Monday, December 18, 2017

Continuing Dialog with an Auditor on Auditing CIP-013


In my last post, I engaged in a dialog with an auditor regarding how CIP-013 will be audited (although this discussion applies to other plan-based standards and requirements, including CIP-014, CIP-010 R4 and CIP-003 R2). The auditor had emailed me to object to the main point I had made in my previous post: that a requirement that mandates that the entity have a plan needs to have some specific high-level criteria in the requirement itself in order for it to be auditable. CIP-013 R1 only provides six criteria that apply to only one of the three main areas that the supply chain cyber security risk management plan needs to address; therefore, I consider R1 to be mostly un-auditable.

In his email, the auditor said I had overlooked the fact that there are both “objective” and “subjective” audits. A prescriptive requirement like CIP-007 R2 can only be audited “objectively” – that is, by checking the box on each part of the requirement; did the entity do it, or didn’t they? But the auditor said a requirement like CIP-013 R1 needs to be audited subjectively. And what is a subjective audit? It is one that determines whether “the approach used was reasonable and sound, and whether the entity sufficiently achieved the objective to not merit a PNC.  That makes the audit subjective and it places a greater burden on the ability of the auditor to make such a determination.”

I then pointed out (I’m still talking about my last post, of course!) that I didn’t think this was good enough to audit a plan-based requirement; I still believed there need to be some objective criteria in the requirement itself (and in my opinion the criteria listed in Attachment 1 for CIP-010 R4 are the best example of providing criteria in a plan-based requirement).  My reasoning came down to this: “If the plan is a reasonable one and adequately takes account of the threats that need to be addressed in the plan, the entity should presumably receive a passing grade on the audit.” And you can consider the “criteria” in the requirement to be essentially a listing of the threats that need to be addressed in the plan.

Here’s an example of what I’m talking about: CIP-010 R4 is a plan-based requirement. It requires the entity to develop and implement a plan for securing Transient Cyber Assets and Removable Media. But it doesn’t just mandate that the entity develop the plan, it provides a whole set of criteria for what must be addressed in the plan; these are listed in Attachment 1 of CIP-010-2.

There are three sections to Attachment 1 (TCA’s managed by the Responsible Entity, etc), each of which contains between two and five headings. The headings show domains that must be addressed within that section: “Software Vulnerability Mitigation”, “Malicious Code Mitigation”, etc. These headings can be thought of as threats whose risk needs to be mitigated: the threat of vulnerabilities in software installed on TCA’s, the threat of malicious code carried on removable media, etc. Under each heading is a list of processes or technologies that can be used to mitigate those threats; the entity must use “one or a combination” of these to mitigate the risk posed by the threat indicated in the heading.[i]

To sum up what I’ve just said, I think that a plan-based requirement needs to include a list of threats that must be addressed in the plan (which I called “criteria” until just now). If the requirement doesn’t include such a list, then I don’t think the auditor can make a decision on whether the plan is adequate or not; in other words, I don’t think the requirement is auditable. CIP-013 R1 only lists six items that need to be included in the plan. They only partially address one of the three overall threat areas that R1.1 requires to be addressed: procuring vendor equipment and software; installing vendor equipment and software; and transitions between vendors. Therefore, I believe CIP-013 R1 (and by extension R2) is only partially auditable. On the other hand, CIP-010 R4 Attachment 1 does a good job of listing threats that need to be addressed, as well as giving the entity options for how they mitigate those threats; I believe that this requirement is auditable.

After I put up this post, the auditor emailed back to me and said the following[ii]: “I am arguing that there do(es) not have to be defined criteria in the Requirement, specifying what must be in a “plan” in order to render the requirement, and thus the plan, auditable.  In fact, the minute criteria appear in the requirement, two things happen.  First, the requirement becomes prescriptive.  The plan must contain these elements or else the plan will be found non-compliant.  Second, many entities will write a plan that only includes those elements.  They will not do the deep thinking, as you suggested in your previous post, to determine what needs to be in a really good plan.  And as circumstances change, there is no incentive to modify the plan because it already hit the required elements…it is technically compliant.”

My response to what the auditor has just said is the following: I am advocating that plan-based requirements include a listing of the threats[iii] that need to be addressed in the plan, not of how those threats need to be mitigated. The fact that the entity still can choose how they mitigate the threat means that the requirement hasn’t been turned into a prescriptive one.[iv] Your second point, that entities will write a plan “that only includes those elements”, should now be reworded as “entities will write a plan that only addresses the threats listed in the requirement.”

Theoretically, raising this as an issue would make sense if we are assuming that NERC entities all have the capability to look out over the whole threat landscape and decide for themselves what are the important threats that need to be addressed in the area covered by the plan-based requirement in question (of course, in the case of CIP-013, those threats are supply chain threats. In the case of CIP-014 R5, the threats are physical threats to an important substation). It is certainly likely that some entities do have this capability (mostly the larger ones, of course). However, I think that a lot of NERC entities (even ones with High and/or Medium impact BES Cyber Systems) would have a hard time articulating how they would do this.

And indeed, I really don’t think it should be up to the entities to survey the threat landscape and decide what are the most important threats that apply to them. Or at least, they shouldn’t be required to do this, if they are potentially going to face a Potential Non-Compliance finding for not being able to identify all of the threats that – in the auditor’s opinion, of course – should be addressed in the plan. So I think there should be a list of threats to be addressed included in the requirement for the plan. This is the case with CIP-010 R4, but it isn’t the case with CIP-013 R1, which is again why I say that requirement is only partially auditable.

A Slight Digression
(You can skip this section without missing anything of the overall argument. In fact, it might be better to skip this section the first time around, so you can keep the larger argument in mind).

The auditor goes on to discuss CIP-013 R1.[v] He says “You argue that Part 1.1 does not specify what must be in the procurement planning processes defined in the plan and therefore Part 1.1 is not auditable.  I disagree.  Part 1.1 specifically states that the processes used in planning for the procurement of BES Cyber Systems must “identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services.”  Part 1.1 goes on to mandate that two types of risks must be addressed: “(i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).”  Part 1.1 does not presume to know what those risks may be.  It is explicitly up to the entity to identify those risks and to assess those risks that have been identified.  Once assessed, the Part expects one or more processes to be developed to address those risks.  The plan and/or procedures will have to include how the risks are identified and assessed, since that is a key expectation of the Requirement.  The entity might have (a) beautifully documented plan and process, defining a completely ineffective methodology for getting where the entity needs to be.  And, as implied by the intended vagueness or non-prescriptiveness of the Part, the entity needs to continue to identify, assess, and mitigate evolving threats.”

You will notice the auditor is talking about “risks” here, not threats. That is because CIP-013 also talks about risks, not threats. However, I believe that threats need to be identified in the requirement, not risks. And what – ask you – is the difference between risks and threats? The Oxford Dictionaries define a threat as “A person or thing likely to cause damage or danger.” Notice there is nothing quantitative about this. For example, a cyber threat might be “software vulnerabilities”.

A risk, on the other hand, is quantitative[vi]. I define it as the probability that a threat will be realized, times its impact. I also believe that, at least in cyber security, it is close to impossible to even estimate the absolute values of particular risks. However, I do believe that it is possible to speak about the different levels of risk that apply to particular threats; this then leads to the possibility of ranking threats according to the degree of risk they pose.[vii]

So if we substitute “threat” for “risk” in what the auditor says above, as well as in the text of CIP-013 itself, I don’t think we’ll do too much harm to the meaning. The auditor can now be understood as simply giving an example of what he said in the first paragraph that I quoted of his email: That it should be up to the entity to identify the threats that need to be addressed in a particular plan-based requirement, and up to the auditor to determine whether the entity has properly identified those threats. As I’ve already said, I disagree with that position. I think the requirement should include in it the threats that need to be addressed in the plan, and that it isn’t auditable unless this is done.

Continuing with our Story
The auditor concludes with this paragraph: “And that is a key point here.  Non-prescriptive requirements by their very nature have implied, “prescriptive” requirements.  CIP-013 R1 is not a “one and done” effort.  As I just mentioned, there is an expectation of continuous identification and assessment of new risks as they arise.  Another implied requirement is that the defined processes that were developed as part of the overall plan are expected to be implemented.  In the past, FERC felt it necessary to require Standards to be modified to explicitly require implementation, otherwise entities might, in FERC’s view, argue that failure to implement the process or control was not a violation because the Standard did not explicitly require it.  FERC even went so far as to declare a CIP-008 Incident Response Plan that was not performed (implemented) in the event of a cyber security incident was to be found as a violation.  In the age of non-prescriptive requirements, the underlying expectations have not changed; they are just not explicitly stated.  You cannot have it both ways.  If you want prescriptive requirements, then fine.  Just don’t then complain about the minutiae.  If you do not want prescriptive requirements, then accept that you will have to read between the lines and meet the intention of the Standard and its requirements.  And accept that the auditor is adept at reading between the lines as well and will evaluate what you did against the intention of the requirement and its underlying expectations, to determine if you did “good enough.”  The audit team will then apply its collective expertise and professional judgment to determine what type of finding might be warranted, given the facts and circumstances of the instant case.” (my emphasis)

I have three comments on this. The first is that a requirement may well be implied by another requirement (and I talked a lot about implicit requirements in CIP v5 in the long-ago days), but the implied requirement can never be audited by itself (although I don’t disagree with the auditor that the entity could be in violation of the original requirement if they haven’t followed a requirement that is clearly implied by it. On the other hand, this is no way to write mandatory standards! All requirements should be explicitly stated. This is one of the big problems with CIP v5 – the fact that full compliance requires following so many implied requirements). The auditor uses the example of a requirement to develop a plan but not to implement it. I know that was a problem in the CIP v1-v3 days, but I don’t now know of any current CIP requirement to develop a plan, that isn’t accompanied by a requirement for the entity to implement the plan.

Second, I want to call attention to what the auditor said about “continuous identification and assessment of new risks as they arise”. Of course, I would substitute “threats” for “risks” here, but otherwise I totally agree that there needs to be a process to identify new threats as they arise. As I discussed in this post, this is what CIP-013 R3 does. But this also shouldn’t be the entity’s job. There should be a centralized body that continually reviews new supply chain threats, as well as new techniques for mitigating them, and regularly updates NERC entities on these.

But my biggest issue is with the sentences I highlighted. It seems to me that the auditor is making a false dichotomy here. He seems to be saying that if a requirement isn’t prescriptive (i.e. it’s an objectives-based or plan-based requirement), then entities just have to accept that there will be implied requirements they will be held accountable for. I think this is almost exactly backwards. Implicit requirements only come into play when there are prescriptive standards that aren’t worded properly. Since a plan-based requirement (which BTW I will soon start calling management-based, while I’ll start calling prescriptive requirements means-based. There’s a reason for this, which I’ll discuss in a separate post soon. For the moment, I’m sticking with my current terms) doesn’t prescribe any actions, there shouldn’t be any implicit requirements associated with it. Especially since I’ve now clarified my wording, and said that all plan requirements should include a list of threats that need to be addressed in the plan, not a list of “criteria”. The auditor feared that criteria could easily become prescriptive requirements, and I agree with him about that. But threats can’t become requirements in themselves.

Finally, the End
I started this post with my assertion (from two previous posts) that plan-based requirements should have a list of threats that need to be addressed in the plan, in order to be auditable. Furthermore, I stated that, since CIP-013 R1 only provides a partial list of the threats to be addressed in the supply chain cyber security risk management plan (SCCSRMP, in case you forgot the acronym. In another year, this acronym will be on every NERC compliance professional’s lips, it’s so musical. I ought to trademark it), R1 is mostly un-auditable. So I am ending the post by making the same two assertions that I started it with, after having considered the auditor’s excellent points that he raised in his email. I have learned a lot by writing this post, and I have clarified my positions. Just because I ended up where I started doesn’t mean the journey wasn’t worthwhile!
               
Of course, I have yet to answer the question I’ve said I’ll address in my next post twice already: namely, whether it matters that CIP-013 R1 is mostly un-auditable (spoiler alert: I’m going to say it really doesn’t matter that much). Maybe next time I’ll actually do that, although I won’t bet on it.


The views and opinions expressed here are my own, and do not reflect those of any organization I work with. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

[i] I’m sure some people questioned the fact that in none of these sections is the entity free to find another mitigation that is equally effective as the ones listed; these are the only options the entity has. My guess is the drafting team decided that there was too much risk that an entity would grab onto ineffective means of mitigating the risk, rather than the tried-and-true ones listed. I won’t try to weigh in on this argument, since the requirement is now in effect and I haven’t heard any grousing about the fact that the entity doesn’t have any other options besides those listed (like they do in CIP-003-7 Attachment 1, Section 3.1, where the entity is just required to “implement electronic access controls” to “Permit only necessary inbound and outbound electronic access” to Low impact assets with external routable connectivity. Of course, CIP-003-7 is another plan-based requirement).

[ii] There were actually two email exchanges this time. What I’m quoting is all form the second exchange.

[iii] And I will readily admit that my thinking has evolved even since my last post, when I was simply saying that there need to be “criteria” in the requirement. I wasn’t thinking that the criteria would be simply threats that need to be addressed, but that they could indeed be something like requirement parts. If I hadn’t changed my thinking, I would completely agree with the auditor that these criteria could well have turned into prescriptive requirements. However, by clarifying that the requirement needs to include a listing of threats, not “criteria”, I think I have addressed the potential problem of turning a plan-based requirement into a prescriptive one.

[iv] If you’ve been paying attention, you may think this is a contradiction to the praise that I just heaped on CIP-010 R4 Attachment 1. This requirement lists threats to be mitigated, but it only provides certain options for mitigation; the entity doesn’t have complete freedom to mitigate in a way that makes the most sense for them. While I don’t necessarily agree that this is the right approach, I think that just having these options means this hasn’t turned into a prescriptive requirement.

[v] Part of what he says isn’t germane to the main argument of this post, but is nevertheless quite good. Here it is:

“The purpose of the Standard, and thus the collective purpose of the requirements is to “to mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems.”  Everything that the entity does with respect to the requirements is expected to achieve the overall purpose of the Standard.  In plain language, the entity needs to “do something”, i.e., implement one or security controls to mitigate risks.  That, therefore, implies that the entity needs to identify and understand the risks so that it can design effective security controls to mitigate those risks.  Yes, I know that the purpose statement is not an approved, auditable requirement.  But, it serves to inform the intention of the Standard and its requirements, thus establishing certain expectations of performance.

“Requirement R1 states “each Responsible Entity shall develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems.”  The requirement goes on to specify certain elements that must be in the plan.  There are two specific elements: (Part 1.1) one or more process(es) used in planning for the procurement of BES Cyber Systems, and (Part 1.2) one or more process(es) used in procuring BES Cyber Systems.

“I agree that Part 1.2 prescribes six specific elements of the procurement process that are auditable.  Either the processes collectively address the six elements or they do not.  Part 1.2 is prescriptive and can be objectively audited in terms of whether the elements are present.  Part 1.2 can also be audited subjectively in terms of whether the elements were adequately addressed.  The subjective aspect of the audit of Part 1.2 primarily applies to Parts 1.2.5 and 1.2.6.  Those are the two Parts that afford entity the most discretion in how the entity approaches the expectations.  For example, Part 1.2.5 requires “verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System.”  While hashing downloaded files and verifying the hash results against information provided by a vendor is an excellent way to accomplish this expectation, not all vendors will provide hashes of their software.  The process will have to address how the entity plans to perform the expected verification in the absence of provided hash values (in this example).  That suggests that as the plan and its required processes are developed, the entity is coincidently evaluating what its vendors do today in order to identify and develop appropriate verification schemes that accommodate vendor practice.  And, if the vendor changes its practices in the future, the processes might need to be changed to maintain alignment.

[vi] I will readily admit that the definition of risk that I’m giving here isn’t from any dictionary. Rather, it is the definition that makes my worldview of industrial cyber security work. I’ve said before – in fact, probably in mid-2016 – that I’m working on a book, with two co-authors, on how NERC CIP can be “reformed” to address the major problems it has, and make it sustainable into the future (which it is not now, in our opinion). I’m glad to say that we’ve finally progressed beyond the talking stage and are doing serious writing now, although I’m not going to even talk about a publishing date yet. In any case, this “definition” of risk is the one we are using in our book and it works for our purposes. Other definitions would work for other purposes.

[vii] This observation – that it is possible to at least give a rough ranking of the relative degree of risk that each cyber threat poses – is the key to making our upcoming book work. I hate to tease you with this idea and leave it there, but I can’t really explain why this is the case without quoting a good portion of the book. And the book isn’t written yet!

No comments:

Post a Comment