Running a business is no easy feat: it takes courage, investment, planning, and resources. The ease and success of your journey down the I-95 business corridor changes over time. Your success may depend on your adaptability to threats you encounter along the way. In the context of your business, that might include:

When you hit the road, the choice is yours as to whether or not you take the bus and transfer the risk to someone who helps drive your implementation, or whether you take the wheel yourself and drive. If you choose the latter, your vehicle options may range from a new BMW M850 to a Toyota Camry, or you may be slightly more limited to a 1995 Tercel.

In any case, understanding the parameters you are working within is paramount if you want to stay on the road to success. If you don’t, you can’t build your garage, buy insurance, license your vehicle, service your vehicle with the right parts, or have confidence that when a new vehicle is needed, there is one available at that time.

In business terms this equates to:

• Knowing that the people you do business with are reliable and trustworthy.
• Having confidence that products you have deployed or are utilizing have appropriate security protections​ such as access controls, network segmentation, continuous monitoring, physical fencing, and a safe work environment.
• Understanding whether you can rebound from disruptions in inventory unavailability and restore your operations with spare stock ​or through partner relationships.
• Controlling costs by forecasting inventory availability​ and buying when pricing is appropriate.
• Gaining insights ​about the stability and sufficiency of your people, processes, technology, or information/data assets so that your resources continue to function throughout their necessary lifecycle.
• Being confident that legal/regulatory obligations are met for your in-scope assets (HIPAA, NERC CIP, Data Privacy, etc.).
• Having the information necessary to timely assess emerging threats, and mitigate associated risks and vulnerabilities to that which the entity has implemented and must reliably operate.

How many discrete inventories does an entity within our industry really have? How many different systems (or tools, like Excel) are they managed in – if they are managed at all? What data is common across those inventories? Is that data correct and in-sync?  If not, how would you know?

The importance of keeping an inventory of company practices may not always be understood, especially if those inventories are not recognized by those who create or maintain them. Some might think they are just maintaining a ‘list’ and it may require a new perspective to change that mindset so these ‘lists’ are viewed in the light necessary to drive success. A registered entity may support day-to-day operational activities/compliance tasks with various ‘lists,’ a few of which might be):

• Industry assets (control centers, substations, generation stations, etc.)
• BES facilities
• Critical Infrastructure Protection (CIP) classification and impact rating of sites and cyber systems/assets

Building and maintaining these ‘lists’ relies on other ‘lists’ that are more transactional in nature, such as:

• Suppliers (goods or services)
• Legal contracts to procure goods or services
• Requisitions and procurements
• Goods received/services rendered

All of these ‘lists’ might look familiar, and those responsible for operating and securing the grid (as well as maintaining compliance with Reliability Standards) might quickly recognize these are not just ‘lists’ with one column of data. Rather, they are interrelated inventories that rely on each other because each list item contains important attributes or related information that drives day-to-day decision-making when executing tasks. What may be worthy of further consideration is to treat them as inventories, especially if that information also drives key business decisions, or can be used to:

• assess threats/vulnerabilities and mitigate risk
• measure performance
• identify patterns
• demonstrate compliance
• provide reasonable assurance of security and reliability, etc.

It is essential to take inventory of your inventories so you know what to collect and manage – in doing so, you may begin to view the information about your assets more holistically – and identify the interrelatedness of the processes and information and the data integral to downstream steps.

By shining the headlights on imperative data, one can visualize how this information must be carried through discrete processes in a synchronized and repeatable manner, preferably from authoritative sources to dependent systems. The upfront investment to accomplish this fosters long-term effectiveness and efficiency in execution. The more reliable the data and quality controls, the more users of the information can focus on task execution, as opposed to time wasted revalidating that upstream processes resulted in timely and dependable data.

For context, what could a good inventory system look like? If you have an established relationship with a supplier that ships goods, you could have a process that looks like this:

But there is risk at each stage. For example:

• Goods are delivered
  • What if they aren’t available? (supply chain risk)
  • What if they do not meet quality standards? (supply chain risk)
  • What if they never make it to you or the business no longer supports the goods? (supply chain risk)
  • What if they have been tampered with? (security/regulatory/legal risk)
• Goods are reviewed, sorted, and stored
  • What if they don’t align with your technology portfolio standards and require extra work? (IT risk)
  • What if they aren’t the right product? (supply chain/legal risk)
• Inventory is monitored
  • Between the time that you receive and use the goods, is it still available or has it been taken or tampered with?

Knowing your inventory helps you understand your risk. If we look at common frameworks and maturity models, they prioritize these similarly. For example:

• NIST CSF: the first function and category are identify: asset management – because you cannot secure what you don’t know exists.
• CIS Critical Security Controls (v8): the first three critical controls are
  • Inventory and control enterprise assets
  • Inventory and control software assets
  • Data protection (inclusive of inventory)
• Energy Sector Cyber Capability Maturity Model (ES-C2M2): Assesses your ability to inventory risks, assets, changes, threats/vulnerabilities, workforce, internal/external information sharing relationships, and more.

No matter which inventory, each is foundational, and because the quality of output is determined by the quality of input, the completeness, accuracy, and timeliness of each step is key. Here are the benefits:

• It breeds confidence in data, which in turn increases effectiveness and efficiency gains for those executing day-to-day tasks.
• Assessing and connecting inventories highlights opportunities to identify authoritative sources and system integration vs. time spent on manual transfer/replication of data and associated human performance error.
• It leads to process/system consolidation and standardization, which enables cross functional (or even enterprise) alignment.
• With fewer systems to manage and single authoritative sources for data entry, it positions entities for greater success in designing effective internal controls with repeatable testing cadences for reasonable assurance of inventory integrity, and the design effectiveness of controls.
• Repeatable assurance methods that detect data delays, synchronization, or quality issues enable continuous improvement; and over time they create a road map for the maturity of processes and supporting technology.
• A succinct set of quality inventories enables data analytics for the assessment of an entity’s conformance with processes, and the ability to trace assets through their lifecycle to assess return on investment.
• Complete and dependable data enables timely threat response, effective vulnerability assessment, and risk mitigation/management. This in turn may prevent compromise and the associated negative outcomes.

You cannot manage what you don’t know you have.

Similarly, in an environment with a rapidly changing threat landscape, you cannot assess your risk as vulnerabilities/threats emerge without knowing what you have. If you want to avoid pedaling through uncertain terrain and have a comfortable drive on your way to success, take the wheel on inventory management to make sure you are headed in the right direction.

– The following authors are from American Transmission Company: Corey Young, Lead Compliance Strategist & CIP Senior Manager; Benny Akowuah, Manager, Technology Audit & GRC Program; and Sharon Koller, Lead Compliance Strategist & CIP Senior Manager

ARTICLE DISCLAIMER

MRO is committed to providing non-binding guidance to industry stakeholders on important industry topics. Subject matter experts from MRO’s organizational groups have authored some of the articles in this publication, and the opinion and views expressed in these articles are those of the author(s) and do not necessarily represent the opinions and views of MRO.