Friday, April 19, 2013

The CIP Version 5 NOPR

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

I have been able to spend some quality time with FERC’s NOPR (Notice of Proposed Rulemaking) for CIP Version 5, which was published yesterday afternoon after being approved (but not read) in FERC’s morning Sunshine Meeting.  As I had thought, there are a lot of important implications to be gleaned from this document, which were not indicated at all in the short press release and statements released after the meeting.  Here are what I consider the most important implications (and not necessarily in order of importance):

FERC’s da (Wo)man! 
I have to say I am very impressed with FERC after reading the NOPR.  Their ‘solution’ to the problem of having multiple CIP versions to comply with over the next few years was very elegant (more on that below).  They are clearly genuinely concerned about both a) not putting any unnecessary regulatory burden on the industry and b) ensuring good cyber security.  I think the very well-thought-out NOPR addresses both of those seemingly incompatible goals to the maximum extent possible.
Version 4 is Dead 
Commissioner LaFleur’s statement yesterday morning said that CIP Version 4 would be superseded when FERC approves Version 5.  It also hinted that FERC would require substantial changes in V4.  My initial reaction was to doubt that the superseding could really happen, since there will likely be a lengthy process required for NERC to draft and ballot on the changes required by FERC – and this might still push the final approval date for the new version past April 1, 2014 (when Version 4 is currently scheduled to come into effect).  But reading the NOPR and discussing this with a couple other people have convinced me that Version 4 will be superseded regardless of how long it takes NERC to respond to FERC’s order for changes in Version 5 (more on this below).  So I’d say that’s a certainty.

FERC Wants Substantial Changes in Version 5 
The news release and statements from yesterday morning suggested that FERC might want some changes in V5, but they didn’t leave me with the impression that this was a certainty.  However, reading the NOPR made it clear that there is a very strong likelihood that FERC will require substantial changes (which go beyond the two mentioned in Commissioner LaFleur’s statement).  I will address the most important of these below.
“Identify, Assess and Correct” 
Ms. LaFleur’s statement mentioned these three words – which are used in 17 of the 40-odd requirements in CIP Version 5 – as something that FERC has a lot of concern with; she said FERC would “seek comment on several concerns related to this language”.  But if you read the discussion of this in the NOPR (pages 23-31), you will probably agree with me that there isn’t much doubt they will require this language be removed when they issue their final order approving V5.

This is of course unfortunate, since this approach to compliance (i.e. focusing on the program for identifying and correcting deficiencies rather than on every single deficiency itself) seemed to many people (including me) to be a significant improvement in the CIP standards (it wasn’t introduced until July 2012, when the SDT was working on the third revision of Version 5 – i.e. after the first two ballots didn’t pass the previous versions).  This approach was made much of in the two webinars the SDT conducted on Version 5 in the fall of 2012.

However, warning flags appeared in February when NESCO posted a paper by Stephen Flanagan of the FERC staff essentially saying this language would result in un-auditable requirements (I wrote a post about this at the time).  And the NOPR language is if anything stronger than what is in the paper (Flanagan is actually not one of the staff members who would have participated in writing the NOPR, so his opinion is clearly shared by others); in my mind, it seems to border on sarcasm at a few points.

Since “identify, assess and correct” appears in seventeen requirements in CIP Version 5, this will be a big deal to fix, and will undoubtedly ruffle many feathers at NERC and at the entities.  More on the mechanism by which corrections will be made below.
Low Impacts 
As everyone knows, CIP Version 5 classifies all cyber systems that impact the Bulk Electric System as High, Medium or Low impact.  Highs and Mediums correspond roughly to the Critical Assets in Versions 1-4; they have to implement security controls (policies, procedures and technologies) that are if anything more strict than those required in Versions 1-4. 

However, the Lows only have one requirement that applies to them.  It is CIP-003-5 Requirement 2, which reads:

R2. Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3 [i.e., low impact systems], shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: …

2.1 Cyber security awareness;
2.2 Physical security controls;
2.3 Electronic access controls for external routable protocol connections and Dial-up Connectivity; and
2.4 Incident response to a Cyber Security Incident.

An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required.

FERC discusses this requirement on pages 35-38 of the NOPR, but their opinion can be accurately summarized in this sentence from page 37:

While the Commission believes that an individual Medium or High Impact asset will have higher potential reliability impacts as compared to an individual Low Impact asset, the Reliability Standards must also enumerate specific, technically-supported cyber security controls for Low Impact assets.

In other words, they don’t think just articulating and implementing four policies is enough – they want requirements for specific controls.  This is going to cause a huge change in CIP Version 5.  Up until now, it has seemed that complying with Version 5 would not be a big deal for entities that have Low impact BES facilities.  They will essentially have to develop four policies and make sure those policies are implemented.  But to be honest, since there is no specification of what exactly is required by these policies, it is hard to see what they really have to do – other than to make sure whatever they do follows those policies.  FERC doesn’t think this is enough.

NERC will have to develop specific requirements for Lows.  These will probably not be particularly onerous compared to the requirements for Highs and Mediums – things like deploying a firewall, authenticating users, physical access controls, etc.  But Lows will be audited on how well they take these steps, not just on whether they have implemented the policies which might or might not require these steps.

So why is this huge?  Because there are so many Lows, and because there are so many NERC entities that only have Low impact BES facilities now, that will have to put in place a V5 compliance program somewhat like what owners of High and Medium impact facilities have to have in place.

Some numbers here.  I believe there are about 2,000 NERC Registered Entities.  Of these, I’m guessing about half are distribution-only entities that aren’t subject to CIP Version 5 at all.[i]  I’m guessing that maybe 200-250 entities[ii] will have one or more facilities that meet the V5 bright-line criteria (yes folks, we have a whole new set of BLC in Version 5 – similar although not identical to those in Version 4).  So the remaining 750-800 non-distribution entities just have Lows.  In other words, the CIP program will now apply in a significant way to about four times as many entities as it does today!

And entities that already have Critical Assets (or High and Medium impact facilities) will also be seriously affected by this.  These entities probably own thousands of BES facilities that will be Lows under V5 – generating stations and transmission substations, primarily.  Instead of just having to create four policies and ‘implement’ them at all those facilities, they will now have to implement the new controls at every single one of those facilities.[iii]

Just as significantly, FERC concludes the discussion with this paragraph (p. 38):

Also, we seek comment on the lack of a requirement to have an inventory, list or discrete identification of Low Impact BES Cyber Systems. The definition of BES Cyber Systems is a threshold for determining applicability of the CIP Reliability Standards, so we assume responsible entities will in fact start by identifying all covered systems. If so, the rationale or benefit for not requiring an inventory, list or identification is unclear.

This one paragraph also has huge implications.  Here’s some background on the issue of inventory of Lows:

  1. Many NERC entities will admit to you that they don’t have an inventory of all of their cyber assets – computers, switches, PLCs, RTUs, etc. – in most of their facilities, and that it would be a big deal to generate one (no pun intended).  For facilities that are Critical Assets – or High or Medium impact under Version 5 – there is no choice: they have to have an inventory in order to figure out which of those assets are in scope for CIP and which aren’t.  But to inventory all of the Lows would be a very large effort (I will say that some entities I’ve talked to already have this inventory and it is up to date.  I will also say that I think they are in the minority, perhaps a small minority).[iv]
  2. The first official draft of Version 5 (posted and balloted in the fall of 2011) was overwhelmingly rejected by the NERC ballot body (most of the standards didn’t win much more than 20% approval).  One of the big issues in the minds of voting entities was the fact that there was one requirement in that version (requiring vendor passwords to be changed) that applied to Lows, which could only be audited by looking at each cyber asset – meaning that an inventory would be required.  This in spite of the fact that even the first draft of V5 had the statement that an inventory wasn’t required.[v]
  3. At their first meeting after that ballot, the SDT removed that one requirement; I posted about that meeting (the discussion on inventory for Lows is in Section I of the post).  From then on, the only requirement for Lows was CIP-003-5 R2, cited above, which as you see makes clear that an inventory isn’t required.
  4. However, a big warning flag on this was given by FERC in Order 761 (April 2012), which approved Version 4.  In there, FERC (paragraph 87) stated clearly that they wanted all BES Cyber Systems (High, Medium and Low impact, although they didn't say this explicitly) to be enclosed within an electronic security perimeter in CIP Version 5.  I had discussions – well, arguments – with SDT members both in phone meetings and at their July 2012 onsite meeting in Minneapolis in which I contended that there was no way they could comply with this request from FERC (it didn’t constitute a directive, since FERC didn’t have CIP Version 5 on their desks at the time and couldn’t make any official ruling on it.  FERC obviously knew all about developments in V5, since FERC staff members attended all SDT meetings) and retain the statement that no inventory of Low impact BES Cyber Systems was required.  The SDT members didn’t agree with me, and the statement remained in Version 5.  I discussed this in my post after that July meeting (although I admit my prediction that this could be the end of NERC was overblown.  NERC is still alive and well, even though FERC is going to get their way on this issue).
  5. I did realize that the SDT was between a rock and a hard place on the inventory issue.  If they had removed the statement that an inventory wasn’t required, that alone could very well have made CIP Version 5 fail on the third ballot (in October 2012).  If that had happened, it would probably have been the end of the V5 effort.  All of their work (over two years) on V5 would have been for naught.  Whatever they personally thought, they had to support the statement that an inventory wasn't required of Lows.  Essentially, they were saying to FERC, “This is too politically difficult a subject for us.  Please help us out and tell the membership that they have to do this or else.”  Essentially, FERC did just that in the NOPR.
The result of this is that there is going to be a huge effort required to inventory all of the cyber assets in many thousands of Low impact BES facilities in North America, as well as to put in place substantial CIP compliance programs at somewhere around 750 (and I’ll admit that “somewhere” could mean 400 or 1200) entities that own or operate only Low impact BES facilities.
Besides approving the V5 standards themselves, FERC also has to approve the Definitions document that was balloted along with the standards themselves.  They discuss five definitions they might want to require changes for; I will discuss the three of these I think are most important. 

15 Minutes
The definition of BES Cyber Asset is foundational to CIP Version 5 (BCA’s make up a BES Cyber System, which is the fundamental compliance category for cyber assets in Version 5, like Critical Cyber Assets are in Versions 1-4).  FERC begins this discussion (which runs from pages 39 to 41) by quoting part of the BCA definition:

The definition begins with “[a] Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment….”

FERC’s problem with this part of the definition is that they don’t understand where “15 minutes” came from; they seem to think there shouldn’t be any time limit in the definition.

The definition of BES Cyber Asset continues:

 A Cyber Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a network within an ESP, a Cyber Asset within an ESP, or to a BES Cyber Asset, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.

Essentially, this says that laptops connected within the ESP for 30 days or less don’t have to have the CIP Version 5 controls applied to them.  On pages 41-42, FERC makes it clear they are quite skeptical of this exclusion.[vi]
Cyber Asset Definition
Since all of CIP is about protecting cyber assets, it is important that the definition of cyber asset be right.  FERC begins their discussion of this by noting that the current NERC Glossary definition reads:

Programmable electronic devices and communication networks including hardware, software, and data.

while the definition in CIP Version 5 reads:

Programmable electronic devices, including the hardware, software, and data in those devices.

Their question is simple (page 43): Why did NERC take “communications networks” out of the definition?  In fact, they point out that the Federal Power Act (the 2005 act that gave FERC power to enforce mandatory reliability standards on the bulk electric system) defines these networks as essential to BES reliability.
On pages 32-35, FERC makes it clear they are not happy with the Version 5 classification of cyber assets as Low, Medium or High based on their impact on BES reliability, rather than on their impact on confidentiality, integrity and availability as in the NIST framework.  However, they also make it clear that they don’t plan to make a big deal of this at this point (since it would obviously require almost rewriting CIP Version 5 from scratch).[vii]
Implementation Plan
The V5 Implementation Plan gives entities with High and Medium impact facilities 24 months to comply (after FERC approval) and entities with Low impact facilities 36 months.  On pages 45-47 of the NOPR, FERC asks several questions, including:

  1. Why 24 and 36 months?
  2. Could there be a shorter compliance period for cyber assets already subject to CIP V3 compliance?
  3. Heck, why not a shorter period for all cyber assets subject to CIP Version 5?
However, they don’t just ask these questions.  They make clear that they want a shorter implementation schedule, and that they’ll implement one if nobody gives them a compelling argument why they shouldn’t.

So what might be the V5 implementation schedule when all the dust is cleared?  I’m guessing they’ll go to one year for Highs and Mediums and two for Lows (the justification for the longer period for Lows is that few if any of them had to comply with CIP Version 3, so this will all be new to them). 
Please Help Us
In a final section entitled Other Technical Issues (starting on page 54), FERC brings up other areas where improvements may also be required in V5.  They don’t say that they are currently considering particular changes, but they would like comments on cryptography; protecting assets connected with non-routable protocols (even though the non-routable protocol ‘exemption’ has been removed in V5, some requirements still apply only to routably connected assets, and FERC clearly thinks this leaves a gap); remote access security; separation of duties; and a few other areas.

CIP Version 6?
I’ve completed my painfully detailed discussion of the NOPR.  What is the likely course of events that will lead – finally – to a new version of CIP that everyone can start preparing for?  Here is what I (and a couple knowledgeable persons) see:

  1. A 60-day comment period will commence when the NOPR is published in the Federal Register.
  2. After that period, FERC will mull over the comments.  They might come back for more information (for instance, I have thought for a while that they would ask for a new survey of probable High, Medium and Low impact BES facilities.  However they don’t show a sign of that being a concern in the NOPR – but that could still change later.  And it was pointed out to me that FERC held a couple workshops while considering approval of CIP Version 1.  Given that V5 is such a radical change, they may want to do this again).
  3. They will issue a final order (like Order 761 for Version 4).  This might be close to the end of this year, even early next year (of course, before Thursday I didn’t think they would issue the NOPR itself until about that time, so you need to take this with a shaker full of salt).
  4. That final order will approve CIP Version 5 as it currently stands, and also mandate a “compliance filing” by NERC of a new version of CIP, based on Version 5 but incorporating a set of changes that FERC wants made.  There will probably be a time limit for this filing; hopefully it won’t be just 90 days (when FERC approved CIP Version 2 in September 2009, they at the same time mandated a new filing that modified CIP-006 to include a requirement for physical visitor escort.  NERC had to file this new version in 90 days, which they did, as CIP Version 3).  On the other hand, FERC doesn’t want the new version to come back in five years, either (this is how long it took to file Version 5 after FERC approved Version 1 in Order 706 in January 2008; V5 is meant to be the final answer to Order 706.  However, in their defense NERC ended up having to file three other versions in between!).  So I'm guessing they might require V6 be delivered to them in six months.  Even that would be a big stretch for NERC to get done, considering all the changes that FERC will likely require in the standards.  I recommend the SDT members spend as much time with their families as they can in the coming months.
  5. The new version will be called – are you sitting down? – CIP Version 6.  When it is filed, FERC will hopefully review it very quickly, issue a NOPR, and then issue a final order.
  6. You may be thinking, “Great, so we’ll have to comply with Version 5, then maybe a year later we’ll have Version 6?  What was all this stuff about avoiding having to comply with two versions?”  Calm down.  It is likely the implementation plan for V6 will read something like the V5 one does now.  That plan says that V4 will be skipped if FERC approves V5 before V4 comes into effect.  If you just increment each of those version numbers by 1, you’ll get the V6 implementation plan.[viii]
And here you have the final piece of news: The next CIP version you have to comply with will in all likelihood be Version 6.

[i] Pure Distribution Providers (i.e. not having other registrations subject to V5) are subject to CIP Version 5 if they own one of the types of facilities described in about four of the V5 bright-line criteria – i.e. High or Medium impact facilities.  If they are brought into CIP V5 that way, their other BES Facilities will not have to be considered as Lows.
[ii] This is how I come by this range.  It compares to the number of entities with Critical Assets and Critical Cyber Assets in CIP Versions 1-3.  There are no published numbers on this of course, but judging from a single number published by WECC a few years ago (53 such entities in that region), I am guessing there are between 100-150 such entities now in North America.  I really don’t see the V5 bright-line criteria bringing in that many more entities as Highs or Mediums, so I feel safe in saying 200-250 is a good estimate for entities with High and Medium BES Cyber Systems, with 200 being more likely.  Of course, I’m safe because I doubt this number will ever be published, so we'll never know for sure what it is.
[iii] It would be nice to think that every BES facility already has wonderful security and this won’t require much effort at all.  It would also be nice to think that world peace is about to break out, or that the Cubs will win the World Series this year.
[iv] And NERC won’t get names even if they waterboard me.
[v] I and Donovan Tindill of Honeywell wrote a blog post in December 2011 that mentioned this problem (footnote 10).  More on that in footnote VII below.
[vi] This sentiment is obviously the same as what is expressed in FERC’s recent order remanding (i.e. killing) the Duke Energy Request for Interpretation on CIP-002-4.
[vii] I want to comment on this issue, since I think I have an answer to FERC’s question of how this situation came to be (they could have just called me before they wrote this!  Would have saved some time).  In the first official draft of Version 5 (balloted in December 2011), the approach taken to asset identification was first to look at all of an entity’s cyber assets and evaluate each for its impact on one or more of the “BES Reliability Operating Services” defined in Version 5.  So you would determine whether there was an impact by looking at the cyber asset itself, not the facility it was associated with; you would then look at the facility (using the V5 bright-line criteria) to determine whether this was High, Medium or Low impact; the cyber asset would then inherit the facility's rating.
I and Donovan Tindill – working with an unnamed but much appreciated CIP compliance manager at a large IOU – pointed out in a blog post (linked in footnote V above) that this was a completely unworkable and un-auditable approach, since in very few cases would a cyber asset have an impact on the BES separately from the facility with which it was associated (I had actually had this discussion in emails with SDT members a few months previous to this).  I believe this post contributed in a small way to CIP-002-5’s resounding defeat (along with all the other V5 standards) in the first ballot.
In the next draft, the SDT changed the asset identification approach so that you start with the facility (and its H/M/L rating), then identify the BES Cyber Systems that support the facility.  These BCS’s then take the rating of the facility.  This is of course pretty much the approach in CIP Versions 1-4: You first identify Critical Assets, and then the Critical Cyber Assets are the cyber assets that are associated with each of the Critical Assets.

As I see it, the big problem – which has caused a lot of confusion in online discussions and will I’m sure cause much more confusion as entities start to work on CIP Version 5 compliance – is that the SDT wouldn’t make a clean break with the old approach.  CIP-002-5 R1 still makes it sound like the BES Cyber Systems themselves have the H/M/L categorization, whereas it is really the BES facilities that do.  So FERC’s issue is really with this language.  The H/M/L categorization is properly based on reliability impact, but that’s because it applies to the facility, not to the cyber system.  Another way of putting this is that BES Cyber Systems that support a particular facility – say a generating station – will always all have the same classification H/M/L as the facility itself  (this doesn't mean that all of the cyber assets located at a particular facility will have that facility's classification.  They might actually be associated with a different facility.  For example, servers at a generating station might actually be supporting other generating stations, so they would take the rating of those other stations).  The classification comes from the facility, not the cyber asset.
But enough theological discussion.
[viii] You get extra credit if you noticed something about the timeline.  I’m saying FERC will issue the final order approving V5 around the end of 2013 and then give NERC more than three months to come up with V6.  This means V6 will be submitted after the 4/1/2014 date that V4 is scheduled to go into effect – does this mean there’s still a chance V4 will happen?  No.  You may also realize why: V4 is set aside when FERC approves V5, not V6 (even though as I said, you’ll hopefully never have to comply with V5).  So you don’t have to worry.  As I said at the start, V4 is dead, dead, dead.  Requiescat in pace.


  1. Hello Tom - in your discussion point [vii], you discuss the confusion of if the facility or the cyber system has the H/M/L impact classification. I think this all gets into semantics a bit, but I don't see the problem with the present approach. Per the V5 standards, there isn't (as far as I can tell) anything that implies that a facility has an impact classification. So I don't think we would ever say, for example, that a 1700MW generation site is "medium-impact". That terminology would only apply to the underlying cyber systems. In many cases, I'm seeing sites with multiple units where the site is >1500MW, so the first part of CIP-002-5, Attachment 1, Criteria 2.1 is met. But then there are not any shared cyber systems that can, within 15 minutes, impact > 1500MW at that site. So while the MW rating of the site itself makes you need to evaluate 2.1, the separated network nature of the underlying control systems does not classify the cyber systems as "medium impact". The cyber systems would, of course, default to the "low impact" category. However, if a similar site had a single common control system, then that cyber system very likely would impact > 1500MW within 15 minutes, thereby resulting in a "medium impact" classification for that control system.

    So I suppose my long winded point is that for two >1700MW plant sites with the exact same mechanical components, the underlying cyber systems could have different impact ratings, depending on the network architecture. So the cyber system classification does not really come from the facility - it derives from the impact the associated cyber systems can have on that facility.

    Keep up the good work!

    1. Thanks, Chip. You're technically correct that Attachment 1 identifies systems, not facilities, as H/M/L. But in my mind this is simply dishonest. If every cyber system that supports a facility has to have the same rating as the facility itself (which I believe it does in V5), then it's really the facility that has the rating, not the cyber system.

      However, there is one exception to this rule, and that's the example you cite: systems at a 1500+MW site that don't support 1500MW of generation. I will grant that there could be 1500+MW plants that have BES Cyber Systems that fall into either Medium or Low impact categories because of this (perhaps there might actually be both at one plant as well). However, this is the only exception I know of, although if you can think of another let me know.

      The idea that you're rating the system, not the facility, is a legacy of the first draft of V5, which did actually have you first identify your BES Cyber Assets (BES Cyber Systems weren't in the picture yet) by finding which BES Reliability Operating Services they supported. Then you would go to Attachment 1 to find out whether the BCA was H/M/L. This was an unworkable process, and I argued against it at the time.

      The asset ID process was changed after the first ballot to go more like the V1-4 process: classify the facilities (Critical Assets vs. not), then the cyber assets in them (CCAs, etc). But - very unfortunately in my opinion - the language was left in that implied that you were really classifying the cyber assets, not the facilities. As I pointed out in footnote vii above, this language seems to have tripped up even FERC. And it will definitely trip up many NERC entities as they try to figure out V5. Totally unnecessarily (in fact, maybe this will be a comment I'll post on the NOPR: fix the language so this is clear).

  2. Thanks Tom - good stuff. I think the only other situation where you could have a cyber system impact rating different from the facility "rating" would be the 1000 MVAR reactive resource criteria of 2.2 since it has a similar classification approach as the 1500 MW criteria of 2.1.

  3. I am quite aware that for a year I advocated - forcefully at times - for NERC entities to just focus on CIP V4, not on V5. I have just posted my analysis of what I did wrong
    I welcome any comments on this.


  4. A consultant pointed out to me today that I misread FERC's intent on the "Identify, Assess and Correct" language in Version 5. They aren't so much saying they will require it be taken out as saying that they want NERC to justify it. They say "Therefore, we seek comment on the meaning of this language and on how it will be implemented and enforced. Depending on the comments and explanations received, we may determine that it is appropriate to direct NERC to develop modifications."

    I totally agree with this consultant - I did miss the boat here, and I thank her for bringing this to my attention. Of course, NERC might fail to justify this and FERC will then require the language be taken out of V5. But they clearly want to give "Identify, Assess and Correct" a chance - which makes sense, given how much NERC is relying on this approach as the wave of the future for many of the standards, not just CIP.

    I imagine that NERC will especially have to address the auditability issue, since I believe that is the big one with FERC. It certainly is in the Stephen Flanagan paper discussed in my February post:

  5. The consultant I just referred to has now given me permission to use her name. She is Katherine Tourigny, who has been leading CIP standards development in the province of Alberta.