NERC CIP Supply Chain Survey Results: The Pain Points

Image credit: FERC

By Richard Brooks, Co-Founder and Lead Software Engineer, Reliable Energy Analytics LLC

Dick Brooks is the inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software...

Mar 4, 2022

I recently had the opportunity to research the NERC Supply Chain Working Group's survey results on the NERC CIP Supply Chain standards. The survey questions were comprehensive and aimed at understanding the level of uptake in implementing the standards and any issues that may be preventing a party from implementing them. I commend the Supply Chain Working Group for sharing the survey results with the public.

This article highlights some of the key findings and, more importantly, the pain points identified by survey respondents. Clearly, NERC's "Doctrine of Auditor Independence" is preventing parties from receiving the guidance they need to properly implement solutions for the NERC CIP Supply Chain Standards. Several respondents reported uncertainty about how to comply with the Supply Chain Standards due to a lack of guidance.

If NERC is unable or unwilling to provide jurisdictional entities with the guidance they need, then it is incumbent upon NERC either to retire the "Doctrine of Auditor Independence" for cybersecurity standards so that NERC itself can provide the needed guidance, or to host an open forum where supply chain solutions can be presented objectively, so that all jurisdictional entities can see what is available to support their needs regarding the NERC Supply Chain Standards. I have personally seen the "open forum" approach used by NAESB to effectively inform industry of solutions available to satisfy NAESB standards requirements.

One survey response in particular shines a spotlight on the issue described above: "The supply chain requirements as written are reasonable. It's the audit oversight piece that has everyone worried."

Survey respondents expressed concern about not knowing "auditor expectations" with regard to the methods, processes and evidence needed to satisfy NERC CIP Supply Chain Standards compliance requirements. This is understandable: NERC does not provide the type of guidance survey respondents are requesting, largely because of NERC's committed adherence to the "Doctrine of Auditor Independence". There is a virtual ocean of cybersecurity guidance available from numerous sources, which makes it difficult for NERC jurisdictional entities to know which guidance to follow; that uncertainty is the source of the concern over audit oversight expectations that has everyone worried. The following pain points were identified in the survey results:

  • SCRM process is labor intensive
  • Business benefit of SCRM process is unclear
  • SCRM process looks good on paper but accomplishes little in real life
  • Vendor cooperation is mixed
  • Vendors have expressed concerns over receiving multiple questionnaires in multiple formats
  • Vendors refuse to provide some information needed to conduct an SCRM assessment
  • Lack of a centralized database of vetted, certified products and vendors to choose from requires each entity to conduct its own risk assessment

NERC could help the industry address these pain points and provide the guidance needed to implement supply chain risk management protections that satisfy the NERC CIP Supply Chain requirements. Doing so would require NERC either to forgo the "Doctrine of Auditor Independence" and provide the guidance industry seeks, or to host an open forum where supply chain vendors can present their solutions objectively, so that all jurisdictional entities and NERC auditors can see what is available to satisfy the NERC Supply Chain requirements. The open forum approach has been used successfully by NAESB to inform industry of solutions available to satisfy NAESB standards requirements, without compromising its independence as an ANSI standards development organization.
