Scott Mix’s CIP V5 Presentation to TRE

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.
On July 31, Scott Mix of NERC gave an all-day presentation to TRE (Texas Reliability Entity) on CIP Version 5. The event was also broadcast as a webinar; about 100 people attended this way, including myself.

This was an excellent presentation. If you missed it, you’ll be glad to know that the slides are available here, but I don’t believe a recording was made. However, I did take a lot of notes and am glad to share them with you.[i] The notes aren’t a summary of what he said, but rather a set of things he said that I found quite interesting. So I’ll just list them in the order he said them.
· There are two ways in which FERC can approve a standard: issue an Order or approve a Rule. The latter first requires a NOPR and comment period, as happened with CIP Version 4[ii] and will happen with Version 5 (they have issued the V5 NOPR but haven’t approved V5 yet). Some of the previous CIP versions, like Version 3, were approved with a simple Order. I speculate that Version 6 will be approved with an Order, since the NOPR and comment period for V5 really count for V6 as well.

· He discussed a topic I recently wrote a blog post about: the fact that CIP Version 4 was pushed through approval by NERC very quickly (it was first discussed in the spring of 2010 and received final approval – after three ballots – in December of the same year). He says the reason V4 was pushed through was panic on the part of various people at NERC and some of the larger NERC entities; they believed that Congress was about to effectively take power industry cyber security regulation away from FERC and write their own legislation. He freely admitted this may have been a mistake; I agree with that statement.

· He pointed out that NERC and almost all of the other commenters on the Version 4 NOPR supported Version 4. However, NERC’s tone changed markedly a year later, when it became clear that CIP Version 5 would finally be approved by the NERC membership – and since V4 wasn’t in effect yet and everyone preferred Version 5, it made sense to try to push V5 instead.

· One difference between the V4 and V5 Implementation Plans is that, in the V4 plan, the effective date is the first day of the eighth calendar quarter after approval,[iii] while the V5 plan says the same except for the ninth quarter. He admitted that the Standards Drafting Team had simply miscounted with Version 4. They wanted to provide two years for compliance, but ended up providing seven quarters. They got it right in Version 5 (perhaps with some engineering help – those people know how to count).

· The definition of BES Cyber Asset in Version 5 includes the provision that a cyber asset’s loss has to impact the BES within 15 minutes. Scott said the SDT would have preferred to use the term “Real-time”. However, the problem was that this is a defined NERC term, and the definition is “Present time as opposed to future time.” This definition would have been totally useless in this case, so they settled on 15 minutes instead. Given that FERC has challenged the “15 minutes” provision in their NOPR, it will be interesting to see what they propose to replace it with (although they may just leave out any mention of time at all, meaning every cyber asset whose loss would affect the BES ever – even a year from now – would have to be a BES Cyber Asset).

· In Version 5, the word “facility” appears sometimes in lower and sometimes in upper case. Scott says this was deliberate, since in some cases they wanted to use the NERC Glossary definition and sometimes not.[iv]

· Scott pointed out there is no NERC definition for a “substation”, just as there isn’t for “control center” (although for the latter, there is a definition within Version 5 itself; I believe that may become the NERC Glossary definition when V5 is approved). In fact, the IEC itself doesn’t have a definition,[v] although they’re working on it now. Just goes to show that the most important definitions are the ones that cause the most contention and thus never get written.

· I submitted a question, which he answered. The question regarded the “1500MW rule” in Criterion 2.1 of Attachment 1 of CIP-002-5. I asked whether an entity, claiming that particular cyber systems at a large plant weren’t BES Cyber Systems because they didn’t control 1500MW of generation, would have to prove that they weren’t networked with other systems that did control 1500MW; that seems to me to be the assumption behind this rule. Scott said the entity would have to show this was the case.[vi]

· One of the most important discussions in Scott’s talk was CIP Version 4 – he spent an hour going over the compliance timeline, bright-line criteria, etc. This was quite interesting given that almost nobody – himself included, I’m sure – believes V4 will actually come into effect.[vii] He pointed out that Version 4 can’t be ruled out until FERC actually approves Version 5, which in effect “stops the clock” on V4.[viii]

· One excellent question that Scott took was what happens to open TFEs for Version 3 when V5 comes into effect. Scott didn’t know, but agreed this will need to be decided once FERC rules on V5.

· One change in V5 is that the word “sub-requirement” is gone, replaced by “requirement part”. I had thought this was just a wording preference change, but Scott pointed out it had a real impact on compliance: you can be written up for violating a sub-requirement, but not part of a requirement. So there will be no more violations of anything other than full requirements under V5 (this change is evidently being made across the NERC standards).

· He said NERC’s analysis of the CIP Version 5 NOPR identified the following: requests for comment on 48 topics, directives for change on 11 topics, and an indication FERC “may” direct change on 16 topics.[ix] I don’t think this little nugget will help you pass audits any better, but I was surprised there was that much in the NOPR.

· He gave quite an interesting discussion of the question of requirements for Low impact facilities in Version 5. As you probably know, V5 as currently written just requires the Lows to have four policies in place; in their NOPR, FERC said they wanted specific technical requirements for Lows. Scott began by quoting Sun Tzu: “He who defends everything, defends nothing.” The meaning of this for Version 5 is that, if entities have to spread themselves too thin defending everything they have, they aren’t going to be nearly as effective as if they concentrate on providing a higher level of defense for the most important facilities (i.e., the Highs and Mediums). Scott said he is willing to see more specific requirements for Lows in Version 5, but not ones that are cyber asset specific.

· He pointed out that FERC seems to be strongly motivated now to move Version 5 through the approval process. They took just three months to issue their NOPR after NERC submitted V5 (Jan–April 2013), vs. six months for V4 (Feb–Sept 2011); this was in spite of the fact that V5 is much more of a change than V4 was (V4 just changed CIP-002, while V5 changed all the standards). He thought this was a sign that FERC wouldn’t wait too long to approve V5; he expects them to do so later this year (although I’ve heard that some people at NERC think it could even happen in September – Scott is clearly not one of them).
[i] I’m told he did a similar presentation for FRCC, and he may be coming to a Regional Entity near you. Check your local listings.

[ii] Scott mentioned that, in Sept. 2011, the NERC cognoscenti were expecting FERC to simply issue an order approving Version 4. Instead, they issued a NOPR, got comments, and issued Order 761 approving it in April 2012.

[iii] So the implementation date for Version 4, which was approved in the second quarter of 2012, is April 1, 2014, the first day of the eighth quarter after that.

[iv] I have posted extensively about what I see as the sloppiness in CIP-002-5 with respect to how facilities (control centers, substations, generating stations, etc.) are referred to. I think it’s bad that two terms – asset (not a defined NERC term) and Facility (defined in the NERC Glossary) – are used almost interchangeably. Now I hear that the SDT really intended there to be three terms, with lower case “facility” being the third. Somehow this doesn’t fill me with any more confidence in CIP-002-5 than the low amount I already had. If you’re going to use two or three different terms, you need to make clear the difference between them. Unfortunately, the SDT didn’t do this. This is one reason why I rewrote CIP-002-5 and submitted that to FERC during the NOPR comment period (although the main reason was simply my own satisfaction, since I’m not at all expecting my comments to be taken to heart).

[v] He may have said IEEE. I’m sure they don’t either, though.

[vi] He may say that, but Criterion 2.1 certainly doesn’t, nor do I see anything in the Guidelines. I think at the least this points out the need for something I’ve been advocating for: specific guidance on applying the bright-line criteria, beyond the very limited guidance included with CIP-002-5.

[vii] His lengthy discussion of the V4 bright-line criteria is relevant to V5, however, since most of the V5 criteria are little changed from V4.

[viii] This is a very important question, which I have dealt with in three recent blog posts: this, this, and this.

[ix] Scott admitted there might be some overlap between the first category and the other two.
Notice: Honeywell has produced three white papers on CIP Version 5 - what's in it and how you can comply with it. They aren't posted yet, but to get copies, just email me at tom.alrich@honeywell.com