. In the next post, I discussed them in the context of the electrical power industry, which is of course where they are needed first.
[vii] And don’t tell me that the solution to this problem is to write a SAR for a new CIP phishing standard! I don’t want the current CIP standards to be expanded beyond what they currently cover. Instead, I want a regime where all threats are considered and prioritized. I am sure phishing will be at the top of a lot of entities’ lists of threats to address, although that might not be true in five years (I’m sure there will be new threats we haven’t thought of yet by that time).
[viii] I’ve noted a couple of times that I asked some entities how much of every dollar they spent on implementing CIP v5 went to cyber security vs. just compliance – the average answer I got was 50%. I doubt my plan will reduce any utility’s total spending on cyber security (including CIP compliance). However, I do believe it will increase that percentage to, say, at least 75 or 80%. If, say, two billion dollars a year is now being spent on CIP compliance by North American utilities and IPPs (and I don’t know what the full number is, although I’m sure it’s well over $1 Bn), increasing the percentage to 75% would be an effective increase of $500 million going to cyber security. That’s much more than I earn in a year.
[ix] I won’t pretend there isn’t a potential problem with rogue auditors who like to torment utilities by unreasonably saying they haven’t fulfilled their mitigation plan. There will need to be controls to prevent this, the most important being a much more extensive auditor training program and higher requirements for cyber security expertise.