Sunday, April 15, 2018

Interesting Comments on CIP-013



Mike Johnson put out a very good post last week summarizing the comments that FERC received regarding CIP-013, in response to their January NOPR indicating they intend to approve the standard. I won’t summarize the post, but I found it most interesting to note that the comments fell into two distinct groups, depending on whether the commenter was from a NERC entity or some other organization.

In both groups, the comments were almost always uniform. For the NERC entity group, the responses almost all said[i]:

  1. That FERC’s proposal to shorten the implementation period for CIP-013 from 18 to 12 months is a bad idea, since there’s a huge amount of work that needs to be done to prepare for compliance, especially for the larger utilities. I’m in complete agreement with this sentiment. Part of the reason I say this is that – just as was the case with CIP v5 – there is significant uncertainty about what the requirements mean. Until this is cleared up in some way, NERC entities will have a very hard time putting their compliance programs in place.
  2. That requiring NERC entities to apply CIP-013 to Electronic Access Control and Monitoring Systems (EACMS), as well as BES Cyber Systems, is another bad idea; FERC also asked for comments on this in the NOPR. I agree that this shouldn’t be done in the first compliance version (i.e. FERC shouldn’t order a crash “compliance filing” to make this one change, before CIP-013 takes effect at all). I do think this could be considered for the next version, which of course would take effect 2-3 years from now (but see below).
  3. That before ordering that any other new systems be brought into scope (FERC suggested that Low impact BCS should be included in CIP-013, as well as Physical Access Control Systems and Protected Cyber Assets), FERC should wait for NERC to complete the study ordered by the Board of Trustees (due out this summer, I believe). I support that idea as well.

However, there was one set of NERC entity comments that stood out from all of the others: those were the comments submitted by the US Bureau of Reclamation. I don’t agree with most of what they said, but I thought their comments were quite interesting.

First, BoR says that CIP-013 should apply to all systems in scope for the current CIP standards (BCS, PCAs, PACS, EACMS, and Low impact BCS). To make up for this increase in scope, there should be a 24-month implementation period. This might sound like a fair trade-off (a scope extension for more time to implement it), except for the fact that I think NERC entities are going to want to have a say on this big extension of the scope. They can quite reasonably argue that they voted for a standard that applied to just Medium and High impact BES Cyber Systems – and they voted down the first draft in part because it applied to Lows. It is unfair to add Lows back to the scope without considering changes to the requirements themselves (the first draft had different requirements for Low BCS than for Mediums and Highs).

I think FERC would be understanding of this argument. But I really don’t see them just sending CIP-013-1 back to NERC (i.e. remanding it), then ordering NERC to draft and ballot new requirements as well as the scope increase and a 24-month implementation plan. That would effectively put off implementation of CIP-013 for another three years. FERC clearly wants to have a supply chain standard in effect as soon as possible. They may order NERC to expand the scope, but that would come in a new version to be drafted and balloted, not in an order for a quick and limited compliance filing.

BoR’s second recommendation is even more interesting, in that they rewrote CIP-013 R1. They suggest that R1 be rewritten to read:

Each Responsible Entity shall identify, assess, and mitigate cyber security risks resulting from (i) procuring vendor equipment and software; (ii) installing vendor equipment and software; and (iii) transitioning from one vendor to another by:
1.1. Receiving vendor notification of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
1.2. Coordinating responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
1.3. Receiving vendor notification when remote or onsite access should no longer be granted to vendor representatives;
1.4. Receiving vendor disclosure of known vulnerabilities related to the products or services provided to the Responsible Entity and steps to mitigate them;
1.5. Receiving vendor verification of the integrity and authenticity of all software and patches provided for use in the entity's BCS; and
1.6. Coordinating controls for (i) vendor-initiated Interactive Remote Access and (ii) system-to-system remote access with vendor(s).
Before I discuss this, I want to point out that BoR caught the obvious mistake in R1.1 that I also discovered as I was writing this post: that the drafting team left out the word “mitigate” in R1.1. This should be fixed in the next version of CIP-013, although everything else NERC has written and said about CIP-013 (and that FERC said in Order 829) points clearly to mitigation being the primary purpose of the standard; I think that will be enough to make CIP-013-1 enforceable with that implicit addition.

Let’s look at the first part of BoR’s R1 and compare it to CIP-013-1 R1. Note that BoR has taken out the entire “preamble” to the requirement – saying the entity needs to develop “one or more…plans…” I definitely don’t agree with this change. In my opinion, one of the chief virtues of CIP-013-1 R1 is that it is a plan-based requirement; I wish all the CIP requirements were also plan-based (although CIP-013 has other serious flaws, of course).

Now let’s look at R1.1 in the standard. It reads “One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).”

BoR has taken out the language requiring “One or more process(es) used in planning for the procurement of BES Cyber Systems…”, but essentially left the rest. I pointed out in this post that combining this language (what BoR took out) with the preceding language from the preamble to R1 leaves this redundant sentence: “The plan shall include one or more processes used in planning for the procurement…” So I would heartily endorse the idea of removing this language, as long as the preamble were left in place – but of course BoR didn’t do that.

Let’s move on. BoR essentially left the rest of R1.1 in place, namely “Each Responsible Entity shall identify, assess, and mitigate cyber security risks resulting from (i) procuring vendor equipment and software; (ii) installing vendor equipment and software; and (iii) transitioning from one vendor to another”. This is of course a good thing, since I don’t want to see R1.1 ignored. But then BoR added the word “by”, followed by the six items they number 1.1-1.6, which are of course just rewordings of R1.2.1-R1.2.6 in CIP-013-1 itself.
In this recent post, I pointed out that almost everything I’ve heard from NERC or the Regions about CIP-013 R1 seems to imply that R1.2 is the only part of R1 that matters; in other words, it seemed to me when I wrote that post that NERC might be intending to ignore R1.1 altogether, since auditing it will be problematic (although as I pointed out a few days later, that concern may be overblown). So am I happy that BoR left the important part of R1.1 in place?
No, I’m not. Because look at what they did by adding “by”, followed by the six items from R1.2 in the original standard. They are in effect saying “You need to identify, assess and mitigate supply chain risks, and you do this by doing the six things below.” In other words, as long as you’ve done the six things, you’ve also done all of your risk identification and mitigation. Of course, this doesn’t make sense, since all you’ve done is implement the six things, not identify or mitigate any other risks. In other words, there is no point in having the initial paragraph in BoR’s R1. It could just list the six things in 1.1-1.6 and there would be no change in meaning.

So in rewriting R1 as they did above, BoR seems to be firmly on the side of those who think that R1.2 is the whole of the requirement, and R1.1 can be ignored. Of course, this may ultimately be how CIP-013 R1 is interpreted, by both NERC and the auditors. We’ll need to wait and see about that. In any case, I found BoR’s comments on CIP-013 to be very interesting, and I commend them for making them.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. To discuss this, you can email me at the same address or call me at 312-515-8996.

[i] I read the NERC entity comments myself, and I agree that it was amazing how uniform they were, with one exception discussed below.
