All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.
Note: This post turned out to be the first in a series of four posts in which I complained bitterly about the very imprecise wording in CIP-002-5 - and ended up writing my own "fantasy" version. The next step in this tetralogy is here.
Oct. 7: I started another series of posts today, on how NERC entities could get through the CIP-002-5 ambiguities discussed in this and subsequent posts, in order to actually identify cyber assets in scope for CIP Version 5 (since I'm assuming FERC won't order that standard be rewritten, when it approves Version 5 in the near future). You can see the first of that series here.
A funny thing happened on the way to this blog post. After FERC’s NOPR on April 18, I decided I should do a series of blog posts that really tear into the details of CIP Version 5 – since very few people other than the SDT members can probably give you a good accounting of what is in there, and since a large number of NERC entities (many more than with the previous versions) will be facing CIP compliance under V5. I started with CIP-002-5, which – as in the previous CIP versions – is where the entity identifies which of its cyber assets (if any) are subject to the remaining standards.
Now, I knew already that the wording of the requirements in CIP-002-5 was not the best. However, I believed it was at least unambiguous, so that some clarification would help my readers understand what was at stake as they start to gear up their CIP V5 programs (if they haven’t already, since I know some have). I had followed and written about the development of V5 for almost three years. I certainly thought I knew what wording was in that standard now, and that it was adequate for the purpose, although somewhat rough.
So I pored over CIP-002-5 and started writing my post on it. As I did so, I finally came to the conclusion that there are some serious problems in the wording of this standard! I believe they will prove to be a big obstacle to doing workable and fair audits when the time for auditing rolls around. I don’t think the current wording is completely unworkable[i] (as I did with the first draft of CIP-002-5 in 2011), but I do think that it needs to be substantially rewritten. Fortunately, there will be a chance to do this since a new CIP version will have to be drafted and approved to make the modifications that FERC will require. There are two areas in which I think the wording needs to be substantially changed.[ii]
I. Facilities/Assets
I have been telling people for some time that the fundamental concept in V5 is that of a BES “Facility”, and this corresponds to an “asset” in Versions 1-4. In V5, you identify high, medium and low impact BES facilities, while in V1-4 you identify Critical Assets. In both cases, you then go on to identify the cyber assets that are in scope, that are associated with those BES Facilities/Critical Assets.
So I started working down through the wording of CIP-002-5 (and this was the first time in more than a year that I’d gone through it in detail). I nodded my head when I read Section 4.2, which identifies “Facilities, systems and equipment” that are subject to the V5 standards. And I further nodded my head when I read the Guidelines paragraph on page 17 that provides a very good justification for the use of the term “BES Facilities”.
I then came to the actual requirements; there are only two of these, and R1 is the one where you would expect to see Facilities come into play. But guess what? “Facilities” aren’t mentioned at all in CIP-002-5 R1. Here is the first part of the requirement:
Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3:
i.Control Centers and backup Control Centers;
ii.Transmission stations and substations;
iii.Generation resources;
iv.Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
v.Special Protection Systems that support the reliable operation of the Bulk Electric System; and
vi.For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.
Facilities have disappeared off the face of the earth, and it’s an undefined term called “assets” that is now the whole basis for CIP V5.[iii] There is some explanation in the Guidelines section (page 17):
For the purpose of identifying groups of Facilities, systems, and equipment, whether by location or otherwise, the Responsible Entity identifies assets as described in Requirement R1 of CIP-002-5. This is a process familiar to Responsible Entities that have to comply with versions 1, 2, 3, and 4 of the CIP standards for Critical Assets. As in versions 1, 2, 3, and 4, Responsible Entities may use substations, generation plants, and Control Centers at single site locations as identifiers of these groups of Facilities, systems, and equipment.
So it seems that, in order to identify “Facilities”[iv] subject to V5, the entity instead identifies “assets”. Then why didn’t Section 4.2 just refer to assets, not facilities?
I think I know the answer to this question. Go to the “Guidelines and Technical Basis” section, page 23. At the end of the first bullet point on that page you’ll find this:
..an identified BES asset may be a named substation, generating plant, or Control Center. Responsible Entities have flexibility in how they group Facilities, systems, and equipment at a location.
As we suspected (see end note iii), an “asset” is defined as one of the six things identified with lower-case Roman numerals in R1. However, we still don’t know why Section 4.2 goes through all the trouble of discussing Facilities if you actually have to consider “assets” not Facilities in Attachment 1 (and a new term has been introduced - "location". How does that relate to assets and Facilities?). If we go to the top of the same paragraph, we read:
When the drafting team uses the term “Facilities”, there is some latitude to Responsible Entities to determine included Facilities. The term Facility is defined in the NERC Glossary of Terms as “A set of electrical equipment that operates as a single Bulk Electric System Element (e.g., a line, a generator, a shunt compensator, transformer, etc.).” In most cases, the criteria refer to a group of Facilities in a given location that supports the reliable operation of the BES. For example, for Transmission assets, the substation may be designated as the group of Facilities. However, in a substation that includes equipment that supports BES operations along with equipment that only supports Distribution operations, the Responsible Entity may be better served to consider only the group of Facilities that supports BES operation.
The SDT is making the point that, at least in the case of substations, an “Asset” isn’t the same as a “Facility”. This has real consequences, since many substations have both transmission (i.e. BES) elements and distribution elements. The latter aren’t usually subject to CIP at all; the former are. So by saying that there can be multiple “Facilities” at the substation (and this is consonant with the NERC Glossary definition of Facility that is cited in this quotation), the SDT is saying that the entity should be able to just take the transmission facility or facilities separately from the rest of the substation, then run them through the Attachment 1 criteria to see if they end up being Medium impact.[v]
Great, now we understand what they meant. There’s only one problem: R1 is what directs the entity to use Attachment 1, and R1 doesn’t mention “Facilities”, just assets! In fact, if you look at the six different types of assets listed in R1, only “substations” are mentioned, not “transmission Facilities at substations” or something like that.
So an entity with a combined transmission/distribution substation would have to take the whole substation asset through Attachment 1, not just the transmission Facility. When they come to the criteria that deal with substations (2.4, 2.5, 2.7, and 2.8), they would…well, what would they do? They might just skip those criteria altogether, since they all apply to “Transmission facilities” not an “asset” called a “substation”; therefore, no match. Or they might feel that they have to consider the entire substation as a transmission facility, so they wouldn’t be able to separate out the distribution elements; this will obviously result in much higher compliance costs. Or they might simply ignore the actual wording and just do what the SDT clearly intended for them to do: classify the transmission elements as a medium impact facility (if they meet one of the criteria), not the whole substation; hopefully, the auditors will also ignore the actual wording.
The paragraph I just cited above continues:
In that case, the Responsible Entity may designate the group of Facilities by location, with qualifications on the group of Facilities that supports reliable operation of the BES, as the Facilities that are subject to the criteria for categorization of BES Cyber Systems. Generation Facilities are separately discussed in the Generation section below. In CIP-002-5, these groups of Facilities, systems, and equipment are sometimes designated as BES assets.
Now we have a new category: a “group of Facilities by location”. In the case of our substation, the transmission sub-group of BES facilities is what would be medium impact. I believe that “group of Facilities by location” means the same as “Asset” in R1 (in fact, the last sentence above seems to imply that, although it doesn’t say that the two are interchangeable). Why not just say this explicitly in R1?
So there are some real ambiguities here, regarding the Facilities/Groups of Facilities/Assets/Whatever with which cyber assets are associated. If none of this language is changed, will it be the end of the world as we know it? No. I imagine the Regional Entities or someone else would issue some clarifying language (although I guess it won’t be a CAN, since they’re on their way out. Maybe there would be an RFI). But I think cleaning up this wording is very important (in fact, as you read through the second part of this post and especially some of the footnotes, you’ll see that the more serious problems discussed there are closely tied to the Facilities/Assets problem).
I would suggest changing the language in R1 to say in effect that
1. An Asset is defined as a group of Facilities at a single location (or maybe even drop the term ‘asset’ altogether and just say that the entity has to consider each ‘group of Facilities’ for sub-requirements 1.1 through 1.3).
2. Here are six examples of assets (i through vi in the current R1).
Phew. Now on to the bigger problem.
II. Cyber Asset Classification
When you look at CIP-002-5 and compare it to CIP-002-3, you will notice that it has just two requirements, not four as in CIP-002-3. Since the last requirement in each standard is for the “annual” review, this means that R1 of CIP-002-5 does what R1, R2 and R3 of CIP-002-3 do. Is this a marvel of concise language? I’ll admit the language is concise, but I won’t say it’s marvelous. Here is the requirement as it now reads:
Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3:
i.Control Centers and backup Control Centers;
ii.Transmission stations and substations;
iii.Generation resources;
iv.Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
v.Special Protection Systems that support the reliable operation of the Bulk Electric System; and
vi.For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.
1.1. Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;
1.2. Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset; and
1.3. Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).
Let’s follow down through this as if we were reading it for the first time, trying to figure out what we need to do to comply. Here are the steps I believe this requirement is asking us to take:
1. We “implement a process” to “consider” each of the six asset types in addressing each of the three sub-requirements 1.1, 1.2 and 1.3. This might be considered the equivalent of CIP-002-3 R1, in which we develop an RBAM, but don’t actually apply it.
2. Let’s start with sub-requirement 1.1, “Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset.” So far, we’ve just talked about assets. How are we going to “identify BES Cyber Systems”? And what are these beasts, anyway?
3. We go to the V5 Definitions document (since we already know to look there or in the NERC Glossary for any capitalized word in CIP V5). There, we find the definition of BES Cyber System:
One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.
4. Aha, now we have to find out what a BES Cyber Asset is. Fortunately, the definition is right above:
A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems.
5. Now what do we do? We know a BES Cyber System is made of BES Cyber Assets, but we’re being asked to “Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset.” How do we do that?
6. I guess it would be a good idea to go to Attachment 1, Section 1. The first line of that section reads “Each BES Cyber System used by and located at any of the following”. And “the following” is four criteria for Control Centers. Since we know Control Centers are one of the six asset types listed in the first part of R1, we can assume this means that we need to take each of our assets and compare it to each of these four criteria.
7. What do we do if there is a match with one or more of our assets? Since the heading of this section is “High Impact Rating”, we probably have to apply that rating to every[vi] BES Cyber System associated with any asset (control center, in this case) that meets one or more of those criteria (although it would be nice if we didn’t have to guess these things!).
8. Now we physically visit that asset (control center). We first consider every cyber asset associated with the control center, to see whether it meets the definition of BES Cyber Asset (of course, this is a laborious process, just as CCA identification is laborious in CIP V1-4).
9. Those cyber assets that meet the definition of BES Cyber Asset now need to be grouped into BES Cyber Systems. OK, we do that.[vii] Now each of those BES Cyber Systems is high impact.
10. We repeat this process for sub-requirement 1.2, and come out with our list of medium impact BES Cyber Systems (by first identifying the medium assets, then their systems, as in steps 6-9 above).
11. However, we can’t repeat this process for sub-requirement 1.3 (low impact BES Cyber Systems). There, we are told to identify
BES Cyber Systems not included in Sections 1 or 2 above that are associated with any of the following assets and that meet the applicability qualifications in Section 4 - Applicability, part 4.2 – Facilities, of this standard:
This is followed by the same list of asset types that appears in the first part of R1. So it seems we take a pre-existing list of BES Cyber Systems, subtract out the ones that already were classified as high or medium impact, and designate the rest (those that meet the part 4.2 applicability criteria and are associated with one of the six asset types) as low impact.
12. But here we run into a problem: We don’t have a complete list of BES Cyber Systems![viii] With sub-requirements 1.1 and 1.2, we have first identified the assets that qualify as high or medium impact; only then have we visited each of those assets (control center, generating station, etc) and identified all the BES Cyber Assets and BES Cyber Systems. The only way we could have a complete list would be if we had gone to every asset that we own, inventoried all of the cyber assets associated with it, identified which of those were BES Cyber Assets, and then grouped them into BES Cyber Systems. Does this mean we have to first take this step? Of course not. In fact, 1.3 says “a discrete list of low impact BES Cyber Systems is not required.” So how could we possibly have such a list to start with?
13. Let’s be honest about this: We’re not really classifying BES Cyber Systems in Attachment 1, no matter how the language reads. We’re really classifying BES assets (substations, control centers, etc). And we certainly do have a total list of BES assets for our entity. That list is what we’re applying the criteria in Attachment 1 to. We’re actually just subtracting the high and medium impact assets off that list, to come up with our list of Lows.
14. But that’s where we stop in sub-requirement 1.3. Even though Section 3 of Attachment 1 says we’re identifying
BES Cyber Systems not included in Sections 1 or 2 above that are associated with any of the following assets and that meet the applicability qualifications in Section 4 - Applicability, part 4.2 – Facilities, of this standard:
we’re not actually doing that. We’re just finding the low impact assets (substations, generating stations, etc) on our asset list, and then we’re stopping, since we’ve been told in sub-requirement 1.3 that an inventory isn’t required.[ix]
We’ve reached the end of our long journey through Requirement 1 of CIP-002-5. Let’s ask a simple question: If it takes 14 steps to comply with this requirement, and those steps can only be discerned by parsing carefully through the words (except for sub-requirement 1.3, where you need to ignore the words in Attachment 1 part 3 in order to be able to understand what you’re really being asked to do), how in h___ is this ever going to be understood by Joe or Jane NERC Entity, let alone audited by Bill or Betty CIP auditor?
And before you say it’s a good thing that this can’t be audited, let me remind you that in the history of CIP, ambiguity has more often redounded to the detriment of NERC entities than it has to their benefit. I don’t think there will be any winners, given this fundamental ambiguity in CIP-002-5.
So what needs to be done about the cyber asset classification problem in CIP-002-5?[x] Two things at a minimum:
1. R1 should be broken into multiple requirements. Maybe not 14 as I have done, but definitely at least three, as in CIP-002-3 – and maybe more. I think it is terrible that entities will have to become lexicographers and diagram sentences (which most of us stopped doing in the fourth grade)[xi], just to discern what R1 is asking them to do.
2. The dishonesty of saying that Attachment 1 is for classifying BES Cyber Systems rather than assets needs to stop.[xii] As I’ve shown, it leads to one sub-requirement (1.3) that simply cannot be obeyed as written. But it also leads to a number of extra steps - and a lot of confusion - in complying with sub-requirements 1.1 and 1.2 - that could all be avoided with a simple change of wording.[xiii]
[i] As I finalize this for posting, I must say that the problems got worse and worse the more I looked at the standard. If you read the footnotes below, you’ll see at least two or three places where I haven’t even bothered to suggest how something should be rewritten – I was getting too tired of doing that, and this is already my longest post (the NOPR post is the second-longest). What surprises me is that the FERC staff members didn’t seem to see any of this. They only had to do what I did – start off as someone who knows nothing about V5 and try to figure out how to comply with this standard. It was frankly quite a depressing experience to realize how muddled the language in this standard is after so many meetings and rewrites, and how it will be a big problem if none of this is changed, whatever NERC does with FERC’s NOPR complaints.
[ii] BTW, I still intend to do the series of posts on Version 5. I’ll just have to fence off the many ambiguities, including those in CIP-002-5 discussed in this post.
[iii] It isn’t completely undefined, since the six items listed with lower case Roman numerals constitute a definition by example.
[iv] I’ve heard that some CIP auditors aren’t happy with the fact that the SDT used the NERC Glossary definition of Facilities, which is fairly narrow, instead of defining a broader term in the CIP V5 Definitions document.
[v] I think having the ability to “slice and dice” an asset into Facilities also has a bearing in Criterion 2.3;
Each generation Facility that its Planning Coordinator or Transmission Planner designates, and informs the Generator Owner or Generator Operator, as necessary to avoid an Adverse Reliability Impact in the planning horizon of more than one year.
The fact that this says “generation Facility” rather than “Generating asset” or something like “Generating station” means that, if a PC or TP says that a single unit or maybe a couple units at a plant is “necessary”, the GO/GOP only has to designate those unit(s) as medium impact. The other units can be low impact, since they could be considered a separate Facility. However, this is entirely my own interpretation. This points to the need for a guidance document to be developed on CIP-002-5 (just as there were guidance documents on Critical Asset and Critical Cyber Asset identification in CIP Versions 1-3). I would put out a post about that and get all worked up in righteous indignation that it wasn't being done, except for one thing: nobody can even write a good guidance document on CIP-002-5 as it currently stands. It would be like trying to nail Jell-O (tm) to the wall.
[vi] I have had disagreements with a couple knowledgeable people – one an SDT member, another an auditor – about whether every BES Cyber System associated with a high or medium impact asset will have the same classification as the asset itself, or whether you could have multiple classifications of BES Cyber Systems at a single asset. I have yet to be convinced that there could be multiple classifications of BES Cyber Systems associated with one asset. If a control center is a high or medium impact, all of the BES Cyber Systems associated with it will be high or medium; if the control center meets at least one high criterion and at least one medium criterion (and only a control center could do this, since the only high impact assets are control centers), then it will be a high impact and all its BES Cyber Systems will be high impact (somewhere in the Guidance for CIP-002-5 it discusses the idea of a "high-water mark" which affirms this statement, but I can't find it now). Any other cyber asset/system at the control center - that isn't an access point or something like that - isn’t a BES Cyber Asset/System at all (although it would probably be a Protected Cyber Asset if it’s on the same network as the BES Cyber Systems).
[vi] I have had disagreements with a couple knowledgeable people – one an SDT member, another an auditor – about whether every BES Cyber System associated with a high or medium impact asset will have the same classification as the asset itself, or whether you could have multiple classifications of BES Cyber Systems at a single asset. I have yet to be convinced that there could be multiple classifications of BES Cyber Systems associated with one asset. If a control center is a high or medium impact, all of the BES Cyber Systems associated with it will be high or medium; if the control center meets at least one high criterion and at least one medium criterion (and only a control center could do this, since the only high impact assets are control centers), then it will be a high impact and all its BES Cyber Systems will be high impact (somewhere in the Guidance for CIP-002-5 it discusses the idea of a "high-water mark" which affirms this statement, but I can't find it now). Any other cyber asset/system at the control center - that isn't an access point or something like that - isn’t a BES Cyber Asset/System at all (although it would probably be a Protected Cyber Asset if it’s on the same network as the BES Cyber Systems).
To explain this – and I’d do a footnote here if I weren’t already in a footnote! – remember that a system is a BES Cyber System by virtue of fulfilling one or more BES Reliability Operating Services (BROS); the BROS are discussed on pages 17-21 of CIP-002-5. Let’s say a control center meets one criterion as a high impact, say criterion 1.2 (“perform the functional obligations of the Balancing Authority….”). A system that performs one of the BROS for a BA control center (say “balancing load and generation”) will be a high impact BES Cyber System. But say another system at the control center performs a BROS for one of the medium impact control center criteria, say 2.11 (“functional obligations of the Generation Owner…”). Does this mean that this system is medium impact? It certainly seems that it should be.
[June 13: I really have to do a footnote within a footnote here. I no longer believe that a cyber asset is a BES Cyber Asset by fulfilling one of the BROS. It is a BES Cyber Asset because it is associated with a BES Facility and meets the definition of BES Cyber Asset. The BROS do have an informal role in the asset identification process, though. See the paragraph after "Fantasy R4" in my post on Fantasy CIP-002-5.]
However, I believe this is really a case of there being two Facilities at one asset. One Facility satisfies criterion 1.2; the other satisfies criterion 2.11. They should be treated by the entity as if they were completely separate assets (or facilities) – their own compliance documentation, SME’s, etc. I think it would be prudent (and perhaps absolutely essential) for the asset owner to separate the two types of BES Cyber Systems on different networks – this would avoid having to protect every cyber asset on the network as a High impact, which would presumably be the case without that separation. But frankly, this is speculation that goes way beyond the language of CIP-002-4 (or any of the commentary provided by the SDT). And that's the point: This is yet another area that should be fleshed out in CIP Version 6.
[June 13: I really have to do a footnote within a footnote here. I no longer believe that a cyber asset is a BES Cyber Asset by fulfilling one of the BROS. It is a BES Cyber Asset because it is associated with a BES Facility and meets the definition of BES Cyber Asset. The BROS do have an informal role in the asset identification process, though. See the paragraph after "Fantasy R4" in my post on Fantasy CIP-002-5.]
However, I believe this is really a case of there being two Facilities at one asset. One Facility satisfies criterion 1.2; the other satisfies criterion 2.11. They should be treated by the entity as if they were completely separate assets (or facilities) – their own compliance documentation, SME’s, etc. I think it would be prudent (and perhaps absolutely essential) for the asset owner to separate the two types of BES Cyber Systems on different networks – this would avoid having to protect every cyber asset on the network as a High impact, which would presumably be the case without that separation. But frankly, this is speculation that goes way beyond the language of CIP-002-4 (or any of the commentary provided by the SDT). And that's the point: This is yet another area that should be fleshed out in CIP Version 6.
There is one specific exception to the rule of all BES Cyber Systems at an asset (or Facility) having the same rating; it was pointed out to me in a comment on my NOPR post. Criterion 2.1 in Attachment 1 of CIP-002-5 deliberately creates two classes of BES Cyber Systems associated with one asset (a generating station greater than 1500MW):
For each group of generating units, the only BES Cyber Systems that meet this criterion are those shared BES Cyber Systems that could, within 15 minutes, adversely impact the reliable operation of any combination of units that in aggregate equal or exceed 1500 MW in a single Interconnection.
So BES Cyber Systems that can impact more than 1500MW are medium impact; all other BES Cyber Systems would be lows. But I believe this is the only Attachment 1 criterion that creates two classes of BES Cyber Systems at one asset.
[vii] Of course, grouping BES Cyber Assets into BES Cyber Systems will probably develop into a black art of its own. Fortunately, you won’t be audited on whether you did this step right or not; it is there mainly to make your compliance life easier, and that’s where the art comes in. When I do my blog post(s) on how to identify BES Cyber Systems, I may make suggestions about how to practice this black art.
[viii] I do realize that, in taking this step, the entity is actually following sub-requirement 1.3, which says “Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any”. So very technically, they are being told to identify assets, not systems. However, they’re not being asked to identify a low impact asset but an "asset that contains a low impact BES cyber system." This means that the only way to comply with this is to identify the low impact systems as described in section 3 of Attachment 1.
[ix] As I pointed out in my post on the NOPR, FERC seems to strongly disagree with the idea that an inventory of low impact BES Cyber Systems isn’t required. If this gets changed, then we won’t stop when we've identified an asset as a low impact one. We’ll have to do what we did at the high and medium assets: inventory the cyber assets, identify BES Cyber Assets among them, and group those into BES Cyber Systems.
[x] You may ask, “Why does Attachment 1 say that it’s for classifying BES Cyber Systems rather than BES assets? Isn't that the root of the problem?” I’m afraid the answer is probably just stubbornness. The first draft of Version 5 – balloted in November and December of 2011 – really did try to start with identifying BES Cyber Systems by themselves; then it classified them according to the Facility (not asset) they were associated with. I and Donovan Tindill of Honeywell (as well as two CIP compliance managers from a large IOU, who had to remain anonymous but were very helpful) pointed out in a post in December 2011 that this approach simply couldn’t work and would be unauditable as well. This contributed – in a small way - to the overwhelming defeat of CIP-002-5 on the first ballot (although every other V5 standard also was resoundingly defeated on that ballot).
When the SDT met in January 2012, it immediately scrapped the previous approach and went with roughly the current language. However, they unfortunately left a number of remnants of the old language in CIP-002-5; what I have just discussed is probably the most egregious example of that. I will admit that, when I wrote my post on the V5 NOPR last week, I mentioned this problem (footnote vii). I said it would be the source of a lot of confusion, but I didn’t say the wording should be changed. I have since realized that it would be a huge shame if FERC and NERC didn’t take advantage of having to revise CIP V5 to fix the many serious wording problems with CIP-002-5. Trying to fix the problems once the standard is implemented will be much more expensive for entities and NERC, both in terms of time wasted and money spent, than fixing them now.
[xi] An auditor pointed out to me that they have to diagram sentences all the time in the course of determining whether an entity is compliant with a particular CIP requirement. Fourth-grade teachers across the continent should be proud of their contribution to securing our critical infrastructure.
[xi] An auditor pointed out to me that they have to diagram sentences all the time in the course of determining whether an entity is compliant with a particular CIP requirement. Fourth-grade teachers across the continent should be proud of their contribution to securing our critical infrastructure.
[xii] This points to another fundamental disagreement I have with a few other interested parties (I realize I'm beginning to sound like I'm a very argumentative person - maybe it's true). Not only do I believe there can be only one level of BES Cyber System at a particular Facility (or asset, if the asset only has one Facility), but I believe there is no such thing as a BES Cyber System that is independent of any Facility. It was pointed out to me last year by the SDT chairman that an example of an independent system is a “leak detector”, which sits on a transmission line out in a field somewhere but performs a BES Reliability Operating Service in spite of not being part of a generating station, transmission substation, etc. I hadn’t heard of these before, but I will certainly stipulate that it would meet the definition of a BES Cyber System (and there are probably other cyber assets, not part of any other Facility, that do as well). However, my feeling is that this should be defined as its own Facility.
Of course, someone will point out that defining a cyber asset as its own Facility is simply an artificial construct, since the Facility is, in this example, being defined as just the leak detector, nothing more. I agree this is artificial, but consider the consequences if we don’t do this. In other words, what if the current language, which implies that there can be BES Cyber Systems independently of assets/Facilities, is allowed to stand? Every NERC entity subject to CIP Version 5 will have to start their asset identification process by inventorying every cyber asset they have that touches the BES. This includes cyber assets at all BES Facilities, but also cyber assets not associated with any Facility at all (such as the leak detectors). They will then have to consider whether each cyber asset (or the system it’s part of) is a BES Cyber System, and this will all be before they classify their Facilities/Assets as High, Medium or Low impact (in other words, we end up in pretty much the position we were in in the first draft of Version 5 in November of 2011). This will be a massive job, and I hereby assert that it will add very little to BES reliability – certainly not on a scale commensurate with the cost. Is this really what we want the industry to have to do?
[xiii] You may ask (and if not, I have certainly asked myself), “You’ve pointed out you attended a number of SDT meetings while V5 was being drafted. Why didn’t you bring up these problem then?” Here's my answer: After the even bigger problem – that I’d pointed out in my December 2011 post – was fixed, a) I didn’t have a lot of stomach for more controversy (or it shifted to other areas, to be more accurate) and b) I stopped paying so much attention to the details of the wording of CIP-002-5. I do remember pointing out in one SDT meeting that I really thought they hadn’t gone all the way to take out the idea that identifying BES Cyber Systems came before classifying Facilities, but I certainly didn’t make a complete nuisance of myself by bringing it up again.
There’s another reason: after Version 5 failed on the second ballot (not quite as overwhelminingly as on the first), I, as well as all SDT members, was quite aware that CIP Version 5 needed to pass on the third ballot. If it didn’t, that would most likely be the end of the Version 5 effort. The SDT would go home without a lot to show for their last two or three years of very hard work. And either NERC would start over on Version 6 with a new SDT, or – more ominously – FERC might just figure out a way to write V6 itself, leaving NERC out. I frankly didn’t want to jeopardize that by making a big deal of wording problems that could presumably be fixed in the future (like now, for instance).
Thanks for sharing! This page was very informative and I enjoyed it. Asset reliability
ReplyDelete