The revised NERC CIP-013 draft standards for Cyber Security Supply Chain Risk Management appear to be on course to meet FERC’s deadline. However, FERC itself appears to be in transition, with Acting Chair Cheryl LaFleur as the lone commissioner. Nominations for commissioners and confirmation dates are unclear at this time (as is the climate for increased regulation).
LaFleur wrote the dissenting opinion on the commission’s decision to proceed to a final rule last July. In reviewing the comments associated with the CIP-013 second ballot, it seems some of LaFleur’s concerns have come home to roost. “The Commission is issuing a general directive in the Final Rule, in the hope that the standards team will do what the Commission clearly could not do: translate general supply chain concerns into a clear, auditable, and enforceable standard within the framework of section 215 of the Federal Power Act.”
Clear? The standards drafting team has been asked to clarify terms as basic as “Vendor” and as abstract as “System to System Remote Access”. For instance: when is a contractor a vendor? Should vendors of electronic access points, associated protected cyber assets, and the requisite operating systems be in scope? Does system-to-system remote access include “read-only” access? Is the intent to include all connections in and out of the NERC CIP-005-6 Electronic Security Perimeter? Clarity on these topics is critical for us to provide services and develop products with system-to-system communication, such as PI Connectors.
Auditable? CIP-013 interpretation depends largely on the Implementation Guidance document. However, there is little assurance that this separate document will be adopted by NERC and all regions. Furthermore, additional examples of acceptable evidence should be provided. For instance, what evidence is acceptable when there is no method available to verify the identity of the software source?
Enforceable? Enforceability of CIP-013 is a hot topic. NERC CIP maven Tom Alrich’s blog has featured several recent articles on the subject. Spoiler alert: ‘unenforceable’ is trending.
OSIsoft comments on the revised standard
The ‘NotPetya’ worm reminds us, again, that cyber security supply chain risk is real and can be particularly devastating. In this case, the updater for M.E. Doc tax software, a popular and widely distributed package in Ukraine, sent the worm on its destructive mission.
The procurement aspects of CIP-013 are complex and flawed. Let’s face it: contract terms are far removed from critical grid operations and thus unlikely to drive change at the pace that is needed. For the moment, I believe FERC should drop CIP-013 and focus on clarifications in supply chain updates to Electronic Security Perimeters (CIP-005-6) and Configuration Change Management and Vulnerability Assessments (CIP-010-3).
FERC should seek additional outreach with the Industrial Control System ecosystem. This effort should be part of a larger cross-sector approach. Perhaps Mark Holman of PJM Interconnection says it best:
“In order for supply chain risks to be substantially mitigated it will require broader cross sector engagement, broad government engagement and a significant shift in how vendors and service providers deliver products and services. Broader engagement is also required to ensure an equitable allocation of liabilities and costs.”
In the meantime, closing protection gaps in the security perimeter and bolstering change management to better address supply chain risk should be a priority across the industry. We can best advance critical infrastructure protection objectives through collaboration. Part of that involves clear communication about software supply chain risk, which is a focus of our Ethical Disclosure policy. Perhaps there is a silver lining for voluntary approaches!