All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.
August 12: I just posted my analysis of what FERC's order today - extending the compliance date for CIP Version 4 - means.
After I published my post on The Real Cost of CIP Version 4, an Interested Party emailed me with two sets of questions for the beleaguered NERC entity whose travails due to CIP V4 were chronicled in that post. I facilitated a correspondence between them (without revealing either's identity to the other). The result was quite interesting, so I decided to make this a separate post for everyone to see.
Regarding CIP-006 Interpretation
Interested Party
Regarding the data fiber, was it possible to implement a logical solution (e.g., network connectivity monitoring) as opposed to a physical boundary solution (as permitted by the FERC-approved interpretation[i] that was 180 degrees opposite to the interpretation that FERC remanded)? Would that have been easier and less costly?
Beleaguered NERC Entity
In a full CIP 3 thru 9 environment with CCAs, the rule as interpreted by our entity is that if an ESP network exits a PSP to traverse to another PSP then it must have six-wall protection. An example is a DCS in a plant where a control system network fiber traverses a PSP in one area of the plant to another PSP area in the plant. We call these “Extended ESP networks”. Remember that this differs from the rules on networks that connect distinctly separate ESPs, which do not require the same protection.
We have no evidence that connectivity monitoring would satisfy an auditor. All modern-day control systems already have alarming for network connectivity in their redundant operator and control networks (at least ours do). In version 3 audits at some control centers in the past, we got pegged for not having the conduit, which raises another issue – differing interpretations and violations among the 7 regional auditors.
Interested Party
If an auditor does not accept connection monitoring as an alternative to a six-wall border, you need to contest the finding. Take it to a hearing if need be. The FERC-approved interpretation specifically states: “For Electronic Security Perimeter wiring external to a Physical Security Perimeter, the drafting team interprets the Requirement R1.1 as not limited to measures that are “physical in nature.” The alternative measures may be physical or logical, on the condition that they provide security equivalent or better to a completely enclosed (“six-wall”) border. Alternative physical control measures may include, but are not limited to, multiple physical access control layers within a non-public, controlled space. Alternative logical control measures may include, but are not limited to, data encryption and/or circuit monitoring to detect unauthorized access or physical tampering.” You need to be able to demonstrate that circuit failures are alarmed and quickly investigated even if the circuit comes back up after a couple of seconds. The interpretation recognized the impracticality of physically protecting cabling in circumstances like yours. Auditors are bound by FERC-approved interpretations. They cannot choose to ignore what FERC has approved.
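The circuit-monitoring control the Interested Party describes hinges on one detail: a drop that recovers in a couple of seconds must still be alarmed and investigated, which is exactly the kind of event a switch's hold-down timer or a flap-suppression rule would normally hide. The following is an added example, not code from the original post or from either correspondent, showing a monitor that records every down transition on watched extended-ESP links. The log line format, device and link names, timestamps and the 5-second "transient" threshold are all constructed assumptions for the example.

```python
"""Circuit-state monitor for an extended-ESP link that leaves a PSP.

Added example, not code from the original post or from either correspondent.
It assumes link up/down events arrive as syslog-style text lines in a
constructed format and records every down transition, including drops
that recover within a couple of seconds, so each one can be investigated.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed line format (an assumption, not any vendor's real syslog):
#   "<ISO-8601 timestamp> <device> link <link-name> state=<up|down>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+link\s+(?P<link>\S+)\s+state=(?P<state>up|down)$"
)

# Constructed sample events: a 2-second flap and a same-second flap on
# esp-fiber-1, a sustained outage on esp-fiber-2, and one event on a
# corporate uplink that is outside the ESP and must be ignored.
SAMPLE_LOG = """\
2013-08-12T14:03:21Z sw-plant-a link esp-fiber-1 state=down
2013-08-12T14:03:23Z sw-plant-a link esp-fiber-1 state=up
2013-08-12T14:05:00Z sw-plant-a link corp-uplink state=down
2013-08-12T14:10:00Z sw-plant-a link esp-fiber-2 state=down
2013-08-12T14:11:05Z sw-plant-a link esp-fiber-2 state=up
2013-08-12T15:30:00Z sw-plant-a link esp-fiber-1 state=down
2013-08-12T15:30:00Z sw-plant-a link esp-fiber-1 state=up
"""


@dataclass
class Alert:
    """One down transition on a watched link, with its recovery time if any."""
    device: str
    link: str
    down_at: datetime
    up_at: Optional[datetime] = None   # None while the outage is still open
    transient_threshold_s: float = 5.0

    def duration_s(self) -> Optional[float]:
        if self.up_at is None:
            return None
        return (self.up_at - self.down_at).total_seconds()

    @property
    def transient(self) -> bool:
        """A drop that recovered within the threshold: easy to miss, but
        still evidence of a possible tamper attempt, so still alerted."""
        d = self.duration_s()
        return d is not None and d < self.transient_threshold_s


def parse_line(line: str) -> Optional[dict]:
    """Parse one event line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return {"ts": ts, "device": m.group("device"),
            "link": m.group("link"), "state": m.group("state")}


def monitor(lines: Iterable[str], watched_links: Set[str],
            transient_threshold_s: float = 5.0) -> List[Alert]:
    """Return one Alert per down transition on a watched link, in log order.

    There is deliberately no hold-down timer or flap suppression: a link that
    comes back up after two seconds still produces an alert, because the
    auditor will ask for evidence that the drop was seen and investigated.
    """
    open_outages: Dict[Tuple[str, str], Alert] = {}
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["link"] not in watched_links:
            continue
        key = (ev["device"], ev["link"])
        if ev["state"] == "down":
            if key in open_outages:
                continue  # repeated "down" while already down: keep first timestamp
            alert = Alert(ev["device"], ev["link"], ev["ts"],
                          transient_threshold_s=transient_threshold_s)
            open_outages[key] = alert
            alerts.append(alert)
        else:
            closed = open_outages.pop(key, None)
            if closed is not None:
                closed.up_at = ev["ts"]
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Counts for a shift report: every entry is an item to investigate."""
    return {
        "total": len(alerts),
        "transient": sum(1 for a in alerts if a.transient),
        "sustained": sum(1 for a in alerts if a.up_at is not None and not a.transient),
        "open": sum(1 for a in alerts if a.up_at is None),
    }


if __name__ == "__main__":
    found = monitor(SAMPLE_LOG.splitlines(), {"esp-fiber-1", "esp-fiber-2"})
    for a in found:
        print(f"{a.device} {a.link} down {a.down_at.isoformat()} "
              f"duration={a.duration_s()} transient={a.transient}")
    print(summarize(found))
```

The design point is that the monitor keeps the alert list and the "transient" flag separate: the flag helps an operator prioritize, but nothing is filtered out, so the record an auditor asks for exists for the 0-second and 2-second drops as well as the 65-second outage. In a real deployment the alerts would be written to a ticketing or SIEM system that requires an analyst acknowledgment, which is the "quickly investigated" half of the evidence.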
Beleaguered NERC Entity
I want to thank you for this information. It raised some eyebrows here.
Regarding Hurry-Up Compliance Solutions
Interested Party
Are entities having to implement hurry-up band-aid solutions because of the time constraints? Are we substituting compliance for operability (as in air gapping) because we do not have time to do something more carefully thought out and appropriate?
Beleaguered NERC Entity
I can only speak for one entity, and the answer is yes in some cases. When the law is passed, you say “OK, 2 years, no problem,” but from my experience the assessments and funding phases consume about half of the schedule. In our case the air-gapping was implemented at very small single combustion turbine black start units that were already air-gapped in most cases (version 3 and 4). If they weren’t, we gapped them anyway because it’s not worth the expense for something you start up monthly or quarterly. Very few companies hand over tens of millions of dollars to project teams without an exhaustive approval process (which was touched on in the blog). Implementing cyber security systems on control systems is not extremely complicated, but the time it takes for compliance procedures, work procedures, training, hiring, contracting vendors, writing specifications for bids required by most companies for projects this large, etc. etc. etc. becomes overwhelming. Then the 2 years doesn’t seem so long.
I know of other companies that are using diodes (for compliance) in large plants, but the plant had remote start capabilities for a remote black start unit. They gapped the black starts and put diodes in the large plants, so yes, we are in some cases definitely substituting compliance for operability. The use of diodes prohibits remote support but – only in my opinion – the level of increased security is worth it. Again, buy a plane ticket. Having the ability to access megawatt critical and protection systems from the Internet is a serious security risk in today’s environment. The logic in these systems can have a direct effect on the physical world (human lives, the environment and billions of dollars worth of equipment).
Interested Party
Is anyone communicating this concern to FERC, who wants to shorten the V5 compliance window? What impact on reliability will we suffer as everyone takes unplanned outages to cut over to the CIP-compliant infrastructure?
Beleaguered NERC Entity
We do not have a direct pipeline to FERC. Hopefully they are reading stories like this. Shortening the compliance windows would most definitely increase cost, reduce reliability and increase the number of possible violations. I have no doubt about that. Whoever has proposed that has absolutely no idea what goes on in the day-to-day operations of a power utility or the budget cycles. If the timeline were reduced to the proposed durations, we would have to treat our compliance spending exactly like when a hurricane destroys our transmission and distribution infrastructures. We have to instantly materialize tens or hundreds of millions of dollars and then count what we spent once we have restored power, thus the term in the blog “Storm Money”. You don’t have to be a rocket surgeon to realize how much that would increase the cost.
Interested Party
Hopefully you commented on the NOPR when you had the chance. FERC, not the industry, is behind the idea of shortening the compliance deadline. I think they believe much of the program is already in place from compliance with Version 3 and thus just a bit of tweaking is necessary. We get as much as two years today to bring a new Critical Cyber Asset into compliance. Now we are talking about many Cyber Assets at one time scattered across many locations. That will not magically take less time, especially with a major revamping of the overall program as well.
[i] Following is the relevant text from the CIP-006 Interpretation referred to:
Question: If a completely enclosed border cannot be created, what does the phrase “to control physical access” require? Must the alternative measure be physical in nature? If so, must the physical barrier literally prevent physical access, e.g. using concrete encased fiber, or can the alternative measure effectively mitigate the risks associated with physical access through cameras, motion sensors, or encryption? Does this requirement preclude the application of logical controls as an alternative measure in mitigating the risks of physical access to Critical Cyber Assets?
Response: For Electronic Security Perimeter wiring external to a Physical Security Perimeter, the drafting team interprets the Requirement R1.1 as not limited to measures that are “physical in nature.” The alternative measures may be physical or logical, on the condition that they provide security equivalent or better to a completely enclosed (“six-wall”) border. Alternative physical control measures may include, but are not limited to, multiple physical access control layers within a non-public, controlled space. Alternative logical control measures may include, but are not limited to, data encryption and/or circuit monitoring to detect unauthorized access or physical tampering.