Thursday, February 14, 2013

CIP Version 5: The Order 761 Problem

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

NERC’s recent filing of CIP Version 5 had to accomplish a number of objectives.  One of the most important was to explain to FERC that NERC has complied with the directives for Version 5 that FERC gave in Order 761, issued last April.  Indeed, the filing devotes ten pages to explaining why Version 5 does meet these directives.[i]  Is this really the case?

I bring this up because NERC is obviously counting very heavily on FERC’s approving Version 5 very quickly (given their repeated appeals to FERC in the filing to do so).  A lot of NERC entities are putting off Version 4 compliance activities - which need to be finished by April 1, 2014 - in the hope that Version 5 will be approved before that date and thus supersede Version 4.  If there is a substantial question whether NERC has in fact satisfied FERC’s directives in V5, this doesn’t bode well for speedy FERC approval, and therefore for the idea that Version 4 will be bypassed.

Here are the specific FERC directives that NERC discusses in the filing (the page references are from the filing), as well as my opinion on whether or not NERC has addressed each directive:

“Application of NIST Risk Management Framework” (Section V part b, pp. 31-34) – In NERC’s words, Order 761 “urged NERC to review relevant NIST standards for guidance in developing effective cybersecurity standards for the electric industry.”  NERC’s discussion of how they have done this seems to be primarily a justification of the “identify, assess and correct” approach used in 17 CIP standards (which may or may not have anything to do with FERC’s directive).  I discussed that issue in a separate post.  However, my guess is FERC is going to give NERC a pass on this one; I agree they have probably addressed this directive as much as reasonably possible.

“Regional Perspective” (Section V part c, pp. 35-37) - In paragraphs 101 to 104 of Order 761, FERC points out that in Order 706 they said there was a need for NERC or the Regional Entities to be able to designate Critical Assets, when for whatever reason a NERC entity didn’t do that in the case of a clearly critical asset.  They go on to agree with commenters that there is less of a need for this because of implementation of the bright-line criteria in Version 5 (versus the RBAM in Versions 1-3, which gave the Registered Entity substantial discretion in designating Critical Assets).

However, they state that they still see the need for a “limited” capability for NERC or the Region to designate a facility as critical when the criteria for whatever reason don’t make it so (of course, since we’re talking about CIP Version 5, you should substitute “Medium or High impact BES Facility” for “Critical Asset” in this whole discussion.  FERC had to say “Critical Asset” since Version 5 hadn’t been presented to them last April).  This is a pretty clear directive to NERC.

In the filing, how does NERC say they have met this directive?  They at first act as if only the first two sentences of the above paragraph were applicable: i.e. they “agree” with FERC that the bright-line criteria in CIP Version 5 obviate the need for any external review of Critical Asset designation.   Is this true?  I certainly don’t think so.  As I have argued elsewhere, the so-called bright lines are hardly bright; they will need a lot of interpretation (and this isn’t because of the particular criteria included in Version 5.  In an industry as diverse and fragmented as electric power, any criteria would require a lot of interpretation).  I think both FERC and NERC are being naïve here.

However, FERC goes on to say (paragraph 103 of Order 761) that, even with bright-line criteria, there will still be the need for regional or NERC review.  How does NERC address this?  They point out that the Rules of Procedure allow them, if need be, to issue Recommendations and Essential Actions.  They say, “NERC can use Level 2 Recommendations and Level 3 Essential Actions to address assets that NERC and Regional Entities later determine should be treated as a higher impact level than would otherwise be categorized under the CIP Version 5 impact criteria.”

Will this statement satisfy FERC that there is no need for any other review of designation of High and Medium impact BES facilities?  I really don’t think so.  The point of Recommendations and Essential Actions is that they apply to all NERC entities.  They would have to be worded as clarifications to the bright-line criteria, saying something like “Notwithstanding anything in Attachment 1 of CIP-002-4, if you have a facility that meets… (a certain description), it needs to be a High (or Medium) impact BES Facility.” 

Why is this not enough?  Because FERC wants NERC and the Regional Entities to be able to designate particular facilities (plant X, substation Y) as High or Medium impact.  But NERC is saying they have the ability to essentially require that all facilities that meet a particular description should be High or Medium; isn’t that better than designating one particular facility?  In my opinion, the answer to that is no.  There are a lot of particular reasons why one – say – generating station might be deemed Medium impact (of course, no gen station can be a High) while a seemingly similar station in a different location might not be considered such.  If a general rule is issued by NERC, the entities will always disagree with whether it applies to their particular facility or not (after all, we’re talking about a lot of money here!).

There is another reason why I think FERC won’t be satisfied with NERC’s answer.  They want both NERC and the Regional Entities to be able to designate High and Medium impact facilities.  As far as I know, the Regional Entities can’t issue Recommendations or Essential Actions.  So they would be precluded from doing this, if NERC has its way.  Bottom line: I don’t think FERC is going to agree that NERC has met their Order 761 directive to have NERC or the Regions be able to designate High or Medium impact BES Facilities (“Critical Assets”).

“Connectivity (1)” (Section V part d, pp. 37-39) – In the section entitled “Connectivity” in the Version 5 filing, NERC actually addresses three separate issues that had been raised by FERC in Order 761.  I will discuss these separately, since I think FERC will judge NERC’s response differently in the three cases.

The first of the three connectivity issues is that of impact of the cyber system.  Specifically, FERC says (in paragraphs 52 and 88) that connectivity of the facility, at which the cyber system is located, with other BES facilities should be considered in classifying the cyber system.  What this means for Version 5 is that connectivity of the BES facility (and therefore of the BES Cyber Systems associated with it) should be used to determine whether it is High, Medium or Low impact.

In practice, what FERC is talking about here are control centers – they’re saying they should all be classified as High or Medium impact.  CIP Version 5 does make an effort to include more control centers than Version 4 did – that is, include them as High or Medium impact.   So I think NERC has addressed this particular concern of FERC’s.[ii]

“Connectivity (2)” (Section V part d, pp. 39-40) – The second connectivity issue that FERC raised has to do with Mutual Distrust (no, this doesn’t refer to the relationship between FERC and NERC.  FERC says Mutual Distrust denotes “how ‘outside world’ systems are treated by those inside the control system.”[iii])  While I don’t agree with NERC’s reasoning in this case[iv], I do agree that Version 5 has incorporated the principle of Mutual Distrust.

“Connectivity (3)” (Section V part d, pp. 40-41) – In paragraph 87 of Order 761, FERC said “we support the concept of applying electronic security perimeter protections ‘of some form’ to all bulk electric system cyber systems.”  NERC does cite this quotation (although not all of it), but then somehow connects it to Mutual Distrust.

It really has nothing to do with Mutual Distrust.  FERC is saying that they want to see every BES cyber system enclosed within an ESP – whether it’s High, Medium or Low impact.  Does Version 5 do this?  NERC says yes, citing CIP-003-5 R2, which states that, for Low impact BES Cyber Systems, the entity must implement “cyber security policies that collectively address the following topics…”  Those topics include “Electronic access controls for external routable protocol connections and Dial-up Connectivity.”    

Does this amount to a requirement that Low impact BES Cyber Systems be enclosed in an ESP?  I don’t believe it does, but let’s concede the point for the moment.  How will NERC audit to ensure that all BES Cyber Systems are within an ESP?  FERC is going to want this “requirement” to be auditable.

The problem is that CIP-003-5 R2 concludes by saying “An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required.”  When the auditor comes around and wants proof that all of the Low impact BES Cyber Systems are in an ESP, how will the entity ever be able to provide that?  They may point to a few systems and show they’re in the ESP.  But they can never prove that all of them are in the ESP unless they have a list of what they all are. 

I will point out that I had a couple of long arguments with the Standards Drafting Team about exactly this point - that of auditability - last year, to no avail.  They had their good reasons of course, but the fact is that, had V5 required NERC entities to inventory their Low impact BES Cyber Systems, it would never have passed the NERC ballot (many entities believe that the task of inventorying all of their BES cyber assets would be a monumental one.  I’m sure this would be the case for at least some of them).  The SDT was between the proverbial rock and a hard place, and since they had to get Version 5 out the door, they in essence kicked the problem upstairs to FERC.  They in effect said, “This is too political a problem for us to solve on this level.  If you decide you need to impose this on your own, go ahead[v].”  (Of course, this is all my interpretation.  Nobody on the SDT would agree with this.)  So I think this is the second case in which FERC will conclude that NERC has not met a directive in Order 761.

Now to my conclusion: There are at least two cases in which it seems likely FERC will conclude that NERC has not met its directives for CIP Version 5[vi].  This doesn’t mean they’ll simply disapprove it – most likely, they’ll conditionally approve it and also require a compliance filing (in something like 90 days) to correct the deficiencies (as was done when FERC approved CIP Version 2 but required a new filing in 90 days to include a new requirement). 

However, this does mean that any hope that FERC will approve Version 5 before April 1, 2014 (and thus bypass Version 4) is forlorn at best[vii].  All of this will require a lot of time for FERC to address.  You had better not build your CIP compliance strategy on the hope that Version 4 will be bypassed by Version 5, Mr./Ms. NERC Entity.

[i] In Order 761, FERC was clear that any directives they gave for Version 5 were merely restatements of directives in Order 706 (issued in January 2008).  Of course, there were a lot of directives in 706!  Order 761 presumably repeated the ones that FERC was most concerned about.
[ii] An Interested Party has added this note: “The question is, are there any ICCP or other cyber systems connected to a control center from other than another control center that fall through the cracks?  These interconnected systems communicate over trusted paths that can be exploited.  The trusted path generally defeats the mutual distrust that otherwise is protecting the BES Cyber Systems and is one of the reasons the jump host for interactive access has to sit in a DMZ outside of the ESP.”  I agree this is a legitimate concern, but I still think NERC has addressed FERC’s directive in this case.
[iii] The use of “control system” here is unfortunate.  I think FERC means something like “inside the control network”.
[iv] In explaining why they have incorporated Mutual Distrust in CIP Version 5, NERC essentially assumes that their argument in what I call “Connectivity (3)” is correct.  As I say in that section, I don’t believe their argument is correct. 
[v] I believe this is also the reason why the SDT didn’t address the FERC directive to allow NERC or Regional designation of High or Medium BES Facilities.  They knew it would kill the chances of passing Version 5.
[vi] There are other reasons why I believe FERC will want to amend Version 5.  See this post for more on that.
[vii] And there are other reasons – besides the likelihood that FERC will require changes – that make it very unlikely Version 5 will sail through approval.  See this post for more on that.
