Wednesday, August 7, 2013

Scott Mix’s CIP V5 Presentation to TRE

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

On July 31, Scott Mix of NERC gave an all-day presentation to TRE (Texas Reliability Entity) on CIP Version 5.  The event was also broadcast as a webinar; about 100 people attended this way, including me.

This was an excellent presentation.  If you missed it, you’ll be glad to know that the slides are available here, but I don’t believe a recording was made.  However, I did take a lot of notes and am glad to share them with you.[i]  The notes aren’t a summary of what he said, but rather a set of things he said that I found quite interesting.  So I’ll just list them in the order he said them.

·         There are two ways in which FERC can approve a standard: issue an Order or issue a Final Rule.  The latter first requires a Notice of Proposed Rulemaking (NOPR) and a comment period, as happened with CIP Version 4[ii] and will happen with Version 5 (FERC has issued the V5 NOPR but hasn’t approved V5 yet).  Some of the previous CIP versions, like Version 3, were approved with a simple Order.  I speculate that Version 6 will be approved with an Order, since the NOPR and comment period for V5 really count for V6 as well.

·         He discussed a topic I recently wrote a blog post about: the fact that CIP Version 4 was pushed through approval by NERC very quickly (it was first discussed in the spring of 2010 and received final approval – after three ballots – in December of the same year).  He says the reason V4 was pushed through was panic on the part of various people at NERC and some of the larger NERC entities; they believed that Congress was about to effectively take power industry cyber security regulation away from FERC and write their own legislation.  He freely admitted this may have been a mistake; I agree with that statement. 

·         He pointed out that NERC and almost all of the other commenters on the Version 4 NOPR supported Version 4.  However, NERC’s tone changed markedly a year later, when it became clear that CIP Version 5 would finally be approved by the NERC membership – and since V4 wasn’t in effect yet and everyone preferred Version 5, it made sense to try to push V5 instead.

·         One difference between the V4 and V5 Implementation Plans is that, in the V4 plan, the effective date is the first day of the eighth calendar quarter after approval,[iii] while the V5 plan says the same except for the ninth quarter.  He admitted that the Standards Drafting Team (SDT) had simply miscounted with Version 4.  They wanted to provide two years for compliance, but “eighth quarter after approval” leaves only seven full quarters between the end of the approval quarter and the effective date, so an approval late in a quarter yields as little as 21 months.  They got it right in Version 5 (perhaps with some engineering help – those people know how to count).

·         The definition of BES Cyber Asset in Version 5 includes the provision that a cyber asset’s loss has to impact the BES within 15 minutes.  Scott said the SDT would have preferred to use the term “Real-time”.  However, the problem was that this is a defined NERC term, and the definition is “Present time as opposed to future time.”  This definition would have been totally useless in this case, so they settled on 15 minutes instead.  Given that FERC has challenged the “15 minutes” provision in their NOPR, it will be interesting to see what they propose to replace it with (although they may just leave out any mention of time at all, meaning every cyber asset whose loss would affect the BES ever – even a year from now – would have to be a BES Cyber Asset).

·         In Version 5, the word “facility” appears sometimes in lower and sometimes in upper case.  Scott says this was deliberate, since in some cases they wanted to use the NERC Glossary definition and sometimes not.[iv]

·         Scott pointed out there is no NERC definition for a “substation”, just as there isn’t for “control center” (although for the latter there is a definition within Version 5 itself, which I believe may become the NERC Glossary definition when V5 is approved).  In fact, the IEC itself doesn’t have a definition,[v] although they’re working on it now.  Just goes to show that the most important definitions are the ones that cause the most contention and thus never get written.

·         I submitted a question, which he answered.  The question regarded the “1500MW rule” in Criterion 2.1 of Attachment 1 of CIP-002-5.  I asked whether an entity, claiming that particular cyber systems at a large plant weren’t BES Cyber Systems because they didn’t control 1500MW of generation, would have to prove that they weren’t networked with other systems that did control 1500MW; that seems to me to be the assumption behind this rule.  Scott said the entity would have to show this was the case.[vi]

·         One of the most important discussions in Scott’s talk was CIP Version 4 – he spent an hour going over compliance timeline, bright-line criteria, etc.  This was quite interesting given that almost nobody – himself included, I’m sure – believes V4 will actually come into effect.[vii]  He pointed out that Version 4 can’t be ruled out until FERC actually approves Version 5, which in effect “stops the clock” on V4.[viii]

·         One excellent question that Scott took was what happens to open Technical Feasibility Exceptions (TFEs) for Version 3 when V5 comes into effect.  Scott didn’t know, but agreed this will need to be decided once FERC rules on V5.

·         One change in V5 is that the word “sub-requirement” is gone, replaced by “requirement part”.  I had thought this was just a wording preference change, but Scott pointed out it had a real impact on compliance: you can be written up for violating a sub-requirement, but not for violating only a part of a requirement.  So there will be no more violations of anything other than full requirements under V5 (this change is evidently being made across the NERC standards).

·         He said NERC’s analysis of the CIP Version 5 NOPR identified the following: requests for comment on 48 topics, directives for change on 11 topics, and an indication FERC “may” direct change on 16 topics.[ix]  I don’t think this little nugget will help you pass audits any better, but I was surprised there was that much in the NOPR.

·         He gave quite an interesting discussion of the question of requirements for Low impact facilities in Version 5.  As you probably know, V5 as currently written just requires the Lows to have four policies in place; in their NOPR, FERC said they wanted specific technical requirements for Lows.  Scott began by quoting Sun Tzu (the line is more commonly credited to Frederick the Great): “He who defends everything, defends nothing.”  The meaning of this for Version 5 is that, if entities have to spread themselves too thin defending everything they have, they aren’t going to be nearly as effective as if they concentrate on providing a higher level of defense for the most important facilities (i.e. the Highs and Mediums).  Scott said he is willing to see more specific requirements for Lows in Version 5, but not ones that are cyber asset specific.

·         He pointed out that FERC seems to be strongly motivated now to move Version 5 through the approval process.  They took just three months to issue their NOPR after NERC submitted V5 (Jan-April 2013), vs. six months for V4 (Feb-Sept 2011); this was in spite of the fact that V5 is much more of a change than V4 was (V4 just changed CIP-002, while V5 changed all the standards).  He thought this was a sign that FERC wouldn’t wait too long to approve V5; he expects them to do so later this year (although I’ve heard that some people at NERC think it could even happen in September – Scott is clearly not one of them).

[i] I’m told he did a similar presentation for FRCC, and he may be coming to a Regional Entity near you.  Check your local listings.

[ii] Scott mentioned that, in Sept. 2011, the NERC cognoscenti were expecting FERC to simply issue an order approving Version 4.  Instead, they issued a NOPR, got comments, and issued Order 761 approving it in April 2012.

[iii] So the implementation date for Version 4, which was approved in the second quarter of 2012, is April 1, 2014, the first day of the eighth quarter after that.

[iv] I have posted extensively about what I see as the sloppiness in CIP-002-5 with respect to how facilities (control centers, substations, generating stations, etc) are referred to.  I think it’s bad that two terms – asset (not a defined NERC term) and Facility (defined in the NERC Glossary) – are used almost interchangeably.  Now I hear that the SDT really intended there to be three terms, with lower case “facility” being the third.  Somehow this doesn’t fill me with any more confidence in CIP-002-5 than the low amount I already had.  If you’re going to use two or three different terms, you need to make clear the difference between them.  Unfortunately, the SDT didn’t do this.  This is one reason why I rewrote CIP-002-5 and submitted that to FERC during the NOPR comment period (although the main reason was simply my own satisfaction, since I’m not at all expecting my comments to be taken to heart).

[v] He may have said IEEE.  I’m sure they don’t either, though.

[vi] He may say that, but Criterion 2.1 certainly doesn’t, nor do I see anything in the Guidelines.   I think at the least this points out the need for something I’ve been advocating for: specific guidance on applying the bright-line criteria, beyond the very limited guidance included with CIP-002-5.

[vii] His lengthy discussion of the V4 bright-line criteria is relevant to V5, however, since most of the V5 criteria are little changed from V4.

[viii] This is a very important question, which I have dealt with in three recent blog posts: this, this, and this.

[ix] Scott admitted there might be some overlap between the first category and the other two.

Notice: Honeywell has produced three white papers on CIP Version 5 - what's in it and how you can comply with it.  They aren't posted yet, but to get copies, just email me at
