I have a Constitutional right to change my mind, and I’m about to do that.
In this recent post, I repeated the concerns that a staff member from one of the NERC Regional Entities had raised to me about whether CIP-013, the upcoming supply chain security management standard, is even enforceable, given that it says contract language is not “in scope” for the standard. This provision means that a NERC entity doesn’t have to show any actual contracts to an auditor in a CIP-013 compliance audit, even though the entity may have asserted that they complied with CIP-013 R2 by getting vendors to include language in their contracts that covers the six specific items required by CIP-013 R1.
As I described in this follow-on post, an auditor from another NERC region responded to the first post by pointing out that “The requirement is essentially that the Registered Entity ask for the elements of the required process(es), not that the vendor agree to them.” In other words, you don’t need to show a signed contract to prove you complied with CIP-013 R2 for a particular vendor. The auditor went on to state that an RFP or even emails stating the “expectations to be placed on the vendor” could constitute evidence of compliance.
I heard a similar argument made by Kevin Perry, the head CIP auditor of SPP, at SPP-RE’s annual CIP workshop in Little Rock this week. He emphasized that CIP-013 R2 (implicitly) requires the entity to try to get the vendor to agree to commit (through contract language or another means like just an email) to doing the six things required in CIP-013 R1, not that they succeed in doing so. They need to provide evidence, like the RFP or emails described above, that shows they indeed tried to obtain that commitment.
The RE staff member wasn’t convinced by this auditor’s argument when I presented it to him, and he sent me a new email. I excerpted two paragraphs from that email in the follow-on post, but I didn’t simply reprint the whole email. Now that I have gone back and read the email, I realize I didn’t do justice to what the staff member said. Here is the full text of his email, although I have broken it into two parts to indicate the two arguments he makes:
Argument One: “The ultimate goal of CIP-013 is to modify the terms of acquisition contracts used by the Responsible Entity:
FERC Order 829 page 59: ‘The new or modified Reliability Standard must address the provision and verification of relevant security concepts in future contracts for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations.’
In keeping contracts out of scope for audits, CIP-013 does not fulfill the underlying purpose of the Standard.”
Argument Two: “There may be some things that can be audited, but the auditors will be handicapped in reviewing evidence. They will not be able to audit that ICS contracts contain provisions which satisfy the security controls of R1, and they will not be able to verify that the entity enforces these controls.
Ultimately, this version of CIP-013 does not fulfill the definition of a Risk-Based Requirement: ‘[D]efine actions by one or more entities that reduce a stated risk to the reliability of the Bulk Power System and can be measured by evaluating a particular product or outcome resulting from the required actions.’ [NERC RoP App 3A Sect 2.4] If the outcome cannot be measured, then the Requirement fails as a Risk-based Requirement.”
Let’s look at the first argument. Although he didn’t comment further, it seems to me the staff member was saying that FERC’s specific use of the word “contracts” in the quotation from Order 829 means that contracts containing the appropriate language are what FERC was actually aiming for, not just an assurance that the entity tried to get the vendor to commit to what is needed.
To this argument, the auditor replied that the enforceability of CIP-013 has nothing to do with whether it fulfills FERC’s order. FERC has to decide whether NERC has fulfilled their order, and if they think NERC hasn’t done so, they will remand it and repeat (or state more explicitly) that this is all about contracts; at that point, NERC would have to change the language. I agree with the auditor on this point.
However, the staff member’s second argument gives me pause. I think he may be right: A requirement that just requires the entity to give it the ol’ college try, without having to show they actually achieved anything, probably does violate the NERC Rules of Procedure.
Unfortunately, I think this brings us back to a point I made in a post from April. There, I documented how I had come to the realization that just having non-prescriptive, results-based NERC requirements (which NERC refers to as “risk-based”, although I don’t like the use of that term in this context) isn’t enough. The whole NERC enforcement environment – including the Rules of Procedure and CMEP – is oriented toward prescriptive requirements. This is why I reluctantly concluded that it will be almost impossible to get any new non-prescriptive requirements approved by the NERC ballot body[i].
In fact, I think it will be very hard to get any new CIP prescriptive requirements approved going forward, either. I think we’ve simply reached the end of the line for any expansion of CIP, absent a FERC order. Look for more on this topic coming soon to a blog near you.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.
[i] And don’t point out to me CIP-013 is non-prescriptive and it just got approved. There was a special reason why CIP-013 suddenly surged from about 9% support on the first ballot to 85% or so on the second (and this same reason probably led to CIP-003-7 being approved last year on the second ballot, after failing badly on the first ballot): There was a FERC deadline that had to be met. Absent such a deadline, I think it will be hard for any new requirements – prescriptive or not – to be approved.