Thursday, June 27, 2013

10,000!

By next Monday (July 1), I will have surpassed 10,000 page views on this blog, since its inception in early February.  I want to thank all of you for the interest you have shown so far.  I will try to continue to deserve that interest as we go forward.

Of course, with the huge amount of uncertainty over CIP Version 5 - both in its timing and ultimate content - I don't see any lack of good topics for the next... oh, three years or so.  Stay tuned.

Tom

Saturday, June 22, 2013

Comments Submitted to FERC on June 24

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

8/28: In preparing for our V5 webinar last week, I realized there is another problem in CIP-002-5, so I've modified what I'm submitting to FERC.  That post is here.


Following is the exact text I submitted to FERC on June 24, 2013, in response to the request for comments in the April NOPR for NERC CIP Version 5.

I have found many problems with the wording of CIP-002-5, and have decided to rewrite the problematic parts (including the requirements and parts of Attachment 1). 

Note: At this point I submitted the full text of the following three posts (since I'm told FERC doesn't like to see links in the comments).  I will spare you all that verbiage here, but you're encouraged to read these if you haven't done so already.

http://tomalrichblog.blogspot.com/2013/05/my-comments-to-ferc-on-cip-version-5.html

The following are changes I propose to CIP-002-5, based on the reasons discussed in these posts:
1. Change to Section 4.2
I propose to insert the following definition of Asset.  It can be inserted either in Section 4.2 or in the CIP Version 5 Definitions document:
An Asset is a Control Center or a group of one or more Facilities at a single location.

2. Replacement of Requirement R1
I propose to replace CIP-002-5 R1 with the following four requirements:
R1. Each responsible Entity shall:
R1.1 Implement a process that considers each of the following Assets or Facilities for purposes of Requirement R2:

i. Control Centers and backup Control Centers;
ii. Transmission stations and substations;
iii. Generation resources;
iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.
R1.2 Develop a list of its Assets or Facilities including each type listed in R1.1.
R2. Each Responsible Entity shall identify its High, Medium and Low impact BES Assets or Facilities in parts 1.1 through 1.3:
2.1  Using the criteria in Attachment 1, Section 1, identify its High impact Assets or Facilities;
2.2  Using the criteria in Attachment 1, Section 2, identify its Medium impact Assets or Facilities;
2.3  After removing High and Medium impact Assets or Facilities from the list of Assets or Facilities developed in R1.2, identify the remaining Assets or Facilities as Low impact.

R3. The Responsible Entity shall identify BES Cyber Assets associated with each High, Medium and Low impact Asset or Facility.  Only BES Cyber Assets located at a High impact BES Asset shall be considered to be associated with the High impact BES Asset.  All BES Cyber Assets associated with an Asset or Facility shall be classified with the impact level of that Asset or Facility.

R4. The Responsible Entity shall identify BES Cyber Systems from groupings of one or more BES Cyber Assets. 

3. Renumber and Change CIP-002-5 R2
Because of the above changes, CIP-002-5 R2 needs to be renamed to CIP-002-5 R5, along with adding the italicized phrases:
R5. The Responsible Entity shall:
2.1 Review the identifications in Requirements R1-R4 and all their parts (and update them if there are changes identified) at least once every 15 calendar months, even if it has no identified items in Requirement R1, and
2.2 Have its CIP Senior Manager or delegate approve the identifications required by Requirements R1-R4 and all their parts at least once every 15 calendar months, even if it has no identified items in Requirement R1.

4. Changes to Attachment 1
I propose that the phrases at the beginning of each of the three sections of Attachment 1 (for identifying High, Medium and Low impact Assets respectively) be replaced with the following.  Note that I am not proposing any changes to the criteria themselves and have not reproduced them here:
1. High Impact Rating (H)
Assets or Facilities that meet one or more of the following criteria are High impact:
(followed by existing criteria 1.1 – 1.4)

2. Medium Impact Rating (M)
Assets or Facilities that meet one or more of the following criteria, and are not included in Section 1 above, are Medium impact:
(followed by existing criteria 2.1 – 2.13)

3. Low Impact Rating (L)
Assets or Facilities meeting the applicability qualification in Standard Section 4, which are not included in Sections 1 or 2 above, are Low impact:
(followed by the same list of types of assets as in CIP-002-5 Attachment 1 part 3) 

Saturday, June 15, 2013

My (Final) Fantasy CIP-002-5

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

 
June 22: I haven't posted my comments to FERC yet, but will by Monday.  I'm glad I haven't, because I received a very important email this week from Armin Boschmann of Manitoba Hydro.  He pointed out that I had missed two things in CIP-002-5-taf.  One is an error I made, that is described and rectified in the discussion of Requirement R3 below.  The other is (another) serious error the Standards Drafting Team made (and everyone who has reviewed CIP-002-5 missed it, including me).  This is described and rectified in the discussion of Section 4.2 below.  I wish to thank Armin for both of these important corrections!


You can see the exact text I will submit on Monday here.
Introduction
I recently wrote my longest post so far, describing how I would rewrite Version 5 of CIP-002 to change what I see as fatal imprecision in the language of that standard.  However, I decided to leave part of the required changes for another post, since I wanted to think about them a little more before writing it.  Here is that post.  It presents my final version of what I am calling Tom Alrich Fantasy CIP-002-5, or CIP-002-5-taf.
In the previous post, I reasoned there are two main areas that need substantial wording changes in CIP-002-5:  identification of “big iron” and of “little iron”. [i] Big iron refers to the facilities that are in scope for Version 5: generating stations, control centers, etc.  Little iron refers to the cyber assets that are in scope.  The goal of CIP-002-5 (and note that CIP-002-5 without the “-taf” refers to the “real” version submitted to FERC by NERC in January) is for the entity to identify their cyber assets in scope for V5 (called BES Cyber Systems).  However, in order to do this, the entity first has to identify and classify their facilities (or assets) in scope, so that the BES Cyber Systems can inherit the facility classifications.
The first post provided a CIP-002-5-taf that I think is much more coherent than CIP-002-5, as far as identification of little iron is concerned.  However, I punted on the changes that are needed for big iron identification, and just inserted the term “asset/Facility” as a placeholder wherever CIP-002-5 uses either “asset” or “Facility”.  I will now (note - without using a net!) remove that placeholder by fixing the big iron wording problem in CIP-002-5, resulting in my final version of CIP-002-5-taf.
However, this new post will be shorter than the previous one, since I have already discussed the big iron problems in CIP-002-5 and provided an idea of what the cure could be.  I did this in an earlier post titled “My Comments to FERC on CIP Version 5, Part I”.[ii]  If you haven’t read that post, I recommend you do it now, since I don’t intend to repeat the arguments here, although I will summarize them.
As discussed in the previous post, the “big iron” problem in CIP-002-5 is found in the use of the two terms “asset” and “Facility”.  To summarize the argument of that post:
  1. Section 4.2 of CIP-002-5 (which comes before the actual requirements) states that NERC functional entities listed in Section 4.1 must include all of their “BES Facilities” (Facilities is a defined term in the NERC Glossary) in scope for Version 5[iii].
  2. However, when you come to Requirement R1, you find it talks only about “assets” (which isn’t defined in the Glossary or the Version 5 Definitions document); you’re left to guess that the assets may in some way correspond to the BES Facilities (R1 does list six types of assets that must be included, including control centers, generating stations, etc.  This constitutes an operational definition but not a formal one).  R1 essentially tells you to take your list of assets and run it through the “bright-line” criteria in Attachment 1, to classify the assets as High, Medium or Low impact (meaning impact on the BES).
  3. As you start this process, you find that when you come to criterion 2.3, the term Facility reappears.  And it supplants “asset” in 2.3 through 2.8, although asset makes a triumphant comeback in the third section of Attachment 1, which discusses Low impact assets.
  4. I believe the reason Facility is used in criteria 2.4 – 2.8 is that those criteria have to do with substations.  Substations often include both Transmission and Distribution elements.  Since only the Transmission elements are subject to CIP, it will be very helpful for entities to be able to “slice and dice” the substation into separate Transmission and Distribution Facilities, one of which is a BES Facility and the other not; that way, the entity’s compliance “footprint” is much smaller.  The problem is that CIP-002-5 itself doesn’t make this clear, although the idea is discussed in the Guidance.[iv]
Section 4.2
We clearly need to start with Section 4.2.  It currently reads:
4.2. Facilities: For the purpose of the requirements contained herein, the following Facilities, systems, and equipment owned by each Responsible Entity in 4.1 above are those to which these requirements are applicable. For requirements in this standard where a specific type of Facilities, system, or equipment or subset of Facilities, systems, and equipment are applicable, these are specified explicitly.
(the remainder of this section mainly indicates that all BES Facilities are in scope for all entity registrations listed in Section 4.1, except DP’s)
At the very end of the “My Comments..” post, I list what I think needs to be done: "There needs to be a definition of asset, as well as some sort of statement that an asset can have multiple Facilities associated with it."
(the following section was inserted on June 22) Now I want to bring up what Armin Boschmann said about the use of Facilities in Section 4.2.  Armin points out that the NERC definition of Facility includes the defined term Element.  That definition reads:
Any electrical device with terminals that may be connected to other electrical devices such as a generator, transformer, circuit breaker, bus section, or transmission line. An element may be comprised of one or more components.
And to refresh your (and my) memory, here is the definition of Facility:
A set of electrical equipment that operates as a single Bulk Electric System Element (e.g., a line, a generator, a shunt compensator, transformer, etc.)
Armin raises an interesting question about this.  Given that Section 4.2 claims to designate the entire set of a NERC entity's stuff (to avoid the term asset or facility) that is subject to CIP Version 5, and given that control centers are definitely intended to be in scope, how in the world can a control center fit in with these two definitions?  To quote Armin, "I don’t think a Control Center can be thought of as a Facility. The Glossary definition for “Bulk Electric System” essentially says electrical equipment at 100 kV and above. The Glossary definition for Element says an electrical device with terminals to be connected to a generator/transformer/breaker/bus/line. So, a BES Element would be an Element at 100 kV. So a Facility is defined as a set of 100 kV Elements. No Control Center would have 100 kV equipment in it."

In other words, in Section 4.2 as written by the SDT, no control center would ever be subject to CIP Version 5!  Kind of a small oversight, no?  Of course, when you get to R1, it specifically calls out control centers as being in scope, and it was clearly the SDT's intent that control centers be included in Section 4.2.  But an entity could certainly make the argument that, since Section 4.2 logically precedes R1, R1 is really just operating on the list that came out of 4.2.  So if there's no control center on that list, it can't suddenly be added back in R1.


Now I strongly doubt any auditor would say that control centers aren't covered in CIP Version 5.  But were an entity to take them to court on this, I think NERC would have a hard time making that case.  So this is just another example of how the poor wording in CIP-002-5 will likely lead to all sorts of headaches - for NERC entities and auditors - down the line, if not fixed before then.

To address this issue, we need to define Asset as a more general term than Facility, one that will include Control Centers (a term that is of course defined in the V5 Definitions document).  However, I don't think Facilities should be rejected just because it doesn't include Control Centers.  We need the Facilities concept to handle the problem with substations.  Therefore, I propose the following definition of Asset.  This should presumably be included in the V5 Definitions document, but I guess could alternatively appear in Section 4.2 itself:



An Asset is a Control Center or a group of one or more Facilities at a single location.

You're not happy with this?  I'm not either.  But I can't think of a nice elegant word that will encompass both the concept of a Control Center and a Facility / Facilities.  And I submit that it was a concern more for the elegance of the language than for its auditability that has led to the current mess in CIP-002-5.[v]

So the only change required in Section 4.2 is the addition of the definition of Asset, and that might be more appropriate in the Definitions document anyway.[vi]
The Requirements
Now we go down to the requirements.  Here are the four requirements in my previous CIP-002-5-taf that replace R1 in CIP-002-5:
Fantasy R1. Each responsible Entity shall:
R1.1 Implement a process that considers each of the following assets/Facilities for purposes of Requirement R2:
(here, the same list of six asset types will appear as is found in the ‘real’ CIP-002-5 R1)
R1.2 Develop a list of its assets/Facilities including each asset/Facility type listed in R1.1.
Fantasy R2. Each Responsible Entity shall identify its High, Medium and Low impact BES Facilities/assets in parts 1.1 through 1.3:
2.1  Using the criteria in Attachment 1, Section 1, identify its High impact Facilities;
2.2  Using the criteria in Attachment 1, Section 2, identify its Medium impact Facilities;
2.3  After removing High and Medium impact Facilities from the list of assets developed in R1.2, identify the remaining Facilities as Low impact.

Fantasy R3. The Responsible Entity shall identify BES Cyber Assets associated with each High, Medium and Low impact Asset/Facility.  All BES Cyber Assets associated with an Asset/Facility shall take the impact level of that Asset/Facility.

Fantasy R4. The Responsible Entity shall identify BES Cyber Systems from groupings of one or more BES Cyber Assets. 

I’ve boldfaced all of the words we need to look at and possibly replace.  However, I think “Assets or Facilities” is the best replacement in each case.  This is simply because some of the criteria in Attachment 1 apply to Assets, others to Facilities.   So we get:
Fantasy R1. Each responsible Entity shall:
R1.1 Implement a process that considers each of the following Assets or Facilities [vii] for purposes of Requirement R2:
(here, the same list of six asset types will appear as is found in the ‘real’ CIP-002-5 R1)
R1.2 Develop a list of its Assets or Facilities including each type listed in R1.1.
Fantasy R2. Each Responsible Entity shall identify its High, Medium and Low impact BES Assets or Facilities in parts 1.1 through 1.3:
2.1  Using the criteria in Attachment 1, Section 1, identify its High impact Assets or Facilities;
2.2  Using the criteria in Attachment 1, Section 2, identify its Medium impact Assets or Facilities;
2.3  After removing High and Medium impact Assets or Facilities from the list of Assets or Facilities developed in R1.2, identify the remaining Assets or Facilities as Low impact.

Fantasy R3. The Responsible Entity shall identify BES Cyber Assets associated with each High, Medium and Low impact Asset or Facility.  All BES Cyber Assets associated with an Asset or Facility shall be classified with the impact level of that Asset or Facility.

Fantasy R4. The Responsible Entity shall identify BES Cyber Systems from groupings of one or more BES Cyber Assets. 

(This paragraph inserted June 22)  We have now replaced R1 of CIP-002-5 with R1 - R4 of CIP-002-5-taf.  However, R3 will need to be modified because of the second problem that Armin Boschmann pointed out to me in his email (the one that was my fault).  I can't discuss that until after the discussion of Attachment 1, though.
There is one other requirement, R2, in CIP-002-5.  This needs to be renumbered to R5 in CIP-002-5-taf, along with the italicized wording changes:
Fantasy R5. The Responsible Entity shall:
2.1 Review the identifications in Requirements R1-R4 and all their parts (and update them if there are changes identified) at least once every 15 calendar months, even if it has no identified items in Requirement R1, and
2.2 Have its CIP Senior Manager or delegate approve the identifications required by Requirements R1-R4 and all their parts at least once every 15 calendar months, even if it has no identified items in Requirement R1.

Attachment 1

Now we have to address Attachment 1.  Let’s restate the problem with Attachment 1, as discussed in the “My Comments…” post:
  1. In R1, the entity is told to bring a list of “assets” into the Attachment 1 criteria for classification.
  2. Most of the criteria refer simply to types of assets – “Control Center”, “Commissioned generation”, “BES reactive resource”, etc.  In the third section (regarding Low impact assets), the word “asset” is explicitly used.  So there is no problem regarding any of these criteria – they all cover Assets (as I have defined the term in my discussion of Section 4.2 above.  Note that, being defined, we will need to capitalize it in CIP-002-5-taf).
  3. However, in six of the criteria the word “Facility” is used, including all five that refer to substations (2.4 – 2.8).  This creates a problem, since CIP-002-5 R1 requires the entity to classify “assets” in Attachment 1.  If an entity were given a PV for not counting any substations as Medium impact under Version 5, they could (if they’re enterprising) challenge this by saying they’re supposed to be classifying something called “assets” in Attachment 1, not “Facilities”.  Given the amount of money that will have to be spent on V5 compliance for substations, it isn’t a big stretch to think that one or more entities will try this, possibly leading to all substations across NERC being classified as Low impact.[viii]  If that happens, I hope the other NERC TO’s and TP’s throw those entities a party.
I clearly need to change the language that introduces the first two sections of Attachment 1 to explicitly state the criteria apply to Assets or Facilities.  Here is the language from my previous CIP-002-5-taf Attachment 1:
Fantasy 1. High Impact Rating (H)
Facilities that meet one or more of the following criteria are High impact:
(followed by criteria 1.1 – 1.4)

Fantasy 2. Medium Impact Rating (M)
Facilities that meet one or more of the following criteria, and are not included in Section 1 above, are Medium impact:
(followed by criteria 2.1 – 2.13)

Fantasy 3. Low Impact Rating (L)
BES Assets/Facilities meeting the applicability qualification in Standard Section 4, which are not included in Sections 1 or 2 above:
(followed by the same list of types of facilities as in CIP-002-5 Attachment 1 part 3.  I wish to thank Bob Case of Black Hills Corp. for suggesting improved wording for this part)

Here is my proposed new wording for CIP-002-5-taf Attachment 1:
Fantasy 1. High Impact Rating (H)
Assets or Facilities that meet one or more of the following criteria are High impact:
(followed by criteria 1.1 – 1.4)

Fantasy 2. Medium Impact Rating (M)
Assets or Facilities that meet one or more of the following criteria, and are not included in Section 1 above, are Medium impact:
(followed by criteria 2.1 – 2.13)

Fantasy 3. Low Impact Rating (L)
Assets or Facilities meeting the applicability qualification in Standard Section 4, which are not included in Sections 1 or 2 above, are Low impact:
(followed by the same list of types of assets as in CIP-002-5 Attachment 1 part 3.)
(Added June 22) Now it’s time to address Armin Boschmann’s other point, regarding an error I made.  Armin says 'CIP-002-5 Attachment 1 has a difference in its opening sentences for Sections 1 and 2. Section 1 says “used by and located at”, while Section 2 says “associated with”. I may not be remembering everything correctly about Drafts 1 and 2, but the impression I was left with was that the phrase “used by and located at” was there to clarify that the BES Cyber Systems of High Impact Control Centers were to include only cyber assets at the Control Centers, and to explicitly exclude cyber assets in the field such as RTUs. The concern was that an RTU could be said to be “associated with” a Control Center – after all, an old-fashioned hard-wired RTU typically is used only for remote control, and therefore to serve the Control Center, and it is not involved in any way with local controls at a station. So the RTU could be said to be more associated with a Control Center than with the station itself. In CIP-002-5-taf, the opening sentences of Attachment 1 have essentially been moved to R3, and the wording has been boiled down to just “associated with”, so I think that ambiguity gets re-introduced.'
This was an excellent observation, and it also points to the remedy.  We need to amend CIP-002-5-taf R3 to include the italicized sentence:
Fantasy R3. The Responsible Entity shall identify BES Cyber Assets associated with each High, Medium and Low impact Asset or Facility.  Only BES Cyber Assets located at a High impact BES Asset shall be considered to be associated with the High impact BES Asset.  All BES Cyber Assets associated with an Asset or Facility shall be classified with the impact level of that Asset or Facility.
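The following is an added illustration, not part of the original post or of any NERC document, of how Fantasy R2 and Fantasy R3 would classify a small constructed inventory with and without the "located at" sentence. The asset names, the criteria hits, and the choice to take the highest level when a cyber asset is associated with several Assets are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Ordering used only to pick the highest of several candidate impact levels.
RANK = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class Asset:
    """An Asset or Facility from the R1.2 list.

    The Attachment 1 criteria are not evaluated here; the entity is assumed
    to have recorded which Section 1 / Section 2 criteria each Asset meets.
    """
    name: str
    section1_hits: list = field(default_factory=list)
    section2_hits: list = field(default_factory=list)


@dataclass
class CyberAsset:
    """A BES Cyber Asset, where it physically sits, and what it serves."""
    name: str
    located_at: str
    associated_with: list


def classify_assets(assets):
    """Fantasy R2: High first, then Medium, and the remainder is Low."""
    impact = {}
    for a in assets:
        if a.section1_hits:
            impact[a.name] = "High"
        elif a.section2_hits:          # only reached if not in Section 1
            impact[a.name] = "Medium"
        else:
            impact[a.name] = "Low"
    return impact


def classify_cyber_assets(cyber_assets, impact, located_at_rule=True):
    """Fantasy R3: a BES Cyber Asset takes the level of its Asset.

    With located_at_rule=True, an association with a High impact Asset only
    counts when the cyber asset is located at that Asset (the amended R3).
    Assumption: with several associations, the highest remaining level wins.
    A cyber asset left with no countable association maps to None so that
    it can be flagged for manual review.
    """
    result = {}
    for ca in cyber_assets:
        levels = []
        for asset_name in ca.associated_with:
            level = impact[asset_name]
            if located_at_rule and level == "High" and ca.located_at != asset_name:
                continue               # field device serving a High Asset
            levels.append(level)
        result[ca.name] = max(levels, key=RANK.__getitem__) if levels else None
    return result


def sample_inventory():
    """Constructed sample data; names and criteria hits are hypothetical."""
    assets = [
        Asset("System Control Center", section1_hits=["1.1"]),
        Asset("North Substation", section2_hits=["2.5"]),
        Asset("Peaker Plant"),
    ]
    cyber_assets = [
        CyberAsset("EMS server", "System Control Center",
                   ["System Control Center"]),
        # The RTU sits in the substation but exists to serve the control center.
        CyberAsset("RTU-7", "North Substation",
                   ["North Substation", "System Control Center"]),
        CyberAsset("Plant DCS", "Peaker Plant", ["Peaker Plant"]),
    ]
    return assets, cyber_assets


if __name__ == "__main__":
    assets, cyber_assets = sample_inventory()
    impact = classify_assets(assets)
    for rule in (False, True):
        label = "amended R3" if rule else "'associated with' only"
        print(label, classify_cyber_assets(cyber_assets, impact, rule))
```

The RTU is the only item whose classification changes between the two runs, which is the ambiguity Armin's observation identifies.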

Summary

Believe it or not, we’re done!  To get my CIP-002-5-taf, you do the following to CIP-002-5:
  1. Add my definition of Asset into either Section 4.2 or the Definitions document.
  2. Replace R1 with my Fantasy R1-R4 above;
  3. Replace R2 with my Fantasy R5; and
  4. Replace the wording at the beginning of the three parts of Attachment 1 with the wording shown above.
As I said in the previous post, I don’t expect FERC or NERC to simply impose my version, or even parts of it.  However, I do hope they will consider these suggestions as they try to make CIP-002-5 much more understandable and enforceable than it is today.
I welcome any comments on this.  You can leave them below (if you have a Gmail account or want to open one), or email them to me at tom.alrich@honeywell.com.  As usual, if someone wants me to post their comment anonymously, I’ll do that.

P.S. Be sure to sign up for Honeywell’s upcoming webinar with EnergySec, “Covering your Assets in CIP Version 5”.  You can sign up for it here.  The webinar is on August 21st at 10:30 CDT.  If you can’t make the webinar but want to see the video, sign up anyway.  You’ll get the link to the video as soon as it is posted after the webinar.















[i] Of course, saying these are the only two problem areas in CIP-002-5 is like saying the only problem areas in the Gospel of John are the references to Jesus.  The whole purpose of CIP-002-5 is to identify big and little iron, and if it doesn’t do this reliably it has failed.
[ii] When I wrote that post, I thought I would just provide comments on CIP-002-5, not rewrite it.  But when I started to write Part II, I realized that continuing to make a bunch of comments wouldn’t be very helpful.  The problems in CIP-002-5 are so severe that it needs to be completely rewritten.  So Part II turned into the Fantasy CIP-002-5 post, although with an asterisk to indicate it was still incomplete.  In other words, this post is actually the third in a series on the comments I intend to submit to FERC regarding the NOPR (I’ve also decided what I submit to FERC will be simply CIP-002-5-taf itself, along with links to these three posts for explanation on why I made the changes I did).
[iii] With the exception of Distribution Providers, which only have to include four types of Facilities.
[iv] I think having the ability to “slice and dice” an asset into Facilities also has a bearing on Criterion 2.3:
Each generation Facility that its Planning Coordinator or Transmission Planner designates, and informs the Generator Owner or Generator Operator, as necessary to avoid an Adverse Reliability Impact in the planning horizon of more than one year.

The fact that this says “generation Facility” rather than “Generating asset” or something like “Generating station” means that, if a PC or TP says that a single unit or maybe a couple units at a plant is “necessary”, the GO/GOP only has to designate those unit(s) as a medium impact Facility.  The other units can be low impact, since they could be considered a separate Facility.  However, this is entirely my own interpretation.  This points to the need for a guidance document to be developed on Attachment 1 of CIP-002-5 (just as there were guidance documents on Critical Asset and Critical Cyber Asset identification in CIP Versions 1-3.  I also pushed for a guidance document on Attachment 1 of CIP-002-4, although nobody listened to me.  That is just as well, since V4 is now just a historical curiosity).  I would put out a post about that and get all worked up in righteous indignation that it wasn't being done, except for one thing: nobody can even write a good guidance document on CIP-002-5 as it currently stands.  It would be like trying to nail Jell-O (tm) to the wall. Hopefully we’ll be able to do this in about a year, once FERC issues their order approving Version 5 and mandating the changes they want to see in a compliance filing.

[v] I am also not sure whether there shouldn’t be some statement having to do with the network topology of the Facilities and the Asset.  If the cyber assets in an Asset are all on one large network, you really can’t separate the Asset into Facilities.   This is because all of the cyber assets on that network, that were not part of the BES Facility, would still have to be protected in the same way as those that are part of the BES Facility (i.e. they would be Protected Cyber Assets in Version 5, the equivalent of “non-critical” cyber assets within the ESP in Versions 1-4).  I think there should probably be a further statement that the networks in the different Facilities within the Asset need to be separated, but writing that statement won’t be easy.  Fortunately, that’s above my pay grade.
[vi] I must also admit I’m uneasy about the “Facilities, systems and equipment” language in 4.2.  Why do we need "systems" and "equipment"?  I think including these terms literally could lead to entities having to consider each piece of equipment or system at, say, a control center or generating station as possibly meeting one or more of the Attachment 1 criteria all by itself (and document the whole process, of course).  I suspect this language is yet another relic of the fact that the first draft of Version 5 really did require the entity to identify BES Cyber Systems before Facilities/assets.  Even though the standard was officially changed so that Facilities were identified first, remnants of that first draft still live on in CIP-002-5, and are the main cause of the problems I’ve expended so many words discussing lately.  I call this the Original Sin of CIP-002-5.  For more on this, see footnote x in the Asset Identification post.
[vii] You may point out that it is redundant for me to say “Assets or Facilities”, since the definition of Asset includes Facilities.  This is more my judgment that the ability to slice and dice substations might be lost if all of Attachment 1 were based on Assets alone.  I’m not set in stone on this point, however.
[viii] Here’s an interesting anecdote of another instance where an entity took advantage of a simple wording error in CIP.  Those who remember the CIP Version 1 rollout will recall there were four Tables which determined your compliance dates.  Table 1, which had the earliest dates, was listed as applying to entities that “were required to comply with Urgent Action 1200” (the predecessor to CIP).  One entity who had complied with UA1200 realized that even then, they were not required to comply with it.  In fact, nobody was “required” to comply with UA1200 since compliance with it, as well as with all NERC standards before the Federal Power Act of 2005, was voluntary!  So this entity got another year or so to comply with CIP Version 1 by falling under Table 2, due to some quick thinking by their compliance person.  That person recently verified this story for me, since I’d heard it from a third party.

Sunday, June 9, 2013

My Fantasy CIP-002-5*

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

7/26/2014: I see that this post is suddenly getting a lot of hits, more than a year later.  I'm of course glad to see that, but I want to warn you that my thinking has evolved way beyond this, so you shouldn't take this as being indicative of how I would rewrite CIP-002-5 R1 now if given the chance.  My more recent posts like this one are a much better guide.  However, I do want to "rewrite" the requirement again, and hope to do that soon - even though it is of course way too late to hope that the requirement can be rewritten.  As I've said at various times, someone like NERC is going to have to issue a comprehensive "interpretation" of CIP-002-5 R1, and I might be able to aid that process by detailing how I think the standard should have been written in the first place - which is fairly different from what I thought when I wrote this post.

6/15: I just posted the follow-on to this post, including my final version of Fantasy CIP-002-5. 
This post started off as the second of two posts discussing comments I plan to make to FERC[i] in response to their NOPR on CIP Version 5, during the comment period that ends on June 20.  The first post is here.  As with that post, this one is confined to CIP-002-5, because a) I see a lot of problems with the wording of that standard, and b) CIP-002-5 is the foundation for all of the remaining CIP V5 standards – if the foundation is rotten, the house falls down.  I contend the foundation is rotten.
However, as I started to write this new post, even I – perennial skeptic and generally gloomy fellow – was taken aback by how rotten that foundation really is.  I found I couldn’t discuss one problem with CIP-002-5 without uncovering another problem to which it was linked; and that problem was usually linked to another.  Just listing a bunch of problems, as I did in the first post and I had planned to do in this one, seems to miss the point.  I want to discuss what needs to be done to address those problems.  I believe CIP-002-5 needs to be substantially rewritten.  That is what I propose to do in this post.
When I say ‘rewritten’, I do want to point out that I don’t want to change the intended meaning of CIP-002-5, only to clear away the sizable buildup of mud and debris that seems to have grown on top of it as the standard was revised and re-revised by many players and in response to two decisive rejections by the NERC ballot body.  The problem is that it is awfully hard to tell what CIP-002-5 is trying to do with regard to asset identification.  The Guidance section doesn’t provide any true step-by-step guide through the whole asset identification process.

So how can we find out the intended meaning of CIP-002-5?  The best I can think of is to actually read through the standard and map out the entire asset identification process, without paying attention to anything else – the Guidance sections, the wording of previous drafts of CIP-002-5, comments made during the three comment periods, Supreme Court rulings, the four Gospels, etc.  The standard has to be allowed to speak for itself, since entities will be audited on what it means, nothing more than that.  This is important partly because many entities will not approach CIP-002-5 with a lot of prior knowledge, but more importantly because only the actual steps required by the standard can be audited against.
For example, I just mentioned that the CIP-002-5 Guidance (which starts on page 17) spends a lot of time discussing “BES Reliability Operating Services”; these are services that can be performed by cyber assets to support the reliable operation of the BES.  The implication of this discussion is that the entity will start to identify their BES Cyber Assets by first determining what BES Reliability Operating Services each one performs; if a cyber asset performs one or more of these, it is a BES Cyber Asset.  There is only one problem with this: the actual wording of the standard itself never once refers to BES Reliability Operating Services.[ii]  A Knowledgeable Person has explained to me where exactly the BROS does fit in with the asset identification process, and I agree with what they said; I will note that at the appropriate point below.
Fortunately, I have already analyzed CIP-002-5 to determine what the standard as written does require the entity to do in order to identify assets in scope for CIP Version 5.  In my recent post “Asset Identification in CIP Version 5” I tried to go through CIP-002-5 from the point of view of a NERC compliance person that was reading it for the first time – with no prior knowledge of how it was developed, etc. – in order to map out the actual steps such a person would need to take in order to identify their BES Cyber Systems.  When I wrote that post, I was appalled at the number of steps required – I documented fourteen – and how the need to take each step was often not stated directly but only implied through the syntax of the standard, definitions of key terms, etc.    But I have to use what was written in the actual standard, since that is the only thing we can rely on to tell us what the standard wants us to do. 

However, even though I identified fourteen steps that an entity would have to take in order to comply with CIP-002-5, this doesn’t mean the asset identification process really has to take that many.  I believe that a properly written standard would require the following steps (and these are all included – directly or by implication - in the list of fourteen from the previous post):
  1. Develop a list of all of the entity’s Facilities that are in scope for CIP Version 5;
  2. Using Attachment 1, identify High impact Facilities from that list;
  3. Using Attachment 1, identify Medium impact Facilities;
  4. Identify Low impact Facilities as those on the list that do not meet either High or Medium impact criteria;
  5. Identify BES Cyber Assets associated with each Facility, using the definition found in the Version 5 Definitions document.  The BES Cyber Asset will take the Facility’s impact rating;
  6. Aggregate BES Cyber Assets into BES Cyber Systems for Version 5 compliance purposes.
The revised version of CIP-002-5 that I describe in this post will include these six steps, nothing more or less.  However, even though I do intend to provide a rewritten CIP-002-5 in this post, it won’t address all of the problems I see in that standard (and that is why I have the asterisk in the title).  As I discussed in the first post, there are two primary things that need to be identified as in scope in CIP-002-5 (and for that matter, the previous CIP versions): the “big iron” (generating stations, control centers, substations, etc.), and the cyber assets associated with them (called BES Cyber Assets and BES Cyber Systems in V5), aka “little iron”.  I see serious problems with how CIP-002-5 describes the identification process for both big and little iron.

The first post addressed the big iron problems, primarily the confusion over the terms “asset” and “Facility”.  This new post is intended to address the little iron identification process – i.e. how BES Cyber Systems are identified once the assets/Facilities in scope for V5 are identified.  I did honestly start out to simply summarize the problems I saw in the little iron area, just as I had done for big iron in the previous post.  However, I realized that just listing a bunch of problems would only leave the reader very confused about what had to be done - the problems are so intertwined. 
This is why I decided to rewrite CIP-002-5, creating my Tom Alrich Fantasy version, which I will refer to as CIP-002-5-taf.  I make this version available royalty-free to anyone who wishes to reproduce (or modify) it in any way.  If FERC decides that the next compliance version of CIP (which I believe will be Version 6, not 5, but that’s the last I’ll mention that in this post) should include CIP-002-5-taf rather than the CIP-002-5 submitted by NERC in January, that is fine with me (of course, this is a joke.  They’d never consider that.  But I hope the standard I lay out in this post does help FERC and NERC as they work to come up with a CIP-002 that is more to FERC’s liking than CIP-002-5 is).
In this post, I will lay out a version of CIP-002-5 that addresses the “little iron” problems I see in the current version.  What it won’t address is the “big iron” problems, which I listed in the first post (but I didn’t suggest specific changes to address those problems).  Those problems are also quite severe, and it’s not just a question of whether “Facility” or “asset” is the right term to use.  It will take some work to get to the bottom of those issues.  I will kind of leave a “placeholder” for that discussion by using “Asset/Facility” instead of one term or the other in my CIP-002-5-taf.  I hope to do a new post soon that will lay out my complete CIP-002-5-taf (i.e. without an asterisk).  It will address both the big and little iron problems.
Let’s turn to the “little iron” problems in CIP-002-5.  The purpose of CIP-002-5 is to enable you to identify your BES Cyber Systems that will be in scope for CIP Version 5, just as the purpose of CIP-002 in Versions 1-4 was to enable you to identify Critical Cyber Assets in scope for those versions.  How do you do that?  I contend it is literally impossible to do this, given the way CIP-002-5 is currently written, without crossing your fingers and taking a few huge leaps of faith (and hoping your auditors will join you in those leaps).  Here is why.
Conciseness is not Godliness
As I have already mentioned, in my post “Asset Identification in CIP Version 5” I pretended I was from a NERC entity and was reading CIP-002-5 for the first time, in order to figure out what was going to be in scope for Version 5.  I went through what I saw as the logical steps required to identify BES Cyber Systems using the current wording in CIP-002-5; I came up with 14 steps. 
Having this many logical steps isn’t in itself the problem.  The problem is that the standard doesn’t explicitly state that these steps are required.  All of these steps are taken in the process of complying with just one requirement, CIP-002-5 R1.  And most of these steps are not explicitly spelled out within that requirement – they are “required” through either the syntax of a sentence or the meaning of a term used in the sentence.  So the fact that CIP-002-5 is very concisely written isn’t an asset but a liability.  Poor Mr/Ms NERC Compliance Person needs to pull out their fourth-grade sentence diagramming textbook (you still have that around, don’t you?) and start parsing through the sentences in CIP-002-5 as well as in the Version 5 Definitions document (and the NERC Glossary).
Of course, this isn’t to say that Mr/Ms NERC Compliance Person (hereafter, “NCP”) can’t do those things.  But how on earth can CIP-002-5 be a precise, auditable standard if you have to go through such machinations in order to comply with it?  And how will NCP’s work ever be audited by the poor CIP auditor?  Will they require the entity to document their sentence diagrams along with their lists of BES Cyber Systems?  Compliance will be hugely more difficult if not impossible.  Audits will be hugely more difficult if not impossible.  If fines are levied and contested, the entity will need to hire a set of English teachers to explain the sentence diagrams.  And if the entity ends up contesting their fine in court (which they can ultimately do), I think the judge will take one look at the wording of CIP-002-5 and simply dismiss the fine as being levied on a standard that is impossible to follow.[iii]  
My Replacements for R1
What can be done to fix this problem?  Here’s an idea: Since the steps for identifying Critical Cyber Assets were fairly clearly spelled out in CIP-002 in Versions 1-3, why not use that structure as a rough model for identifying BES Cyber Systems in CIP-002-5?  Let’s go through the six logically-required compliance steps I listed above and figure out how to map them into requirements and sub-requirements that roughly line up with the requirements in CIP-002 Versions 1-3.
In CIP-002 Versions 1-3, the entity starts out with a list of its assets (although this list is implied, not actually required by the standard).  R1 requires the entity to develop a Risk-Based Assessment Methodology (the beloved RBAM) that “considers” the asset types in R1.2; the RBAM will later be applied to the pre-existing asset list in R2.  Since this is a fairly straightforward step, how can we “replicate” it as the first step in my CIP-002-5-taf? 
When we’re complying with CIP-002-5, we come into the first requirement with a list of assets (really Facilities) developed in Section 4.2 (which precedes the actual requirements).  This is different from the previous CIP versions, where the entire compliance process begins with the first requirement.  In Section 4.2 we find that, for all NERC functional entities in scope for CIP-002-5 (the functional entities are determined in Section 4.1) except for Distribution Providers, the "big iron" in scope for V5 consists of all of their “BES Facilities” (“Facility” is defined in the NERC Glossary); DPs only have to comply for four very specific types of facilities.
Given this previous step, what will be the Version 5 equivalent of CIP-002 R1 in Versions 1-3?  Actually, this is the first task that the current wording of CIP-002-5 R1 requires: The entity needs to “implement a process” to “consider” each of six asset types[iv] as High, Medium or Low impact.  In other words, the entity needs to document a process (at this point, they’re not actually applying that process, just as they’re not actually applying the RBAM in CIP-002 R1 in Versions 1-3).  The details of the process will be clear as you read the further requirements in my CIP-002-5-taf.  So here is Requirement R1 of CIP-002-5-taf.   
Fantasy R1. Each responsible Entity shall:
R1.1 Implement a process that considers each of the following Assets/Facilities for purposes of Requirement R2:
(here, the same list of six asset types will appear as is found in the ‘real’ CIP-002-5 R1)
R1.2 Develop a list of its assets/Facilities including each asset/Facility type listed in R1.1.
                                                                                                                                                          
Why is R1.2 in there?  I just got through saying that Versions 1-3 don’t require that the entity have a list of all its Assets before it identifies Critical Assets – so why am I requiring it in Fantasy CIP-002-5?  Even though such a list isn’t required by CIP-002 in Versions 1-3, I know auditors ask for it to make sure the entity has properly complied with R2.  Moreover, as you’ll see in my Fantasy R2 below, it needs to be in place, since otherwise Low impact assets/Facilities can’t be identified at all.
We’ve settled R1.  What about R2?  Going back to CIP-002 in Versions 1-3, R2 has the entity apply the RBAM to the asset list it started with (but which wasn’t required by R1 in those versions).  The result of that process is a list of Critical Assets.  In Version 5, there are three types of assets/Facilities to be identified, not just one.  There are High, Medium and Low impact assets.  How do we identify these?  Obviously, not using an RBAM.  We use the bright-line criteria in Attachment 1[v].  Here is my Fantasy R2:
Fantasy R2. Each Responsible Entity shall identify its High, Medium and Low impact BES Facilities/assets in parts 1.1 through 1.3:
2.1  Using the criteria in Attachment 1, Section 1, identify its High impact Facilities;
2.2  Using the criteria in Attachment 1, Section 2, identify its Medium impact Facilities;
2.3  After removing High and Medium impact Facilities from the list of assets developed in R1.2, identify the remaining Facilities as Low impact.

Now we have our lists of High, Medium and Low impact Facilities, which correspond to the list of Critical Assets in Versions 1-3.  The next step, as it is in Versions 1-3, is to identify the cyber assets associated with those Facilities that are in scope for Version 5.  In V1-3, CIP-002 R3 identifies Critical Cyber Assets at Critical Assets, using the definition that they are cyber assets “essential to the operation of the Critical Asset”.  My CIP-002-5-taf R3 will identify BES Cyber Assets at the High, Medium and Low impact Facilities[vi]; the identified cyber assets will then become Low, Medium or High impact depending on the rating of the Facility.   But what is the definition of BES Cyber Asset?  Here is what the V5 Definitions document says:
A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems.[vii]
Essentially, we need to do a similar analysis to what we currently do in Version 3.  There, we determine which cyber assets are “essential to the operation of” the Critical Asset.  In Version 5, we have to take a more inclusive view.  BES Cyber Assets are those that “if rendered unavailable, degraded, or misused would, within 15 minutes[viii] of (their) required operation, misoperation, or non-operation, adversely impact” the Facility/Asset.   So my Fantasy CIP-002-5 R3 reads:
Fantasy R3. The Responsible Entity shall identify BES Cyber Assets associated with each High, Medium and Low impact Asset/Facility.  All BES Cyber Assets associated with an Asset/Facility shall take the impact level of that Asset/Facility.
That’s quite simple, right?  Hardly.  Both sentences will be quite controversial, although probably with different audiences.
The first sentence will be controversial mainly because it requires identification of BES Cyber Assets at Low impact facilities.  CIP-002-5 says in a couple places there is no requirement to inventory or identify cyber assets at Lows.  However, FERC in the NOPR makes it pretty clear they don’t like this provision and want it changed, for two reasons (you can find my full discussion of the NOPR in this post):
  1. They will most likely require there be specific technical requirements developed for Low impact BES Cyber Systems (instead of the current situation, in which Low impact Facilities are only required to draw up and implement four policies).   Those requirements couldn’t be audited without a list of those systems.
  2. They question the purpose of this provision since it goes against what seems to be the purpose of CIP-002-5.  That is, CIP-002-5 is supposedly for the identification of Low, Medium, and High impact BES Cyber Systems.  How is this compatible with the idea that the entity doesn’t have to identify the Low impact systems?[ix]
The second sentence, “All BES Cyber Assets associated with an Asset/Facility shall take the impact level of that Asset/Facility”, will also be controversial, but with a different group.  I have had discussions with SDT members and others on this very topic: whether it is possible for there to be multiple impact levels of BES Cyber Systems associated with one Asset/Facility or not.  I contend it is not possible, but I admit that CIP-002-5 as currently written doesn’t rule out that possibility. So I’m making this explicit in Fantasy CIP-002-5.  If you follow through the steps of CIP-002-5-taf, I think you’ll agree there is no possibility of this happening according to my standard, even without having this second sentence in R3.[x] 

I have now drawn up three requirements for CIP-002-5-taf that correspond to the three requirements of CIP-002 Versions 1-3.  However, there still needs to be one more requirement in CIP-002-5-taf.  Do you know what that is?  Of course you do – you’re so bright.  We’ve identified and classified BES Cyber Assets, but CIP Version 5 deals with BES Cyber Systems.  How do we move our assets into systems?  Fortunately, this is pretty straightforward.  We simply read the definition of BES Cyber System.  It says:
 One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity. 
So the fourth requirement of CIP-002-5-taf is: 
Fantasy R4. The Responsible Entity shall identify BES Cyber Systems from groupings of one or more BES Cyber Assets. 
I said at the outset that I would point out where the BES Reliability Operating Services (which are discussed at length in the Guidance and Technical Basis section of CIP-002-5 but never once appear in the requirements themselves) are applicable.  It is at this point, where the entity is identifying BES Cyber Systems as groupings of BES Cyber Assets.  As was explained to me by a Knowledgeable Person, the BES Reliability Operating Services provide guidance on the types of systems that should be considered as BES Cyber Systems, depending on where the entity falls in the NERC Functional Model.

In particular, the table on page 18 of CIP-002-5 identifies which BROS would logically apply to which Functional Registration types.  It is certainly advisable - although not mandatory - that the entity determine which BROS apply to it, given its registrations.  The entity should then examine the descriptions of the BROS that apply to it (e.g. a TO should examine each of the BROS with an X in its column), to determine which systems it should definitely consider as BES Cyber Systems (of course, there may be other systems that should be considered as well). 


Now to Attachment 1
With the three requirements I have just described, my CIP-002-5-taf has straightened out the problems with CIP-002-5 R1 (except for the big iron problem, of course).  I don’t see that the current CIP-002-5 R2 needs to be changed at all, other than numbering it R5.  The big problem now is Attachment 1.  What changes need to be made there?
As I did in my changes to CIP-002-5 R1, I need to put aside Big Iron issues as I change Attachment 1.  Specifically, the whole asset/Facility[xi] wording in Appendix 1 needs to be redone, although I have to spend some time thinking about how to do that.  As with what I did above, I’ll leave that issue aside by saying asset/Facility whenever needed.
I also don’t want to even suggest any changes in the bright-line criteria themselves.  These have been determined by the SDT and voted on by the NERC ballot body and the board, so there is no point in opening up any questions about them (nor would I be competent to do so).  What I will suggest be changed are the three short (1-3 line) introductory phrases that precede the criteria in each section.  I’ll go through these by section.  Keep in mind that each of the sections of Attachment 1 of the current CIP-002-5 is logically and syntactically preceded by sub-requirement 1.1, 1.2, or 1.3 of CIP-002-5 R1.  In the same way, each of my Fantasy sections of Attachment 1 is preceded by sub-requirement 2.1, 2.2 or 2.3 of CIP-002-5-taf R2.
As I have previously alluded, and as I said explicitly in my post on asset identification in V5, I consider it dishonest to state that the entity is using the Attachment 1 criteria to classify BES Cyber Systems, rather than the assets/Facilities themselves (it also leads to a situation where the entity literally cannot identify anything at all – Facilities, assets, BES Cyber Systems, whatever – that is Low impact.  This will make NERC entities happy since they won’t have any Low impact stuff at all, but it hardly reflects the intent of either the Standards Drafting Team or FERC).  The only sensible statement that can be made about the bright-line criteria in Attachment 1 is that they are for classifying big iron, not little iron.
The heading of Section 1 of Attachment 1 currently reads:
1. High Impact Rating (H)
Each BES Cyber System used by and located at any of the following:
(followed by the High impact criteria)

What needs to be done with this?  Pretty simple.  We just need to say:
Fantasy 1. High Impact Rating (H)
Facilities that meet one or more of the following criteria are High impact:

Section 2 reads:
2. Medium Impact Rating (M)
Each BES Cyber System, not included in Section 1 above, associated with any of the following:
(followed by the Medium impact criteria)

I propose this replacement:
Fantasy 2. Medium Impact Rating (M)
Facilities that meet one or more of the following criteria, and are not included in Section 1 above, are Medium impact:

Section 3 is more interesting.  It currently reads: 
3. Low Impact Rating (L)
BES Cyber Systems not included in Sections 1 or 2 above that are associated with any of the following assets and that meet the applicability qualifications in Section 4 - Applicability, part 4.2 – Facilities, of this standard:
3.1. Control Centers and backup Control Centers.
3.2. Transmission stations and substations.
3.3. Generation resources.
3.4. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements.
3.5. Special Protection Systems that support the reliable operation of the Bulk Electric System.
3.6. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.

Here is my suggestion for this part:
Fantasy 3. Low Impact Rating (L)
BES Assets/Facilities meeting the applicability qualification in Standard Section 4, that are not included in Sections 1 or 2 above: [xii]
(followed by the same list of types of facilities)
(I wish to thank Bob Case of Black Hills Corp. for suggesting improved wording for this part)

Well, that’s it.  I have outlined my Fantasy version of CIP-002-5, with the big proviso that I haven’t addressed the Big Iron problems in the current version.  I will hopefully soon be able to do that, and will then provide my complete Fantasy version, all ready for FERC to adopt unchanged (hey, a guy can fantasize, right?).

P.S.  In writing this post, I saw a problem with the definition of BES Cyber Asset in the V5 Definitions document (this definition is reproduced above in the discussion of my Fantasy R2).  The phrase “one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System” is quite disturbing.  It’s another of those phrases that includes an entire requirement embedded in its syntax.  What it’s saying is that before an entity can say that a cyber asset is a BES Cyber Asset, it has to make sure it’s associated with a Facility that’s essential to the BES.
Why is this disturbing?  Consider CIP Versions 1-4.  In those, the definition of Critical Cyber Asset (embedded in one of the requirements) is that it is “essential to the operation of the Critical Asset”.  The definition doesn’t say what attributes an asset (big iron, of course) must have in order to be a Critical Asset; that is the job of CIP-002 R1 in those versions.  However, the V5 Definition of BES Cyber Asset not only defines the required attributes of the cyber asset (the little iron), but it also – in the above phrase – describes the attributes of an Asset/Facility that is in scope for Version 5 (the big iron).    
This is in complete conflict with the wording of CIP-002-5 Section 4.2 described above, which states that Facilities in scope for V5 are all BES Facilities owned or operated by a functional entity type listed in Section 4.1.  The determination of how critical a facility is to the BES has already been made by the SDT, in the course of developing the bright-line criteria in Attachment 1.  It is not up to the entity to make its own determination just in order to follow the definition for BES Cyber Asset.  The solution is clear: This phrase needs to be completely taken out of the BES Cyber Asset definition.  The definition should just be about the cyber asset, not the Facility it’s associated with. 
One more question: Did anyone bother to read any of this stuff?  Just curious.

The second part of this post can be found here.


[i] I just hope I have time to make the comments by June 20.  I keep finding new problems I need to write posts about! 

[ii] The first draft of CIP-002-5 did refer to BES Reliability Operating Services, and in fact asserted that the first step in compliance was to identify cyber assets that fulfilled one or more of these services.  As I and three colleagues (two anonymous because they work for a large IOU) pointed out in this blog post at the time (December 2011), this approach led to a completely unworkable standard.  The first draft of CIP-002-5 was resoundingly defeated in the first ballot, and the second draft removed all reference to BES Reliability Operating Services in the requirements of CIP-002-5.

[iii] Other than these minor quibbles, I have no problems with CIP-002-5.
[iv] I don’t understand why the list of six asset types is in CIP-002-5 R1.  The entity has already been told in Section 4.2 that Version 5 will apply to all of their BES Facilities.  Is this list of six types meant to constrain that list further?  If so, it would be better just to include it in Section 4.2, rather than say all BES Facilities are in scope in that section and then constrain it in R1 (I don’t know how many BES Facilities wouldn’t be included in this list of six types, but I assume there must be some).  However, I’m assuming there is a good reason for the list being in R1, so I am including it in my Fantasy R1.
[v] However, we need to disregard the language that precedes each of the sections of the current Attachment 1.  That language should be indicted for perpetrating a fraud, since it pretends that we’re identifying BES Cyber Assets in Attachment 1, when we’re really just identifying Facilities/assets as High, Medium or Low impact.  In other words, Attachment 1 is really about identifying big iron, not little iron.  This shows that CIP-002-5-taf needs to make modifications to the Attachment 1 language as well, which I will do.
[vi] CIP-002-5-taf will make explicit that the entity needs to identify BES Cyber Assets first, then will clearly state that these need to be included in BES Cyber Systems.  I won’t start by telling the entity they need to identify the systems, then leave it to them to figure out that they really need to first identify assets not systems (since the V5 Definitions document just defines BES Cyber Systems as groupings of BES Cyber Assets) – as is done in CIP-002-5.   This will make things much clearer for the entities that have to comply.  Hey, I’m just that kind of guy – always trying to be helpful.
[vii] I’m leaving off the last sentence of the definition, which seems to exempt laptops used for less than 30 days within the ESP.  FERC made clear in their NOPR that they don’t think much of this and will probably order it be removed.
[viii] Given the skepticism FERC expressed in their NOPR regarding the 15-minute provision in the definition of BES Cyber Asset, I’d say it’s likely they will order that removed.  At that point, the question is whether they will put in a longer limit – say 2 hours, one day, etc. – or simply leave the limit out.  If there’s no limit, this means a cyber asset would be a BES Cyber Asset even if its loss or misoperation wouldn’t have an effect on the Facility for days.
[ix] If you read my post on asset identification in Version 5, you will notice I point out toward the end (paragraphs numbered 11-13) that this provision, that Low impact systems don’t need to be inventoried, literally makes it impossible fully to comply with requirement R1 (since the third section of Attachment 1 requires the entity to determine its Low impact BES Cyber Systems by subtracting the Highs and Mediums from a pre-existing total list of systems.  How could you have a total list of Low, Medium and High systems without identifying them all – Lows, Mediums and Highs?  Of course, in CIP-002-5-taf I'm requiring an initial list of assets/Facilities, not BES Cyber Systems).  So even if FERC did agree with the provision that no inventory was required for Low impact BES Cyber Systems, the standard would still need to be changed to make it even possible for entities to comply with CIP-002-5.  I could suggest language for that possibility, but since it appears clear to me that FERC is serious about removing the provision that there not be an inventory of Lows, I won’t bother to do that.
[x] There is one specific exception to the rule of all BES Cyber Systems at an asset (or Facility) having the same rating; it was pointed out to me in a comment on my NOPR post.  Criterion 2.1 in Attachment 1 of CIP-002-5 deliberately creates two classes of BES Cyber Systems associated with one asset (a generating station greater than 1500MW):
For each group of generating units, the only BES Cyber Systems that meet this criterion are those shared BES Cyber Systems that could, within 15 minutes, adversely impact the reliable operation of any combination of units that in aggregate equal or exceed 1500 MW in a single Interconnection.
So BES Cyber Systems that can impact more than 1500MW are Medium impact; all other BES Cyber Systems would be Lows.  But this is the only Attachment 1 criterion that creates two classes of BES Cyber Systems at one asset. 
[xi] You may have noticed that I capitalize Facility but not usually asset.  That is because Facility is a defined term in the NERC Glossary, while asset is never defined, in either the NERC Glossary or in the Version 5 Definitions document.  This of course is part of the big iron problem in CIP-002-5, which I will address in a new post.
[xii] This is the same list that appears in R1.  I don’t see the need for it here, any more than I did in R1.  As I said in note iv above, if the intent is to constrain the types of BES Facilities to which Version 5 applies, it would be better to include this list in Section 4.2.  My Fantasy version of the Low impact introduction would then read “BES assets/Facilities that are not included in Sections 1 or 2 above:”

[xiii] I wish to thank Bob Case of Black Hills Corp. for suggesting improved wording for the Fantasy 3 section.