Sunday, May 19, 2013

My Comments to FERC on CIP Version 5, Part I


All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

1/2/2014: I just realized that there's no link in this post to the one that followed it, which wasn't called Part II.  Here is the link.

8/28: In preparing for our V5 webinar last week, I realized there is another problem in CIP-002-5 related to the discussion in this post.  You can find that new post here.


Note: This post was intended to be one of two on the comments I intended to submit to FERC on the CIP Version 5 NOPR.  However, when I started to write the second part, I realized I really needed to rewrite CIP-002-5, not just make a bunch of comments on how it could be improved. That effort took place over two (really three) posts, starting here.

I don’t work for a NERC entity, but I do use electricity, so I plan to submit comments to FERC on CIP Version 5 during FERC’s 60-day comment period open through June 24.  The comments I’ll submit relate to CIP-002-5, and are based on what I discovered while writing (or trying to write) a blog post about asset identification in Version 5.  I hope that FERC requires that NERC incorporate these changes in the compliance filing that FERC will mandate when it approves Version 5 (the compliance filing will be called CIP Version 6, and will be the next version the industry has to comply with).  If FERC doesn’t require these changes, I strongly recommend that NERC incorporate them into the compliance filing itself.

This blog post (and the Part II post to follow) are not what I will actually file with FERC.  In these posts, I am including a lot of explanation that I don’t plan to include with the actual comments, in order to keep their length somewhat manageable.  In my comments, I will refer the FERC staff to this post if they want more explanation (some of them read my posts anyway, I’ve heard).

I really hadn’t planned originally on making comments, since I had made comments informally (to the SDT and in blog posts) during the process of drafting and balloting CIP Version 5, and I thought that – now that it was developed and approved by NERC – there was nothing for me to add at this point.  However, I recently started writing a post to provide some guidance to NERC entities as they start to prepare for compliance with CIP Version 5.  I started with the first standard, CIP-002-5, and tried to work my way through the standard  in the same way an entity that didn’t have much prior knowledge of CIP Version 5 (and I’m sure this is the majority of NERC entities) would have to. 

As I did this, I began to realize there are some real wording problems with CIP-002-5.  These problems are so severe that, should this standard be implemented as written, I don’t believe it could hold up in court if challenged (and NERC standards are regulatory law, meaning an entity can challenge any fines in court if so inclined).  More importantly, it will be hugely confusing for entities trying to comply with it, and for auditors trying to apply it.

This doesn’t mean there might not be some sort of workarounds to these problems – special training for the auditors and the entities, written guidance (although CANs have been discontinued), etc.  But why start out knowing you will need workarounds?  FERC will almost certainly mandate that certain changes be made to Version 5 (as Version 6), so the standards are being reopened anyway; why not fix CIP-002-5 at that time, rather than plan on having to implement workarounds – which may or may not work and which may not hold up in court in any case?

The fact that it is CIP-002-5 that has major wording flaws (and not the other Version 5 standards) makes this effort all the more important.  This is because, in all the CIP versions including Version 5, CIP-002 is the foundation for all of the rest of the standards.  In CIP-002, the entity identifies the facilities and cyber assets that will be subject to the remaining standards.  If this asset identification process turns out to be fundamentally flawed because of unclear wording in CIP-002-5, then it almost doesn’t matter what the remaining standards say (I personally think CIP-003-5 through CIP-011-1 are very well written standards, although I’m sure some who have studied them more than I have will find issues with them); if those standards aren’t applied to the right facilities and cyber assets (based on a clearly written CIP-002-5), the next CIP version will be an utter failure.

I have grouped my comments on CIP-002-5 into three headings.  I will deal with the first heading in this post, and the other two in the next post.  If you are making your own comments to FERC, you have my permission to excerpt any or all of my comments and include them in yours, even without attribution.

I. Facilities / Assets / Whatever
There are two types of things that need to be identified in CIP-002-5.  The first is what the Standards Drafting Team often referred to as the “big iron”.  This means the facilities that are subject to CIP: control centers, generating stations, transmission substations, etc.  They are called Critical Assets in CIP Versions 1-4. 

The second is “little iron”, meaning the cyber assets associated with those facilities; these cyber assets are what are actually in scope in NERC CIP.  In CIP-002-5 as currently written, there are very serious problems with identifying both types of “iron”.  I will start by discussing the wording problems I see with the process for identifying “big iron” in CIP-002-5, and then address the “little iron” problems in the next post.

Let’s start by looking at how CIP-002-5[i], in its current wording, lays out the process for identifying “big iron” that is subject to CIP Version 5.  Section 4.1 of CIP-002-5 lists the NERC functional entities that are subject to CIP-002-5.  Section 4.2 goes on to describe the “Facilities, systems, and equipment” owned by those entities, that are subject to the requirements of CIP Version 5.  For Distribution Providers, only four types of Facilities are in scope.  For every other functional entity listed in Section 4.1, all of their “BES Facilities” are in scope.  So we’ve learned something here:  If our organization has one or more of the functional entity registrations listed in Section 4.1, we know exactly which Facilities are in scope.[ii]

Now we’re ready to look at the first requirement of CIP-002-5, requirement R1.  As I described in my previous post, this requirement actually requires about 15 steps.  Some of these steps are only implied by the definitions of words and by syntax, which affords all NERC compliance people the opportunity to dust off their fourth-grade sentence-diagramming skills (see, there are all sorts of hidden benefits to being involved with NERC CIP compliance!).  R1 should really be broken into at least three requirements (as it is in CIP-002 in versions 1-3) and perhaps even more than that.  I will discuss this idea in the second post.

Since we already know from Section 4.2 which of our Facilities are in scope for V5 (i.e. all of our BES Facilities, unless we only have a DP registration), what we want to find out in R1 is a) which of those Facilities are High, Medium or Low impact, and b) how to identify the cyber assets that are associated with those High, Medium and Low impact facilities (since these will be the cyber assets in scope for Version 5).  The reason we think this way is that this is exactly how CIP Versions 1-4 work.  In those versions, you first identify your Facilities that are Critical Assets; all others are non-critical assets (so there are two classifications of Facilities, not three as in Version 5).  Then you identify the Critical Cyber Assets associated with the Critical Assets.  At that point, you know what’s in scope for the rest of the standards in Versions 1-4.

What do you find in R1 of CIP-002-5 to help you classify your Facilities?  Nothing at all; there is no mention of Facilities!  Instead, there is a new term called assets.  The fact that it isn't capitalized means that it isn't defined in the V5 Definitions document or the NERC Glossary, so you’re kind of on your own in figuring out what it means.  It is defined by example, listing six types of assets that are to be considered in R1: control centers, transmission substations, etc.  So why did Section 4.2 make such a big point about Facilities when they don’t seem to be relevant once you get to the actual requirements?  Beats me, but we have to plod on with the assets concept.

In the first sentence of R1, the entity is told to “implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3”.   These are the six asset types I just mentioned; so these are what we need to consider in 1.1 through 1.3.  Now we go to the three sub-requirements[iii] R1.1 through R1.3.  These take us down to Attachment 1, where we hope to classify our Assets into High, Medium and Low impact.

As we start into Attachment 1, we find no surprises, at least in criteria 1.1 through 2.2.[iv]  In those criteria, we are presented with things that seem to correspond to the list of assets that we produced as a result of the first sentence of R1: control centers, generating plants and reactive resources that our entity owns (or operates).  But what do we find when we reach Criterion 2.3?  Our old friend “Facility”!  It seems reports of his death were greatly exaggerated (to paraphrase Mark Twain), and he has returned from whatever Purgatory he was in during the first sentence of R1.  We’re asked to identify a “generation Facility” in 2.3, followed by “transmission Facilities” in 2.4 through 2.8. 

Why did this happen?  If “asset” was good enough in the body of R1, why isn’t it good enough in parts of Attachment 1?  Because it wouldn’t suit the purpose of criteria 2.4 through 2.8, that’s why.  Those criteria deal with substations.  If you consider just the asset called a substation (there is no NERC Glossary definition of substation, but I will provide my own: “A lot of fancy and expensive equipment surrounded by a fence and maybe some razor wire, with a bunch of lines running in and out that you sure don’t want to touch”) and compare that to criteria 2.4 to 2.8, you will probably end up with a lot more equipment in scope for CIP Version 5 than needs to be.

This is because substations very often serve two purposes, Transmission (a BES function) and Distribution (not a BES function).  Having to bring all the Transmission equipment into the scope of CIP-003-5 through CIP-011-5 is bad enough, without having to do the same for all the Distribution equipment as well.  But if criteria 2.4 through 2.8 had read “asset”, you probably wouldn’t have much choice in the matter: you would have to include both sides in scope for Version 5, since the asset here is almost certainly the whole substation.  In other words, you would have to cover more of your assets.

But not to fear, the Standards Drafting Team has instead included the word Facility in criteria 2.4 to 2.8.  This was not due to perversity, but because Facility clearly is being used in a different sense from asset.  Hopefully, the term Facility will allow you to separate the Distribution from the Transmission equipment.  Does it do that? 

The NERC Glossary definition of Facility is “A set of electrical equipment that operates as a single Bulk Electric System Element...”  So if you want to define the Transmission equipment at a substation as the equipment that makes up a Transmission Element, then it seems you can logically separate it from the Distribution equipment (which would in turn make up the Distribution Element).

However, we entered Attachment 1 with a list of assets, not Facilities.  You can’t slice and dice an asset, so there needs to be some definition of how Facilities map into assets.  Presumably, an asset is composed of one or more Facilities, but that is nowhere stated in CIP-002-5 or in the V5 Definitions document (it’s also not explicitly stated in the Guidance included with CIP-002-5).

You might think I’m being a nit-picker here, since maybe everyone involved knows there can be multiple Facilities at work in one Asset (although I doubt that).   But just wait until a big IOU is hit with a big fine relating to how they have divided up the equipment in their substations (perhaps it is alleged they allocated too much equipment to Distribution and too little to Transmission, thus reducing their compliance footprint).  Their lawyers may point out that, to take the requirement literally as written, the criterion in question (presumably one of criteria 2.4 through 2.8) doesn’t apply to them at all.  They have an asset called a substation that they are running through the Attachment 1 criteria (per the instructions in R1).  Since criteria 2.4 through 2.8 don’t refer to assets at all, but some strange thing called a Facility that isn’t even mentioned anywhere in requirement R1, the substation should just fall into the Low impact category, since it clearly doesn’t meet any of the High or Medium impact criteria.  I’m not saying the IOU would necessarily win this argument.  But do we really want to have CIP compliance be so hard to figure out that it takes a team of lawyers willing to take FERC to court?  Just rewrite the standard so it can be clearly understood.

This is all a long way of saying something pretty simple: There needs to be a definition of asset, as well as some sort of statement that an asset can have multiple Facilities associated with it.  And since asset seems to be the more fundamental term in CIP-002-5 R1, Section 4.2 should probably be where it is defined and related to Facilities (meaning that the purpose of this section should really be to identify “Assets and their related Facilities” in scope for Version 5, rather than just “Facilities”).

Whew.  The next post (Part II) won’t be so easy.




[i] In looking up the link here, I just found out NERC has – finally – updated its website!   At first glance, it looks like a huge improvement.  I used to say that I knew the perfect way to hide critical infrastructure information from Al Qaeda.  Just post it on the NERC website; they’ll never find it there.  Now it seems I can’t say that anymore.
[ii] I’m glossing over the problem of what a “BES Facility” is.  While “Facility” is in the NERC glossary, “BES Facility” is not.  One can assume that a BES Facility is a Facility that is part of the BES.  But how do you know what the BES is?  Well, you presumably go by the BES definition balloted by the NERC membership and approved by FERC in Order 773 in December 2012.  But that Order left the door open for a rehearing of some of the issues, and FERC’s Order 773-A issued April 18, 2013 (the same day as the CIP Version 5 NOPR) granted that some of those issues will be reheard.  If the BES definition isn’t settled by the time CIP Version 6 actually is implemented (and hopefully it will be), then I can see some nice discussions with auditors about whether particular Facilities are BES Facilities or not, based on differing versions of the BES definition.
[iii] CIP Version 5 actually does away with the term “sub-requirement” and replaces it with “requirement part”.  I personally prefer the former, since the latter makes me think of “body parts” and brings up images of dismembered murder victims.  There’s already enough trauma in Version 5 that we don’t need to introduce more.
[iv] I’m completely ignoring for the moment the fact that Attachment 1 is telling you to classify BES Cyber Systems, not Facilities, as High, Medium or Low impact.  I’ll have a lot to say about that in the second post in this series.  In fact, this is a really debilitating problem.  The Asset/Facility problem is more of an annoyance (although they both need to be remediated).
