Monday, May 27, 2013

The Transition to CIP Version 5

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

Oct. 18, 2014: Can someone tell me why this post is getting so many hits lately?  If you're all history buffs, I guess it has a certain value that way.  But don't expect to find anything that is going to help you now.  I admit I need to address this topic again soon, but this post from July gives some guidance.  I expect to have another on the actual transition - rather than the timeline - within a couple weeks.

Nov. 8: It is very likely FERC will approve CIP Version 5 before Thanksgiving, most likely at their meeting on Nov. 21.  Of course, what will be important is the Order they issue with V5.  When that is issued, your reporter will sequester himself until he has figured out what it means, and will post that as soon as possible thereafter.

July 25: I just put up a new post on NERC's Version 5 transition plan - or at least the "proposed" plan they released this week.  You can find it here.

Last week (May 21 and 22) I attended the excellent CIP workshop put on annually by SPP in Dallas.  I regret that I didn’t mention this workshop in previous blog posts, since it isn’t limited to SPP entities and provides a lot of good information (they did have good attendance).  Next year, look for the announcement on SPP’s website around Feb. or March.

One highlight of the meeting was a presentation by Kevin Perry, the Chief CIP Auditor for SPP (and member of the original NERC CIP Standards Drafting Team).  The title was “The CIP Version 4 Transition”.  Now before you start wondering what that has to do with the transition to Version 5 (especially since FERC’s NOPR makes it clear they don’t intend to let Version 4 come into effect), listen to his argument.  His reasoning goes like this (although a little of this is my own enhancement of what he said):

  1. There is only one fully approved new version of NERC CIP at the moment – Version 4.  The date for full compliance with V4 is April 1, 2014.
  2. While FERC said in the NOPR that V4 won’t come into effect, we can’t be absolutely sure that will happen.  As of today, NERC entities can’t just assume that V4 won’t come into effect.
  3. But there is a saving grace in this, in that a lot of what an entity has to do to prepare to comply with V4 will be exactly the same as what’s required to prepare for V5.  So the entity can take certain steps now that will be required no matter which way the wind blows in the future.
  4. NERC has said they will come out with a transition plan for Version 5 in July, which will hopefully address many questions that entities have on this.  As of the moment, Kevin has no idea what will be in the plan.[i]
  5. I pointed out in a question to Kevin that, while there are certainly a lot of common steps that need to be taken to prepare for either Version 4 or Version 5, there are also some steps that would be very specific to one version.  For example, an entity complying with Version 4 (who didn’t already have to comply with Version 3) would have to prepare a lot of specific documentation templates, etc. before 4/1/2014.  If Version 4 doesn’t happen, these items can’t be reused for Version 5.  There still is potentially a big opportunity to waste resources on Version 4 compliance activities.
  6. At that point, Scott Mix of NERC (for those of you who don’t know him, he’s the Obi Wan Kenobi of NERC CIP) pointed out that NERC is quite aware of this problem, and hopes to address it in the transition plan.  The specific way I hope they address it is to say that, if an entity chooses not to spend a lot of money on becoming V4 compliant on 4/1/2014 but then (due to some strange and unforeseen occurrence) V4 does come into effect on that date, they will be given extra time to comply.  Or maybe they won’t even have to comply with V4 at all, if V5 is approved soon after that date (of course, NERC wouldn’t have actual legal authority to do this.  They also didn’t have full authority to say in the V4 transition plan that blackstart resources wouldn’t be audited.  But it seems likely that FERC isn’t going to come down hard on them for this, and might indeed have given them some signal that this was OK).  We’ll have to wait until July to know exactly how NERC’s Version 5 transition plan is worded.

I know the V4-V5 transition is an important question because I have had two large IOU’s tell me in the last few days that they are plowing forward on their Version 4 implementation plans - since they can’t take any chance of having it come into effect and being caught non-compliant on 4/1/2014.  What can those entities (and any others in the same boat) do now, that will move them toward both V4 compliance and V5 compliance at the same time?  I will divide the discussion into several areas.

I. Critical Assets / High and Medium Impact BES Facilities
If you’re concerned about the possibility of having to comply with CIP Version 4 before Version 5, you will be glad (perhaps that’s not the right word) to know that your facilities that are Critical Assets for V4 will almost all be High and Medium impact Facilities in scope for V5 (which will require similar controls to those required of Critical Assets now).  The bright line criteria are very similar in V4 and V5, with the exception of blackstart facilities (blackstart plants and substations in the cranking path).  However, NERC’s April Version 4 transition plan specifically stated that blackstart facilities won’t be audited when/if V4 comes into effect, so they are in effect no longer critical under Version 4 either.

With blackstarts out of the way, the differences between the two versions are mainly in these areas[ii]:

  • More control centers are High or Medium impact under Version 5 than are Critical Assets under V4.  But since all V4 control centers will be High or Medium under V5 as well, you won’t be wasting your time by implementing security controls at V4 control centers that aren’t currently critical under Version 3.
  • There are definitely wording differences between V4 and V5 in the criteria for substations, but given how complicated the criteria are, your Operations people will need to tell you what the impact will be for your organization.
  • FACTS (Flexible AC Transmission Systems) seem to me to be the one case where an asset is critical under V4 but not High or Medium under V5, since there is no criterion in V5 that specifically mentions FACTS.  But your Operations people need to look at this.[iii]
  • Of course, in V5 every BES Facility that isn’t High or Medium impact will be a Low impact.  But given that almost none of these facilities are critical under Version 4, this doesn’t affect the decision of what to do now.

Kevin did devote a lot of his discussion in Dallas to the question of adopting the Version 4 bright-line criteria as your RBAM for CIP Version 3.  NERC’s CIP Version 4 Transition Plan (you can see my post about that plan here) says there are two options for this:

  1. You can adopt some or all of the V4 bright-line criteria as your RBAM.  That means you will have to show there is a risk basis for adopting those criteria (and you could of course include other “criteria” in your RBAM as well).
  2. You can adopt the V4 criteria without change (meaning you can’t pick and choose among them).  The plan said specifically that you can ignore the criteria having to do with blackstart resources, but you have to include all of the other criteria unchanged.[iv]  In this option, you don’t have to provide a risk basis.

Whether or not FERC ends up approving V5, you can adopt the Version 4 criteria now since this is part of the V4 transition plan, which has been officially promulgated by NERC.  Kevin did also recommend the following:

  1. If you do follow Option 2, get this signed by your CIP Senior Manager just like you would do with the RBAM.
  2. Don’t wait until you’re about to be audited to adopt the bright line criteria.  If you do, you’ll still be audited on the basis of your old RBAM up until the point where you switched.  In other words, if you’re going to adopt the BLC, do so soon.

Many will ask: can we adopt the V5 criteria, rather than the V4 ones?  That will presumably be answered in NERC’s V5 transition plan in July.  However, don’t assume that the plan will allow adopting the V5 criteria now.  Remember, the V4 criteria are set in stone since FERC has approved them.  The V5 criteria are still fluid, and FERC may still require changes in them.  Fortunately, given how close the criteria now are between V4 and V5, it probably wouldn’t be much of an imposition if you were only allowed to adopt the V4 criteria, even though V5 (really V6 of course) is probably the next CIP version to come into effect.

III. What should I do?  What shouldn’t I do?
Here is my handy dandy guide to figuring out what is worth doing and what isn’t worth doing during the V3-V4-V5 transition period.  My feeling is this should cover most entities, even in the unlikely event that V4 comes into effect.  However, caveat emptor.  There is still much uncertainty (of course, there has essentially been nothing but uncertainty regarding the path to the new CIP versions since at least 2010.  Every month I have thought the uncertainty was finally about to end, and almost every month it’s ended up increasing).

  1. If you have assets that are currently critical under your RBAM but won’t be critical under the V4 criteria, you should definitely look at adopting the V4 BLC now, so you can remove them as Critical Assets.  Even if the V4 BLC will add any Critical Assets, remember the V4 transition plan says you won’t be audited on them until V4 comes into effect (and hopefully the V5 transition plan will say something similar).  Of course, keep in mind, if you drop Critical Assets, that they will still be Low impact under V5, meaning you shouldn't start ripping out your security controls.
  2. If you have assets that will be critical under V4 and High/Medium impact under V5 (and almost all V4 Critical Assets will be High/Medium under V5, except of course for blackstart resources), you can certainly start to put in place the controls that will be common to both standards.  For example, both standards require ESPs, personnel risk assessments, patch management, monitoring of physical access, incident response plans, etc.
  3. What you shouldn’t do now is invest a lot in developing procedures, training and documentation specific to Version 4 – that is effort that will be wasted if Version 4 does not in fact come into effect, as seems very likely to happen.
  4. You should start thinking about your Low impact assets – essentially, everything you own or operate that touches the BES, that won’t be a High or Medium impact under V5.  While the Version 5 compliance date for Lows is probably at least three years away, the problem is there are so many Lows.  If you wait to do anything at all until FERC approves Version 6 (which probably won’t be until later 2014), you may then have a big scramble to get them all compliant in the two years or so that FERC allows for compliance.[v]
  5. Remember, FERC broadcast loud and clear in their NOPR that they want specific controls to be applied to Lows (not just the four policies that are in Version 5 now).  And they also made clear they want cyber assets at Low impact facilities to be inventoried.  A good first step would be to conduct an inventory of all cyber assets at all Low impact facilities.  This will be a large job for many entities, but it will have to be done for Version 5 anyway, and it’s the foundation for any further cyber security program.

P.S. Be sure to sign up for Honeywell’s upcoming webinar with EnergySec, “Covering your Assets in CIP Version 5”.  You can sign up for it here.  The webinar is on August 21st at 10:30 CDT.  If you can’t make the webinar but want to see the video, sign up anyway.  You’ll get the link to the video as soon as it is posted after the webinar.

[i] Ironically, NERC came out with their Version 4 transition plan – which had been promised for about a year – around April 11, one week before FERC issued their NOPR and changed the whole situation.  But as you'll see in this post, the plan does still have a lot of significance.  August 2: Even though NERC came out with a draft V5 transition plan last week, it seems likely they will never come out with an official one until FERC approves V5 and makes the way clear.  So the V4 transition plan remains in effect, although you should confirm this with your Regional Entity.

[ii] When I say “mainly”, this is the judgment of Tom Alrich, non-EE.  There are wording differences between V4 and V5 in almost all of the criteria.  These seem trivial to me but need to be reviewed by your Operations people to make sure there isn’t some hidden gotcha that makes V5 more or less inclusive than V4 for a particular type of Facility.  I've been told by a number of entities that the V5 criteria for substations are much more inclusive than the V4 criteria.
[iii] They especially need to review whether Criterion 2.6 in Version 5 does actually cover FACTS; the V4-V5 mapping document the SDT sent out (which isn’t part of the standards) shows that criterion as corresponding to Criterion 1.9 (FACTS) in V4.
[iv] There is one other provision in the V4 plan that you should know about.  Let’s say your organization has a control center that controls blackstart plants; criterion 1.15 in CIP-002-4 Attachment 1 says that control center has to be critical since it controls a Critical Asset.  Since the blackstarts won’t effectively be critical under V4, will the control center also not be critical?  No.  The transition plan says (page two) “Control centers associated with Blackstart Resources (Criterion 1.15) and Cranking Paths (Criterion 1.16) shall continue to be deemed critical regardless of the aforementioned exclusion” (the exclusion referred to is the exclusion of blackstart resources from audits once V4 is implemented).  Plus, in Version 5 most control centers will be High or Medium impact anyway.

[v] While the Version 5 implementation plan now allows three years for the Lows to become compliant after FERC approval, FERC expressed big reservations about this in their NOPR.  I am guessing that FERC will require about a two-year implementation period for Lows (and about a one-year period for Medium/Highs), although keep in mind this will be from late 2014 or early 2015, when I believe that FERC will approve CIP Version 6, the next version you will have to comply with.

Tuesday, May 21, 2013

A Correction: Distribution Providers in CIP Version 5

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

My post on the CIP Version 5 NOPR has had well over 600 page views in the month it has been available.  So it was with a little dismay that I just noticed a mistake in one of the footnotes.

The footnote had to do with Distribution Providers.  DPs are one of the NERC entity types listed as being subject to CIP Version 5 in Section 4.1 of CIP-002-5; however, they are only subject to V5 if they own one of four specific types of BES facilities listed in that section.  Section 4.2 then indicates which BES Facilities owned (or operated) by each type of entity subject to Version 5 are actually in scope for V5 (as at least a Low impact facility). 

I hadn’t read Section 4.2 carefully enough when I wrote the NOPR post, and I assumed that DP’s were like all of the other entities listed in 4.1: every BES Facility they own (operate) is subject to V5.  However, in going back over CIP-002-5 much more carefully while writing subsequent posts, I have come to realize this is wrong.  For DPs, the only facilities that are in scope are the four specific types listed in section 4.1 (and also in 4.2). 

Of course, if an entity has multiple registrations including DP and one of those other registrations makes it subject to V5, then this doesn’t matter.  Because of those other registrations, the entity will still have to comply for all of their BES Facilities.  This only matters for pure DPs.

I apologize for this mistake.  I hope it hasn’t caused unnecessary heartburn in DPs.

Sunday, May 19, 2013

My Comments to FERC on CIP Version 5, Part I

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

1/2/2014: I just realized that there's no link in this post to the one that followed it, which wasn't called Part II.  Here is the link.

8/28: In preparing for our V5 webinar last week, I realized there is another problem in CIP-002-5 related to the discussion in this post.  You can find that new post here.

Note: This post was intended to be one of two on the comments I intended to submit to FERC on the CIP Version 5 NOPR.  However, when I started to write the second part, I realized I really needed to rewrite CIP-002-5, not just make a bunch of comments on how it could be improved. That effort took place over two (really three) posts, starting here.

I don’t work for a NERC entity, but I do use electricity, so I plan to submit comments to FERC on CIP Version 5 during FERC’s 60-day comment period open through June 24.  The comments I’ll submit relate to CIP-002-5, and are based on what I discovered while writing (or trying to write) a blog post about asset identification in Version 5.  I hope that FERC requires that NERC incorporate these changes in the compliance filing that FERC will mandate when it approves Version 5 (the compliance filing will be called CIP Version 6, and will be the next version the industry has to comply with).  If FERC doesn’t require these changes, I strongly recommend that NERC incorporate them into the compliance filing itself.

This blog post (and the Part II post to follow) are not what I will actually file with FERC.  In these posts, I am including a lot of explanation that I don’t plan to include with the actual comments, in order to keep their length somewhat manageable.  In my comments, I will refer the FERC staff to this post if they want more explanation (some of them read my posts anyway, I’ve heard).

I really hadn’t planned originally on making comments, since I had made comments informally (to the SDT and in blog posts) during the process of drafting and balloting CIP Version 5, and I thought that – now that it was developed and approved by NERC – there was nothing for me to add at this point.  However, I recently started writing a post to provide some guidance to NERC entities as they start to prepare for compliance with CIP Version 5.  I started with the first standard, CIP-002-5, and tried to work my way through the standard in the same way an entity that didn’t have much prior knowledge of CIP Version 5 (and I’m sure this is the majority of NERC entities) would have to.

As I did this, I began to realize there are some real wording problems with CIP-002-5.  These problems are so severe that, should this standard be implemented as written, I don’t believe it could hold up in court if challenged (and NERC standards are regulatory law, meaning an entity can challenge any fines in court if so inclined).  More importantly, it will be hugely confusing for entities trying to comply with it, and for auditors trying to apply it.

This doesn’t mean there might not be some sort of workarounds to these problems – special training for the auditors and the entities, written guidance (although CANs have been discontinued), etc.  But why start out knowing you will need workarounds?  FERC will almost certainly mandate that certain changes be made to Version 5 (as Version 6), so the standards are being reopened anyway; why not fix CIP-002-5 at that time, rather than plan on having to implement workarounds – which may or may not work and which may not hold up in court in any case?

The fact that it is CIP-002-5 that has major wording flaws (and not the other Version 5 standards) makes this effort all the more important.  This is because, in all the CIP versions including Version 5, CIP-002 is the foundation for all of the rest of the standards.  In CIP-002, the entity identifies the facilities and cyber assets that will be subject to the remaining standards.  If this asset identification process turns out to be fundamentally flawed because of unclear wording in CIP-002-5, then it almost doesn’t matter what the remaining standards say (I personally think CIP-003-5 through CIP-011-1 are very well written standards, although I’m sure some who have studied them more than I have will find issues with them); if those standards aren’t applied to the right facilities and cyber assets (based on a clearly written CIP-002-5), the next CIP version will be an utter failure.

I have grouped my comments on CIP-002-5 into three headings.  I will deal with the first heading in this post, and the other two in the next post.  If you are making your own comments to FERC, you have my permission to excerpt any or all of my comments and include them in yours, even without attribution.

I. Facilities / Assets / Whatever
There are two types of things that need to be identified in CIP-002-5.  The first is what the Standards Drafting Team often referred to as the “big iron”.  This means the facilities that are subject to CIP: control centers, generating stations, transmission substations, etc.  They are called Critical Assets in CIP Versions 1-4. 

The second is “little iron”, meaning the cyber assets associated with those facilities; these cyber assets are what are actually in scope in NERC CIP.  In CIP-002-5 as currently written, there are very serious problems with identifying both types of “iron”.  I will start by discussing the wording problems I see with the process for identifying “big iron” in CIP-002-5, and then address the “little iron” problems in the next post.

Let’s start by looking at how CIP-002-5[i], in its current wording, lays out the process for identifying “big iron” that is subject to CIP Version 5.  Section 4.1 of CIP-002-5 lists the NERC functional entities that are subject to CIP-002-5.  Section 4.2 goes on to describe the “Facilities, systems, and equipment” owned by those entities, that are subject to the requirements of CIP Version 5.  For Distribution Providers, only four types of Facilities are in scope.  For every other functional entity listed in Section 4.1, all of their “BES Facilities” are in scope.  So we’ve learned something here:  If our organization has one or more of the functional entity registrations listed in Section 4.1, we know exactly which Facilities are in scope.[ii]

Now we’re ready to look at the first requirement of CIP-002-5, requirement R1.  As I described in my previous post, this requirement actually requires about 15 steps.  Some of these steps are only implied by the definitions of words and by syntax, which affords all NERC compliance people the opportunity to dust off their fourth-grade sentence-diagramming skills (see, there are all sorts of hidden benefits to being involved with NERC CIP compliance!).  R1 should really be broken into at least three requirements (as it is in CIP-002 in versions 1-3) and perhaps even more than that.  I will discuss this idea in the second post.

Since we already know from Section 4.2 which of our Facilities are in scope for V5 (i.e. all of our BES Facilities, unless we only have a DP registration), what we want to find out in R1 is a) which of those Facilities are High, Medium or Low impact, and b) how to identify the cyber assets that are associated with those High, Medium and Low impact facilities (since these will be the cyber assets in scope for Version 5).  The reason we think this way is this is exactly how CIP Versions 1-4 work.  In those versions, you first identify your Facilities that are Critical Assets; all others are non-critical assets (so there are two classifications of Facilities, not three as in Version 5).  Then you identify the Critical Cyber Assets associated with the Critical Assets.  At that point, you know what’s in scope for the rest of the standards in Versions 1-4.

What do you find in R1 of CIP-002-5 to help you classify your Facilities?  Nothing at all; there is no mention of Facilities!  Instead, there is a new term called assets.  The fact that it isn't capitalized means that it isn't defined in the V5 Definitions document or the NERC Glossary, so you’re kind of on your own in figuring out what it means.  It is defined by example, listing six types of assets that are to be considered in R1: control centers, transmission substations, etc.  So why did Section 4.2 make such a big point about Facilities when they don’t seem to be relevant once you get to the actual requirements?  Beats me, but we have to plod on with the assets concept.

In the first sentence of R1, the entity is told to “implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3”.   These are the six asset types I just mentioned; so these are what we need to consider in 1.1 through 1.3.  Now we go to the three sub-requirements[iii] R1.1 through R1.3.  These take us down to Attachment 1, where we hope to classify our Assets into High, Medium and Low impact.

As we start into Attachment 1, we find no surprises, at least in criteria 1.1 through 2.2.[iv]  In those criteria, we are presented with things that seem to correspond to the list of assets that we produced as a result of the first sentence of R1: control centers, generating plants and reactive resources that our entity owns (or operates).  But what do we find when we reach Criterion 2.3?  Our old friend “Facility”!  It seems reports of his death were greatly exaggerated (to paraphrase Mark Twain), and he has returned from whatever Purgatory he was in during the first sentence of R1.  We’re asked to identify a “generation Facility” in 2.3, followed by “transmission Facilities” in 2.4 through 2.8. 

Why did this happen?  If “asset” was good enough in the body of R1; why isn’t it good enough in parts of Attachment 1?  Because it wouldn’t suit the purpose of criteria 2.4 through 2.8, that’s why.  Those criteria deal with substations.  If you consider just the asset called a substation (there is no NERC Glossary definition of substation, but I will provide my own: “A lot of fancy and expensive equipment surrounded by a fence and maybe some razor wire, with a bunch of lines running in and out that you sure don’t want to touch”) and compare that to criteria 2.4 to 2.8, you will probably end up with a lot more equipment in scope for CIP Version 5 than needs to be.

This is because substations very often serve two purposes, Transmission (a BES function) and Distribution (not a BES function).  Having to bring all the Transmission equipment into the scope of CIP-003-5 through CIP-011-5 is bad enough, without having to do the same for all the Distribution equipment as well.  But if criteria 2.4 through 2.8 had read “asset”, you probably wouldn’t have much choice in the matter: you would have to include both sides in scope for Version 5, since the asset here is almost certainly the whole substation.  In other words, you would have to cover more of your assets.

But not to fear, the Standards Drafting Team has instead included the word Facility in criteria 2.4 to 2.8.  This was not due to perversity, but because Facility clearly is being used in a different sense from asset.  Hopefully, the term Facility will allow you to separate the Distribution from the Transmission equipment.  Does it do that? 

The NERC Glossary definition of Facility is “A set of electrical equipment that operates as a single Bulk Electric System Element...”  So if you want to define the Transmission equipment at a substation as the equipment that makes up a Transmission Element, then it seems you can logically separate it from the Distribution equipment (which would in turn make up the Distribution Element).

However, we entered Attachment 1 with a list of assets, not Facilities.  You can’t slice and dice an asset, so there needs to be some definition of how Facilities map into assets.  Presumably, an asset is composed of one or more Facilities, but that is nowhere stated in CIP-002-5 or in the V5 Definitions document (it’s also not explicitly stated in the Guidance included with CIP-002-5).

You might think I’m being a nit-picker here, since maybe everyone involved knows there can be multiple Facilities at work in one Asset (although I doubt that).   But just wait until a big IOU is hit with a big fine relating to how they have divided up the equipment in their substations (perhaps it is alleged they allocated too much equipment to Distribution and too little to Transmission, thus reducing their compliance footprint).  Their lawyers may point out that, to take the requirement literally as written, the criterion in question (presumably one of criteria 2.4 through 2.8) doesn’t apply to them at all.  They have an asset called a substation that they are running through the Attachment 1 criteria (per the instructions in R1).  Since criteria 2.4 through 2.8 don’t refer to assets at all, but some strange thing called a Facility that isn’t even mentioned anywhere in requirement R1, the substation should just fall into the Low impact category, since it clearly doesn’t meet any of the High or Medium impact criteria.  I’m not saying the IOU would necessarily win this argument.  But do we really want to have CIP compliance be so hard to figure out that it takes a team of lawyers willing to take FERC to court?  Just rewrite the standard so it can be clearly understood.

This is all a long way of saying something pretty simple: There needs to be a definition of asset, as well as some sort of statement that an asset can have multiple Facilities associated with it.  And since asset seems to be the more fundamental term in CIP-002-5 R1, Section 4.2 should probably be where it is defined and related to Facilities (meaning that the purpose of this section should really be to identify “Assets and their related Facilities” in scope for Version 5, rather than just “Facilities”).

Whew.  The next post (Part II) won’t be so easy.

[i] In looking up the link here, I just found out NERC has – finally – updated its website!   At first glance, it looks like a huge improvement.  I used to say that I knew the perfect way to hide critical infrastructure information from Al Qaeda.  Just post it on the NERC website; they’ll never find it there.  Now it seems I can’t say that anymore.
[ii] I’m glossing over the problem of what a “BES Facility” is.  While “Facility” is in the NERC glossary, “BES Facility” is not.  One can assume that a BES Facility is a Facility that is part of the BES.  But how do you know what the BES is?  Well, you presumably go by the BES definition balloted by the NERC membership and approved by FERC in Order 773 in December 2012.  But that Order left the door open for a rehearing of some of the issues, and FERC’s Order 773-A issued April 18, 2013 (the same day as the CIP Version 5 NOPR) granted that some of those issues will be reheard.  If the BES definition isn’t settled by the time CIP Version 6 actually is implemented (and hopefully it will be), then I can see some nice discussions with auditors about whether particular Facilities are BES Facilities or not, based on differing versions of the BES definition.
[iii] CIP Version 5 actually does away with the term “sub-requirement” and replaces it with “requirement part”.  I personally prefer the former, since the latter makes me think of “body parts” and brings up images of dismembered murder victims.  There’s already enough trauma in Version 5 that we don’t need to introduce more.
[iv] I’m completely ignoring for the moment the fact that Attachment 1 is telling you to classify BES Cyber Systems, not Facilities, as High, Medium or Low impact.  I’ll have a lot to say about that in the second post in this series.  In fact, this is a really debilitating problem.  The Asset/Facility problem is more of an annoyance (although they both need to be remediated).

Wednesday, May 8, 2013

Meanwhile, Back at the (CIP V3) Ranch....

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

Anybody from outside the power industry who read my recent blog posts would quickly get the idea that the only important thing going on in the world of NERC CIP was the new versions and all the intrigue regarding which version is up, which is down, etc.  However, those of you who are dealing with CIP every day know that what is most important at the moment is maintaining compliance with CIP Version 3.  This version has been in effect since 2010 and will almost certainly stay in effect for another two years, perhaps longer.

This is why I want to bring to everyone’s attention what may be a very significant development for Version 3 – but also for future CIP versions as well.  It has to do with the CIP Interpretations Drafting Team (IDT), which is charged with drawing up and getting NERC and FERC approval for Interpretations (requested by NERC entities) of the current CIP standards.  They are comparable to the CSO706 Standards Drafting Team, which is charged with developing a new version of CIP that meets FERC Order 706.[i]

This group has been in operation for a year and a half or so.  They have been toiling largely in obscurity but have been doing an excellent job, working on a number of Requests for Interpretation.  They have moved at least two RFIs all the way through the NERC balloting and Board approval process and submitted them to FERC.

However, on March 21 the IDT ran into a roadblock when FERC remanded (i.e. killed) two Interpretations they had worked very hard on.  One Interpretation was based on the request from Progress Energy about wiring that is external to an ESP but nevertheless links cyber assets within the ESP – whether the wiring needs to be protected the same as Critical Cyber Assets within the ESP.[ii]  The Interpretation said it didn’t; FERC said it did.  On the face of it, it seems to me this is a straightforward disagreement on what the standard says.  And FERC is the one who always wins these arguments.

However, it is the remand of the second Interpretation that, in NERC’s opinion and mine as well, is quite troublesome.  This Interpretation, requested by Duke Energy[iii], concerned CIP-002-4[iv] R3, regarding identification of Critical Cyber Assets.  There were two parts to the Interpretation. 

The first part regards the sentence in CIP-002-4 R3[v]:

Examples at control centers and backup control centers include systems and facilities at master and remote sites that provide monitoring and control, automatic generation control, real-time power system modeling, and real-time inter-utility data exchange.

The question was whether these examples are meant to be prescriptive – meaning that any cyber asset that fulfilled one of those functions had to be a CCA – or whether these are merely examples of the systems that need to be considered.  The IDT said they were merely examples.  FERC agreed with them.[vi]

So it’s the second part of the Interpretation that is causing the problems.  The question on which it is based is:

What does the phrase “essential to the operation of the Critical Asset” mean? If an entity has an asset that “may” be used to operate a Critical Asset, but is not “required” for operation of that Critical Asset, is the asset considered “essential to the operation of the Critical Asset”? [vii]

The IDT’s answer to this question (in their Interpretation) is:

The word “essential” is not defined in the Glossary of Terms used in NERC Reliability Standards, but the well-understood meaning and ordinary usage of the word “essential” implies “inherent to” or “necessary.” The phrase “essential to the operation of the Critical Asset” means inherent to or necessary for the operation of the Critical Asset. A Cyber Asset that “may” be used, but is not “required” (i.e., without which a Critical Asset cannot function as intended), for the operation of a Critical Asset is not “essential to the operation of the Critical Asset” for purposes of Requirement R3.  Similarly, a Cyber Asset that is merely “valuable to” the operation of a Critical Asset, but is not necessary for or inherent to the operation of that Critical Asset, is not “essential to the operation” of the Critical Asset.

FERC responds to this first by stating:

The proposed interpretation fails to consider that a computer (e.g., a laptop) used by utility staff or contractors to control the functions and operations of a Critical Asset is, during such usage, “inherent to or necessary for the operation of a Critical Asset,” and thus falls within the scope of CIP-002-4, Requirement R2.

In the next paragraph (paragraph 14), FERC says:

For example, a laptop computer connected to an EMS network through the Internet may be used to supervise, control, optimize, and manage generation and transmission systems, all of which are essential operations. However, the proposed interpretation of “essential” may leave certain cyber assets lacking the required CIP Reliability Standards protection that could, if compromised, affect the operation of associated Critical Assets even though the unprotected cyber assets are using similar access and exerting the same control as cyber assets that are deemed under the proposed interpretation to be “necessary or inherent to the operation of the Critical Asset.” The proposed interpretation, in effect, would create a window into the EMS network that could be exploited.

FERC now supports their argument by pointing to the NERC Guidelines for Critical Cyber Asset Identification:

A Cyber Asset could be considered essential to the reliable operation of a Critical Asset, if one or more of the following criteria is met:
  1. The Cyber Asset participates in, or is capable of, supervisory or autonomous control that is essential to the reliable operation of a Critical Asset.
  2. The Cyber Asset displays, transfers, or contains information relied on to make Real-time operational decisions that are essential to the reliable operation of a Critical Asset.
  3. The Cyber Asset fulfills another function essential to the reliable operation of the associated Critical Asset and its Loss, Degradation, or Compromise would affect the reliability or operability of the BPS.

While FERC doesn’t amplify on this quotation, it seems they are pointing out that NERC’s own guidelines say that a cyber asset only has to “participate in” or be “capable of” control, meaning it doesn’t have to continuously exert that control in order to be “essential” (of course, determining a cyber asset is essential leads directly to its being on the short list for being a CCA).

As far as FERC is concerned, QED.  They conclude:

In the Commission’s view, laptop computers connected to an EMS network through the Internet[viii] used to supervise, control, optimize, and manage generation and transmission systems would be “considered essential” under the definition in the Identifying Critical Cyber Assets document (footnote is mine).

NERC filed a “Request for Clarification” of the Remand Order on April 22.  They requested clarification on two points:

(1) Clarification that the language in Paragraph 14 of the Remand Order is for illustrative purposes only and is not meant to provide a determination that all laptops must be included in the scope of CIP-002-4, Requirement R2.
(2) Clarification that the Commission’s references to and discussion of the NERC Guideline Documents in Paragraph 15 of the Remand Order were included for illustrative purposes only rather than forming the basis for the remand, and that the Reliability Standards and requirements determine how a Reliability Standard should be interpreted.

Regarding the first clarification, NERC doesn’t argue FERC’s point that any laptop that is used at times to control a Critical Asset needs to be a CCA.   But NERC asks FERC to confirm they’re not saying that any laptop that could be used to control a Critical Asset has to be a CCA (since the quotation from paragraph 14 shown above seems to say that).  This obviously would have the potential to bring a lot of laptops into scope that are never used for essential tasks in the ESP.

Regarding the second clarification, NERC is clearly disturbed by the idea that FERC would reference the Guideline document – which was prepared by a subcommittee of the CIPC and has not been balloted or approved (by NERC or FERC) as standards are supposed to be – as an authority to make their argument.  They feel FERC is drawing the wrong conclusion from the Guidelines document (that any cyber asset that could be used to control the Critical Asset is therefore essential to it), but their big concern is that FERC is even referring to the Guidelines document at all.

I know this whole affair has been very disturbing to the Interpretations Drafting Team.  If you have ever attended one of their meetings (by phone or in person), you’ll know the words “four corners of the standard” are continually bandied about – they are very concerned about basing their Interpretations strictly on the words of the standard or requirement and nothing more.  So they go through the trouble of putting together an Interpretation on that basis, and FERC remands it based on words in a document that isn’t part of any standard or requirement.

I believe this has led the IDT to take a step back and wait for FERC to clarify this last point before they do any more work at all (I have noticed no meeting notices from them in my email lately).  And who’s to blame them?  There really isn’t a lot of reason for them to continue their work if this is going to keep happening in the future.

So what’s the moral of this story?  There are three:
  1. Entities subject to CIP Version 3 should take a look at all laptops that are used to access the ESP for any purpose.  Those that ever perform a task that is essential to the Critical Asset are themselves “essential” and likely to be Critical Cyber Assets.  Hopefully, FERC won’t come back and say that any laptop that is capable of performing an essential task is also essential.[ix]
  2. If FERC doesn’t back down from citing the Guideline document as justification for their decision to remand (whether or not they cancel the remand itself), then we have a whole new ball game.  Now, FERC can use a ruling on an Interpretation to make changes to the standard.  This isn’t the way it’s supposed to work, folks.  As was (supposedly) said by Mark Twain, “No man’s life, liberty, or property is safe while the legislature is in session.”  Just substitute FERC for legislature.
  3. The NERC CIP Interpretations process (I don’t know about other NERC standards) may be broken for good if FERC doesn’t back down on the Guidelines point, since the IDT won’t want to submit any more Interpretations to FERC that can then be used as a platform to modify the standards themselves.

[i] Of course, the SDT did such a good job that they not only drafted one new version of CIP but four (Versions 2-5)!  And since I believe they will be tasked with developing the compliance filing (which will most likely be called CIP Version 6) which FERC will very likely mandate when they approve Version 5 later this year, they still have another version to work on soon.  I believe there are one or two members whose kids are 7 or 8 and still don’t know who they are, other than “the man/woman on Skype”.
[ii] I admit I may not be summarizing this completely accurately, since this Interpretation isn’t really the subject of this post.
[iii] Conspiracy theorists may have a field day by noting that Duke bought Progress Energy after both of these Interpretations were requested.  Coincidence?  You be the judge.
[iv] Note that the Interpretation really applied to CIP Version 4, which now is almost certain never to come into effect, not to Version 3.  However, I believe it would have applied to V3.  It’s of course a moot point now, since it was remanded.
[v] NERC made an errata filing after the original filing to point out that the language in question had been dropped from Version 4, but was still in Versions 1-3. 
[vi] Interestingly enough, in CIP Version 5, a few of these same services – with many others – appear as BES Reliability Operating Services.  Any cyber asset at a BES Facility that provides one of these services has to be designated a BES Cyber Asset (the Version 5 ‘equivalent’ of CCA).  So the answer would be very different if Version 5 were in question here.
[vii] NERC’s errata filing (see footnote v) also pointed out that this phrase is actually in Requirement 2 of CIP-002-4, although it is in R3 in Versions 1-3.  It does seem it would have been helpful for NERC to actually read the requirement before the Interpretation was submitted (since Version 4 has been set in stone since February 2011).
[viii] FERC isn’t saying this applies only to laptops used through the Internet.  I believe they’re assuming that NERC entities already understand that any device – laptop or not – that physically connects within the ESP and performs an essential function while it is connected, is itself essential.  The big example of this is contractors’ and vendors’ laptops.
[ix] It has been pointed out to me by an auditor that one discriminating feature, indicating a laptop is “capable” of controlling the Critical Asset, is if there is software specifically installed on it (e.g. a thick HMI client) that for example makes it capable of performing an operator function.  But that criterion doesn’t get you off the hook if the asset can be controlled from nothing more than a web browser: in that case you may well have to declare all of your laptops with web browsers as essential!

This consideration also applies to non-laptop computers that connect remotely directly to the ESP: If any of those ever perform a task essential to the operation of the Critical Asset (or are capable in the sense just discussed), they will be essential as well.  However, the best way to eliminate this problem – both for laptops brought physically into the ESP and for any machine that connects remotely – is to install a “jump host” (proxy server, Citrix server, Windows Terminal Server, etc) so that the laptop or remote machine doesn’t have to be logically connected into the ESP at all (and thus won’t have to be a Critical Cyber Asset).  You can justify the expenditure by pointing out to your boss that this will be required by CIP Version 5 in any case.
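One way to check that the jump-host arrangement is actually being enforced, as an added example that is not part of the original post: the script below scans constructed firewall log lines for permitted connections into the ESP that did not originate at the jump host, i.e. remote machines that are still logically connected straight into the ESP.  The ESP subnet, the jump host address and the log line format are assumptions made for the example.

```python
import ipaddress

# Assumed for this example (not values from the post): the ESP is one
# routable subnet, and the only sanctioned path into it from outside
# is via the jump host.
ESP_NETWORK = ipaddress.ip_network("10.20.0.0/24")
JUMP_HOST = ipaddress.ip_address("10.10.5.10")


def parse_flow(line):
    """Parse one constructed firewall log line of the form
    '<timestamp> <ALLOW|DENY> <src_ip>:<port> -> <dst_ip>:<port> <proto>'."""
    ts, action, src, _arrow, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": ts, "action": action, "proto": proto,
        "src": ipaddress.ip_address(src_ip), "sport": int(src_port),
        "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port),
    }


def bypasses_jump_host(flow):
    """True when a permitted flow enters the ESP from outside it without
    originating at the jump host. Denied flows never reached the ESP, and
    intra-ESP or outbound flows are not what the jump host is meant to mediate."""
    if flow["action"] != "ALLOW":
        return False
    inbound = flow["dst"] in ESP_NETWORK and flow["src"] not in ESP_NETWORK
    return inbound and flow["src"] != JUMP_HOST


def find_bypasses(lines):
    """Return the parsed flows that represent direct (non-jump-host) access into the ESP."""
    return [f for f in map(parse_flow, lines) if bypasses_jump_host(f)]


# Constructed sample log: one sanctioned RDP session via the jump host, two direct
# connections from a corporate laptop (RDP and a browser session to an EMS web
# front end), one denied probe, one intra-ESP flow and one outbound syslog flow.
SAMPLE_LOG = [
    "2013-05-08T10:00:01 ALLOW 10.10.5.10:51000 -> 10.20.0.15:3389 tcp",
    "2013-05-08T10:00:07 ALLOW 192.168.44.23:51200 -> 10.20.0.15:3389 tcp",
    "2013-05-08T10:01:13 DENY 203.0.113.8:40001 -> 10.20.0.20:443 tcp",
    "2013-05-08T10:02:45 ALLOW 10.20.0.15:50010 -> 10.20.0.21:502 tcp",
    "2013-05-08T10:03:02 ALLOW 192.168.44.23:51300 -> 10.20.0.20:443 tcp",
    "2013-05-08T10:04:10 ALLOW 10.20.0.15:50100 -> 192.168.44.50:514 udp",
]

if __name__ == "__main__":
    for f in find_bypasses(SAMPLE_LOG):
        print(f"{f['ts']} direct ESP access: {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}")
```

Every machine the script flags is one that, under the reasoning above, is a candidate Critical Cyber Asset until its access is re-routed through the jump host.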