Wednesday, May 8, 2013

Meanwhile, Back at the (CIP V3) Ranch....

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

Anybody from outside the power industry who read my recent blog posts would quickly get the idea that the only important thing going on in the world of NERC CIP was the new versions and all the intrigue regarding which version is up, which is down, etc.  However, those of you who are dealing with CIP every day know that what is most important at the moment is maintaining compliance with CIP Version 3.  This version has been in effect since 2010 and will almost certainly stay in effect for another two years, perhaps longer.

This is why I want to bring to everyone’s attention what may be a very significant development for Version 3 – but also for future CIP versions as well.  It has to do with the CIP Interpretations Drafting Team (IDT), which is charged with drawing up and getting NERC and FERC approval for Interpretations (requested by NERC entities) of the current CIP standards.  They are comparable to the CSO706 Standards Drafting Team, which is charged with developing a new version of CIP that meets FERC Order 706.[i]

This group has been in operation for a year and a half or so.  They have been toiling largely in obscurity but have been doing an excellent job, working on a number of Requests for Interpretation.  They have moved at least two RFI’s all the way through the NERC balloting and Board approval process and submitted them to FERC.

However, on March 21 the IDT ran into a roadblock when FERC remanded (i.e. killed) two Interpretations they had worked very hard on.  One Interpretation was based on the request from Progress Energy about wiring that is external to an ESP but nevertheless links cyber assets within the ESP – whether the wiring needs to be protected the same as Critical Cyber Assets within the ESP.[ii]  The Interpretation said it didn’t; FERC said it did.  On the face of it, it seems to me this is a straightforward disagreement on what the standard says.  And FERC is the one who always wins these arguments.

However, it is the remand of the second Interpretation that, in NERC’s opinion and mine as well, is quite troublesome.  This Interpretation, requested by Duke Energy[iii], concerned CIP-002-4[iv] R3, regarding identification of Critical Cyber Assets.  There were two parts to the Interpretation. 

The first part regards the sentence in CIP-002-4 R3[v]:

Examples at control centers and backup control centers include systems and facilities at master and remote sites that provide monitoring and control, automatic generation control, real-time power system modeling, and real-time inter-utility data exchange.

The question was whether these examples are meant to be prescriptive – meaning that any cyber asset that fulfilled one of those functions had to be a CCA – or whether these are merely examples of the systems that need to be considered.  The IDT said they were merely examples.  FERC agreed with them.[vi]

So it’s the second part of the Interpretation that is causing the problems.  The question on which it is based is:

What does the phrase “essential to the operation of the Critical Asset” mean? If an entity has an asset that “may” be used to operate a Critical Asset, but is not “required” for operation of that Critical Asset, is the asset considered “essential to the operation of the Critical Asset”? [vii]

The IDT’s answer to this question (in their Interpretation) is:

The word “essential” is not defined in the Glossary of Terms used in NERC Reliability Standards, but the well-understood meaning and ordinary usage of the word “essential” implies “inherent to” or “necessary.” The phrase “essential to the operation of the Critical Asset” means inherent to or necessary for the operation of the Critical Asset. A Cyber Asset that “may” be used, but is not “required” (i.e., without which a Critical Asset cannot function as intended), for the operation of a Critical Asset is not “essential to the operation of the Critical Asset” for purposes of Requirement R3.  Similarly, a Cyber Asset that is merely “valuable to” the operation of a Critical Asset, but is not necessary for or inherent to the operation of that Critical Asset, is not “essential to the operation” of the Critical Asset.

FERC responds to this first by stating:

The proposed interpretation fails to consider that a computer (e.g., a laptop) used by utility staff or contractors to control the functions and operations of a Critical Asset is, during such usage, “inherent to or necessary for the operation of a Critical Asset,” and thus falls within the scope of CIP-002-4, Requirement R2.

In the next paragraph (paragraph 14), FERC says:

For example, a laptop computer connected to an EMS network through the Internet may be used to supervise, control, optimize, and manage generation and transmission systems, all of which are essential operations. However, the proposed interpretation of “essential” may leave certain cyber assets lacking the required CIP Reliability Standards protection that could, if compromised, affect the operation of associated Critical Assets even though the unprotected cyber assets are using similar access and exerting the same control as cyber assets that are deemed under the proposed interpretation to be “necessary or inherent to the operation of the Critical Asset.” The proposed interpretation, in effect, would create a window into the EMS network that could be exploited.

FERC now supports their argument by pointing to the NERC Guidelines for Critical Cyber Asset Identification:

A Cyber Asset could be considered essential to the reliable operation of a Critical Asset, if one or more of the following criteria is met:
1. The Cyber Asset participates in, or is capable of, supervisory or autonomous control that is essential to the reliable operation of a Critical Asset.
2. The Cyber Asset displays, transfers, or contains information relied on to make Real-time operational decisions that are essential to the reliable operation of a Critical Asset.
3. The Cyber Asset fulfills another function essential to the reliable operation of the associated Critical Asset and its Loss, Degradation, or Compromise would affect the reliability or operability of the BPS.

While FERC doesn’t amplify on this quotation, it seems they are pointing out that NERC’s own guidelines say that a cyber asset only has to “participate in” or be “capable of” control, meaning it doesn’t have to continuously exert that control in order to be “essential” (of course, determining a cyber asset is essential leads directly to its being on the short list for being a CCA).
As far as FERC is concerned, QED.  They conclude:

In the Commission’s view, laptop computers connected to an EMS network through the Internet[viii] used to supervise, control, optimize, and manage generation and transmission systems would be “considered essential” under the definition in the Identifying Critical Cyber Assets document (footnote is mine).

NERC filed a “Request for Clarification” of the Remand Order on April 22.  They requested clarification on two points:

(1) Clarification that the language in Paragraph 14 of the Remand Order is for illustrative purposes only and is not meant to provide a determination that all laptops must be included in the scope of CIP-002-4, Requirement R2.
(2) Clarification that the Commission’s references to and discussion of the NERC Guideline Documents in Paragraph 15 of the Remand Order were included for illustrative purposes only rather than forming the basis for the remand, and that the Reliability Standards and requirements determine how a Reliability Standard should be interpreted.

Regarding the first clarification, NERC doesn’t argue FERC’s point that any laptop that is used at times to control a Critical Asset needs to be a CCA.   But NERC asks FERC to confirm they’re not saying that any laptop that could be used to control a Critical Asset has to be a CCA (since the quotation from paragraph 14 shown above seems to say that).  This obviously would have the potential to bring a lot of laptops into scope that are never used for essential tasks in the ESP.

Regarding the second clarification, NERC is clearly disturbed by the idea that FERC would reference the Guideline document – which was prepared by a subcommittee of the CIPC and has not been balloted or approved (by NERC or FERC) as standards are supposed to be – as an authority to make their argument.  They feel FERC is drawing the wrong conclusion from the Guidelines document (that any cyber asset that could be used to control the Critical Asset is therefore essential to it), but their big concern is that FERC is even referring to the Guidelines document at all.

I know this whole affair has been very disturbing to the Interpretations Drafting Team.  If you have ever attended one of their meetings (by phone or in person), you’ll know the words “four corners of the standard” are continually bandied about – they are very concerned about basing their Interpretations strictly on the words of the standard or requirement and nothing more.  So they go through the trouble of putting together an Interpretation on that basis, and FERC remands it based on words in a document that isn’t part of any standard or requirement.

I believe this has led the IDT to take a step back and wait for FERC to clarify this last point before they do any more work at all (I have noticed no meeting notices from them in my email lately).  And who’s to blame them?  There really isn’t a lot of reason for them to continue their work if this is going to keep happening in the future.

So what’s the moral of this story?  There are three:
  1. Entities subject to CIP Version 3 should take a look at all laptops that are used to access the ESP for any purpose.  Those that ever perform a task that is essential to the Critical Asset are themselves “essential” and likely to be Critical Cyber Assets.  Hopefully, FERC won’t come back and say that any laptop that is capable of performing an essential task is also essential.[ix]
  2. If FERC doesn’t back down from citing the Guideline document as justification for their decision to remand (whether or not they cancel the remand itself), then we have a whole new ball game.  Now, FERC can use a ruling on an Interpretation to make changes to the standard.  This isn’t the way it’s supposed to work, folks.  As was (supposedly) said by Mark Twain, “No man’s life, liberty, or property is safe while the legislature is in session.”  Just substitute FERC for legislature.
  3. The NERC CIP Interpretations process (I don’t know about other NERC standards) may be broken for good if FERC doesn’t back down on the Guidelines point, since the IDT won’t want to submit any more Interpretations to FERC that can then be used as a platform to modify the standards themselves.

[i] Of course, the SDT did such a good job that they not only drafted one new version of CIP but four (Versions 2-5)!  And since I believe they will be tasked with developing the compliance filing (which will most likely be called CIP Version 6) which FERC will very likely mandate when they approve Version 5 later this year, they still have another version to work on soon.  I believe there are one or two members whose kids are 7 or 8 and still don’t know who they are, other than “the man/woman on Skype”.
[ii] I admit I may not be summarizing this completely accurately, since this Interpretation isn’t really the subject of this post.
[iii] Conspiracy theorists may have a field day by noting that Duke bought Progress Energy after both of these Interpretations were requested.  Coincidence?  You be the judge.
[iv] Note that the Interpretation really applied to CIP Version 4, which now is almost certain never to come into effect, not to Version 3.  However, I believe it would have applied to V3.  It’s of course a moot point now, since it was remanded.
[v] NERC made an errata filing after the original filing to point out that the language in question had been dropped from Version 4, but was still in Versions 1-3. 
[vi] Interestingly enough, in CIP Version 5, a few of these same services – with many others – appear as BES Reliability Operating Services.  Any cyber asset at a BES Facility that provides one of these services has to be designated a BES Cyber Asset (the Version 5 ‘equivalent’ of CCA).  So the answer would be very different if Version 5 were in question here.
[vii] NERC’s errata filing (see footnote v) also pointed out that this phrase is actually in Requirement 2 of CIP-004, although it is in R3 in Versions 1-3.  It does seem it would have been helpful for NERC to actually read the requirement before the Interpretation was submitted (since Version 4 has been set in stone since February 2011).
[viii] FERC isn’t saying this applies only to laptops used through the Internet.  I believe they’re assuming that NERC entities already understand that any device – laptop or not – that physically connects within the ESP and performs an essential function while it is connected, is itself essential.  The big example of this is contractors’ and vendors’ laptops.
[ix] It has been pointed out to me by an auditor that one discriminating feature, indicating a laptop is “capable” of controlling the Critical Asset, is if there is software specifically installed on it (e.g. a thick HMI client) that for example makes it capable of performing an operator function.  But this doesn't mean that, if there is a capability of controlling the asset strictly from a web browser, you don’t have to declare all of your laptops with web browsers as essential! 

This consideration also applies to non-laptop computers that connect remotely directly to the ESP: If any of those ever perform a task essential to the operation of the Critical Asset (or are capable in the sense just discussed), they will be essential as well.  However, the best way to eliminate this problem – both for laptops brought physically into the ESP and for any machine that connects remotely – is to install a “jump host” (proxy server, Citrix server, Windows Terminal Server, etc) so that the laptop or remote machine doesn’t have to be logically connected into the ESP at all (and thus won’t have to be a Critical Cyber Asset).  You can justify the expenditure by pointing out to your boss that this will be required by CIP Version 5 in any case. 

1 comment:

  1. There has been a little misunderstanding of what I said (or intended to say, anyway) in this post. I wasn't agreeing or disagreeing with the substance of FERC's remand orders. What is disturbing in one of those orders is that they seem to be introducing two fundamental changes to the standards process set out in Section 215 of the Federal Power Act:

    1) They are using a document that isn't part of the Standard in question (and wasn't approved with it) to justify their remand of the Duke Energy Interpretation.

    2) They have effectively killed the Interpretations process. If an Interpretation now has to consider other documents beside the Standard itself, then it is no longer an interpretation but a revision to the Standard. And a revision to a Standard needs to go through the same NERC balloting and Board approval (followed by FERC approval) that the initial development of the standard does.