A former vendor's take on CIP-013 Supply Chain Risk Management

After being pushed back 3 months due to teams in forced isolation due to global pandemic, owner/operators that participate in the North American grid were first under obligations to comply to what was to be one of the first ‘risk based’ objective requirements of CIP13 (Supply Chain Risk Management).  October 1, 2020, came and went without much of the fanfare or doom that many pundits in the industry had claimed, but our attentions seemed to dwell on other forms of risk posed by those in our immediate circles of trust.  

In the beginning, no task was too outlandish, and no level of verification was sufficient. Everyone was suspect. From our understanding, one misstep meant complete and total compromise. While there were some exceptions, people treated the issue with the same level of seriousness of communal well-being. Early outbreaks were met with empathy mixed with a twinge of ridicule.  Inevitably, most social circles experienced some level of impact.  Expert-suggested mitigations were adjusted several times. Eventually, groups found balancing generic guidance with peer lessons-learned helped in their daily risk decision making so that life could return to what could constitute the new normal.  

Obvious parallels can be made between handling of pandemic and supply chain.  Both came with a near paralyzing fear of those outside of your bubble. Overnight, there was a myriad of methods to demonstrate to others how seriously you took your and their well-being. No one seemed to ask if this was effective nor why this wasn’t completed prior to the event. Would it continue to occur? How long has it been occurring?  These are industry recognized/suggested mitigations. Why aren’t you always doing these? Show me the receipts.  

Before I go too far down the rant hole, I need to step back and talk about where I and we got to here. 

  

I spent the better part of my ICS life as a vendor. I also spent a good portion of my time on the other side of NERC CIP compliance.  I started my journey alongside my customers from just before the Mike Assante letter telling the North American generation fleets that compliance is no longer a suggestion. 

The NERC CIP mandates were built from events that transpired in the 2000s both manmade and theoretical (at the time).  Policy makers looked at several parts of our society and deemed 16 critical. However, when someone mentions critical infrastructure, power generation seems to unfairly garner the most mindshare in both the general public and elected officials.  Perhaps because everyone has felt the impact of a power outage and the helplessness it may cause if the outage could stretch for weeks from the faceless malicious cyber-attack.    

Like most mandates, momentum can often be traced back for years to see where the idea may have started.  There are NIST workshops posted in 2012 that translated into efforts to alter the Department of Defense Federal Acquisition Regulation (DFAR) in 2015/2016.  It is certainly non-coincidental in timing spring of 2016 FERC questioned why Supply Chain isn’t being addressed in the yet-to-be-approved CIP updates that had languished in committees for years.   

Like all NERC requirements, CIP13 started with a FERC push down to NERC with a few loaded requests that turn into an order to make a new requirement.  However, don’t take years like the last ones did. You have a deadline, and here are some items we want to see in it.  This one was to be one of the first with only a few suggested objectives, but generally open ended because one of the primary complaints about NERC compliance was that it was too prescriptive leading to gaming the system and constant thrashing/updating of the requirements.  This is also an issue with other mandates/regimes like NIST800 or ISO/IEC.  Constant updates are needed to move the documents forward at the same rate technology is flowing.  Teams would only need to build a plan based on current threats and how their environment is engineered.  This all sounds very reasonable and flexible. Right?  

Feedback during the accelerated drafting process echoed themes from the initial DFAR introductions. Those subject to enforcement complained they were unfairly targeted for systems/people/decisions out of their control. Vendors tried to find ways blanketly to assure customers they are fine, while descoping any obligation on individual projects. Policy makers argued that the effort involved shouldn’t be any more significant as most organizations were undertaking these assurance steps.  It should be just a matter of getting your homework checked by your trusted partners.   

Much like the DFARs, no amount of complaining was going to get this to stop.  There were 3 high level goals to achieve: Name a person in charge of Plan; Make a plan (that includes at least 6 objectives FERC identified as important in 2016); and review your plan every 15 months.  Teams had an opportunity to really look at where they were getting their products and services from.  Who were their trusted partners and sources?  Looking back at NIST presentations or even the 6 FERC requirements, there were themes of counterfeiting, abuse of trusted or no longer necessary connections, and an overall lack of awareness by the purchaser.   

What resulted from the efforts around CIP13, was a general push towards straight to the supply chain teams who largely were understaffed to begin with and were more apt to lean on legal wrangling or hard negotiation tactics than nuance.  Both the purchaser and vendor are extremely incentivized to make the process as streamlined as possible which forces a need for non-reviewable certifications/checklists/pamphlets that only satisfy the most lackadaisical compliance audit person.

  

Gone is any real benefit to any protections this was to bring about. We are establishing a legal blame shifting that will only play out significantly after the compromise has come and gone.  I think it should come to no surprise that I think no level of questionnaire or checklist is sufficient. I certainly think that a 400 question one is absolutely a waste of both parties and the billable time to review, and answer should be sent to the ones that created it.  I also find it amusing that the same people who call for a government certification for supply chain would scoff at compliance equaling security. Let’s just say what we are asking for, a simple thumbs up by someone else so you don’t have to work, which is what these central databases are trying to sell you.   

 I appreciate that you can question your partners they have security, but any organization of any size can only answer half-truths that are snapshots in time. It is your responsibility as a protector of your environment to assume failure and how you might protect yourself. What are you doing to review what you are receiving? Are your people making good decisions?  

I could go on longer, but this is more than enough.  I must sign off on a whole building of equipment being operated by a team of people I never met in a country I will never travel to, is free from all vulnerabilities.  

  

References 

Featured Posts