All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.
August 12: I just posted my analysis of what FERC's order today - extending the compliance date for CIP Version 4 - means.
After I published my post on The Real Cost of CIP Version 4, an Interested Party emailed me with two sets of questions for the beleaguered NERC entity whose travails due to CIP V4 were chronicled in that post. I facilitated a correspondence between them (without revealing either's identity to the other). The result was quite interesting, so I decided to make this a separate post for everyone to see.
Regarding CIP-006 Interpretation
Regarding the data fiber, was it possible to implement a logical solution (e.g., network connectivity monitoring) as opposed to a physical boundary solution (as permitted by the FERC-approved interpretation[i] that was 180 degrees opposite to the interpretation that FERC remanded)? Would that have been easier and less costly?
Beleaguered NERC Entity
In a full CIP 3 thru 9 environment with CCAs the rule as interpreted by our entity is that if an ESP network exits a PSP to traverse to another PSP then it must have six wall protection. An example is a DCS in a plant where a control system network fiber traverses a PSP in one area of the plant to another PSP area in the plant. We call these “Extended ESP networks”. Remember that this differs from the rules on networks that connect distinctly separate ESPs which do not require the same protection.
We have no evidence that connectivity monitoring would satisfy an auditor. All modern day control systems already have alarming for network connectivity in their redundant operator and control networks (at least ours do). In version 3 audits at some control centers in the past, we got pegged for not having the conduit which raises another issue – differing interpretations and violations among the 7 regional auditors.
If an auditor does not accept connection monitoring as an alternative to a six-wall border, you need to contest the finding. Take it to a hearing if need be. The FERC-approved interpretation specifically states “For Electronic Security Perimeter wiring external to a Physical Security Perimeter, the drafting team interprets the Requirement R1.1 as not limited to measures that are “physical in nature.” The alternative measures may be physical or logical, on the condition that they provide security equivalent or better to a completely enclosed (“six-wall”) border. Alternative physical control measures may include, but are not limited to, multiple physical access control layers within a non-public, controlled space. Alternative logical control measures may include, but are not limited to, data encryption and/or circuit monitoring to detect unauthorized access or physical tampering.” You need to be able to demonstrate that circuit failures are alarmed and quickly investigated even if the circuit comes back up after a couple of seconds. The interpretation recognized the impracticality of physically protecting cabling in circumstances like yours. Auditors are bound by FERC-approved interpretations. They cannot chose to ignore what FERC has approved.
Beleaguered NERC Entity
I want to thank you for this information. It raised some eyebrows here.
Regarding Hurry-Up Compliance Solutions
Are entities having to implement hurry-up band-aid solutions because of the time constraints? Are we substituting compliance for operability (as in air gapping) because we do not have time to do something more carefully thought out and appropriate?
Beleaguered NERC Entity
I can only speak for one entity and the answer is yes in some cases. When the law is passed and you say “OK, 2 years, no problem” but from my experience the assessments and funding phases consume about half of the schedule. In our case the air-gapping was implemented at very small single combustion turbine black start units that were already air-gapped in most cases (version 3 and 4). If they weren’t we gapped them anyway because it’s not worth the expense for something you start up monthly or quarterly. Very few companies hand over tens of millions of dollars to project teams without an exhaustive approval process (which was touched on in the blog). Implementing cyber security systems on control systems is not extremely complicated but the time it takes for compliance procedures, work procedures, training, hiring, contracting vendors, writing specifications for bids required by most companies for projects this large etc. etc. etc. becomes overwhelming. Then the 2 years doesn’t seem so long.
I know of other companies that are using diodes (for compliance) in large plants but the plant had remote start capabilities for a remote black start unit. They gapped the black starts and put diodes in the large plants so yes we are in some cases definitely substituting compliance for operability. The use of diodes prohibits remote support but - only in my opinion - the level of increased security is worth it. Again, buy a plane ticket. Having the ability to access megawatt critical and protection systems from the Internet is a serious security risk in today’s environment. The logic in these systems can have a direct effect on the physical world (human lives, the environment and billions of dollars worth of equipment).
Is anyone communicating this concern to FERC, who wants to shorten the V5 compliance window? What impact on reliability will we suffer as everyone takes unplanned outages to cut over to the CIP-compliant infrastructure?
Beleaguered NERC Entity
We do not have a direct pipeline to FERC. Hopefully they are reading stories like this. Shortening the compliance windows would most definitely increase cost, reduce reliability and increase the number of possible violations. I have no doubt about that. Whomever has proposed that has absolutely no idea what goes on in the day to day operations of a power utility or the budget cycles. If the timeline were reduced to the proposed durations we would have to treat our compliance spending exactly like when a hurricane destroys our transmission and distribution infrastructures. We have to instantly materialize tens or hundreds of millions of dollars and then count what we spent once we have restored power, thus the term in the blog “Storm Money”. You don’t have to be a rocket surgeon to realize how much that would increase the cost.
Hopefully you commented on the NOPR when you had the chance. FERC, not the industry, is behind the idea of shortening the compliance deadline. I think they believe much of the program is already in place from compliance with Version 3 and thus just a bit of tweaking is necessary. We get as much as two years today to bring a new Critical Cyber Asset into compliance. Now we are talking about many Cyber Assets at one time scattered across many locations. That will not magically take less time, especially with a major revamping of the overall program as well.
[i] Following is the relevant text from the CIP-006 Interpretation referred to:
If a completely enclosed border cannot be created, what does the phrase, “to control physical access" require? Must the alternative measure be physical in nature? If so, must the physical barrier literally prevent physical access e.g. using concrete encased fiber, or can the alternative measure effectively mitigate the risks associated with physical access through cameras, motions sensors, or encryption? Does this requirement preclude the application of logical controls as an alternative measure in mitigating the risks of physical access to Critical Cyber Assets?
For Electronic Security Perimeter wiring external to a Physical Security Perimeter, the drafting team interprets the Requirement R1.1 as not limited to measures that are “physical in nature.” The alternative measures may be physical or logical, on the condition that they provide security equivalent or better to a completely enclosed (“six-wall”) border. Alternative physical control measures may include, but are not limited to, multiple physical access control layers within a non-public, controlled space. Alternative logical control measures may include, but are not limited to, data encryption and/or circuit monitoring to detect unauthorized access or physical tampering.