Thursday, October 31, 2013

CIP-002-5: The Wars of Religion (Part II)

Nov. 8: It is very likely FERC will approve CIP Version 5 before Thanksgiving, most likely at their meeting on Nov. 21.  Of course, what will be important is the Order they issue with V5.  When that is issued, your reporter will sequester himself until he has figured out what it means, and will post that as soon as possible thereafter.

This is the second post in the series of three or four I am writing about ambiguities in CIP-002-5, and the different interpretations I've encountered that try to address these ambiguities.[i]  The last one had to do with how an entity identifies its BES Cyber Assets / Systems.  This one addresses a question I've debated with several other people who don’t have anything better to do than discuss CIP Version 5: Will all the cyber assets associated with a particular Facility take the ranking of that Facility, or can there be multiple levels of cyber assets (H/M/L) at the same Facility? 

But in the course of these debates – and especially a discussion with a veteran NERC compliance manager in the Generation arm of a large IOU – I have come to realize there are really two questions here:
  1. Can there be more than one level of BES Cyber Systems at a particular Facility?
  2. Can there be multiple levels of cyber assets at a particular Facility?
And let’s clarify something now: These questions can only apply to Medium or High impact Facilities.  At a Low impact Facility, there can’t be any question of having multiple levels of cyber assets.[ii]

Question 1: BES Cyber Systems
To address the first question, I’ll say at the outset that I believe there can only be one kind of BES Cyber System at a particular Facility.  I’ll admit that nowhere in CIP-002-5 is there any mention of whether or not this is a correct statement.  This is why I’m dealing with this issue as a religious one: absent the standard being rewritten or binding guidance being provided at some point by NERC, this is a question everyone will have to address to their own satisfaction.[iii]

Why would someone get the idea that there could be multiple levels of BES Cyber Systems at[iv] a single Facility?  That’s simple: because CIP-002-5 has many cases of sloppy wording.  It’s very easy to miss what the standard means by getting too hung up on what it says.[v] 

Exhibit A is the example my generation compliance friend brought up to me: Criterion 2.1 of Attachment 1 of CIP-002-5 reads (with its preamble sentence):

       (the entity needs to identify) Each BES Cyber System, not included in Section 1 above, associated with any of the following:

2.1. Commissioned generation, by each group of generating units at a single plant location, with an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection. For each group of generating units, the only BES Cyber Systems that meet this criterion are those shared BES Cyber Systems that could, within 15 minutes, adversely impact the reliable operation of any combination of units that in aggregate equal or exceed 1500 MW in a single Interconnection.

The preamble sentence clearly states that the purpose of this criterion is to classify BES Cyber Systems, and the second sentence of the criterion says “the only BES Cyber Systems that meet this criterion are…”  Thus, there must be the possibility of more than one level of BES Cyber System at the plant, right?  Otherwise, how could this sentence be distinguishing between different types of BES Cyber Systems?

Again, the problem is you’re looking at the words that are written, not what was intended.  As I've explained in previous posts such as this one (especially the last section), it is simply dishonest for Attachment 1 to say it’s for classification of BES Cyber Systems.  Attachment 1 is really for classifying the Facilities (or “assets”, since the two terms are used almost interchangeably in CIP-002-5) at which BES Cyber Systems are located.[vi]  And if you look at criterion 2.1 that way (i.e. as really just classifying a Facility, not BES Cyber Systems at a Facility), I think you’ll agree it doesn't lead to the idea that there could be multiple BCS levels at one Facility (note, all of this discussion could apply as well to Criterion 2.2, which is essentially the same language applied to reactive resources - and I want to thank my Generation friend for pointing that out).

Are there other examples of language in CIP-002-5 that would lead one to conclude there could be multiple levels of BES Cyber Systems at a particular Facility?  I don’t think so.  Some people might point to the fact that entities are allowed to “slice and dice” a substation that has both Transmission and Distribution elements, so that only the Transmission elements are subject to CIP Version 5.  If the Transmission elements were a Medium impact Facility, would the Distribution elements be a Low?  Certainly not, since the Distribution elements wouldn't be part of the Facility at all, and thus wouldn't even be in scope for CIP V5 (this assumes they aren't networked with the Medium elements, but if they were, the substation couldn't be “sliced and diced” in the first place.  This operation assumes that the two types of elements are on separate networks).

My Generation friend also pointed out that Criterion 2.3 might lead to multiple levels of BCS at a Facility.  This could happen in the case where the Planning Coordinator or Transmission Planner notified the owner of a large generating station that one or more units in the station - but not the whole station - were what's known as "Reliability Must Run".  In this case, the systems that control or impact those unit(s) are Mediums, while those that control the other units are Lows (although my friend believes the latter could be out of scope altogether for CIP V5 unless they are actually Low BES Cyber Systems.  I actually think such an animal - a Low BCS - doesn't exist, but even if it did it wouldn't make a difference in practice at all.  I hope to do a follow-on post based on the emails we've been exchanging on this and other questions related to this post).

Not hearing any dissent,[vii] I will now go to the second question:  “Can there be multiple levels of cyber assets at a particular Facility?”

Question 2: Cyber Assets
To answer the second question up front, I do believe there can be multiple levels of cyber assets at a High or Medium impact Facility.  Let’s be clear about the difference between this and the first question: The first question dealt with BES Cyber Systems and implicitly with their components, BES Cyber Assets; you identify BES Cyber Assets by looking at the total population of cyber assets at a Facility and deciding which of those meet the definition of BCA.[viii]  What we’re talking about in this question is the cyber assets that weren't identified as BCA’s.  

These “leftover” cyber assets can be further classified by whether or not they’re networked with a BES Cyber System.  If they are so networked, then they are Protected Cyber Assets under CIP Version 5; any requirements in CIP-003-5 through CIP-011-1 that apply to PCA’s will apply to these cyber assets.  But what about the cyber assets that aren't networked with BES Cyber Systems but are still at the Medium or High impact Facility in question?

Let’s consider what we would have done with these cyber assets in CIP Versions 1-3.  Those of you who had to comply with one or all of those versions hopefully followed an important practice: you needed to segregate your Critical Cyber Assets (the V1-3 equivalent of BES Cyber Systems) onto separate networks.  This would keep them from being so-called “non-critical cyber assets within the ESP” (the V1-3 equivalent of Protected Cyber Assets in V5).  In fact, they would be completely out of scope for V1-3; they might as well not exist at all.

Do you think you can do the same thing in Version 5?  That is, once you've identified your BES Cyber Assets / Systems, can you segregate as many cyber assets as possible on separate networks and then not have to worry about them anymore?  Once again, the language of CIP-002-5 isn't clear on this subject, but it seems to me (and to many others.  This is one area in which I do agree with most of the people I've discussed this with) that these cyber assets don’t just fade from view, as they do in V1-3.  I and the others believe they need to be treated as Lows.[ix]

As before, I can’t point to any particular language in CIP-002-5 to support this position (although it should be there, in a perfect world).  But I will go back to the example of the large generating station in Criterion 2.1 of Attachment 1.  Essentially, the wording in that criterion separates the one plant into two: one plant with BES Cyber Systems that affect more than 1500MW of generation, and the other with systems that don’t affect more than 1500MW.  The former systems are clearly Medium impact, but what of the latter?  If they were completely out of scope for Version 5 (not Lows), then this second “plant” would be treated completely differently from any other plant on the BES.  All BES Facilities will be at least Low impact in Version 5, and by saying this second “plant” wasn't even a Low, you would be saying it wasn't even a BES Facility.  That would really be stretching the standard.  So I think the cyber assets that don’t affect 1500MW at a Criterion 2.1 plant are Low impact.

And if these cyber assets (i.e. the non-1500MW assets at a plant subject to criterion 2.1) are Lows, I think you can make a pretty good analogy to cyber assets at other Medium or High impact BES Facilities that aren't networked with BES Cyber Systems.  They aren't Medium or High impact, but they also aren't completely out of scope; so they must be Lows as well.[x]

My Generation friend also pointed out that Criterion 2.3 might lead to multiple levels of BCS at a Facility.  This could happen in the case where the Planning Coordinator or Transmission Planner notified the owner of a large generating station that one or more units in the station - but not the whole station - were what's known as "Reliability Must Run".  In this case, the systems that control or impact those unit(s) are Mediums, while those that control the other units are Lows (although I believe my friend says the latter are out of scope altogether for CIP V5;  I don't believe that myself, as is hopefully clear by now.  Of course, we are talking about religious discussions here!).

It seems, Dear Reader, that we've reached the end of this post.  To summarize, I think there can’t be multiple levels of BES Cyber Systems at a single Facility.  But I do think there can be multiple levels of cyber assets at a Facility.  Of course, the only way I can say this is by ignoring some of the wording of CIP-002-5 that I contend  doesn't reflect the intentions of the drafting team.  But before you condemn me for that, consider this: I don't think it is possible to make any consistent interpretation of CIP-002-5 without ignoring at least some of the language. Not a great situation, but it's what we've got.

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

[i] I’m calling this Part II, but there was really a follow-on to the first post that could have been called “Part IA”.

[ii] I’m sure someone will pipe up, “Hey, what about cyber assets that control one facility but are physically located at another one?  Like AGC, where a component is often located at a control center?”  I would agree this would be a valid question if we were dealing with CIP Version 3.  In that version, a cyber asset can be a CCA as long as it’s “essential to the operation of” a Critical Asset; it doesn’t have to be physically located at the Critical Asset.

However, the Version 5 SDT has – I believe accidentally – taken care of that problem for us.  For example, requirement part 1.1 reads “Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset” (italics are mine).  It seems there is no longer a possibility of a BES Cyber System (the functional equivalent of a CCA) being located anywhere but at the BES Facility it’s associated with.  I really think the SDT meant for Version 5 to be like Versions 1-4 in this regard – namely, that all cyber assets associated with a Facility should be considered as BES Cyber Assets for that Facility.  And they actually say this in Attachment 1, where entities are required to identify BES Cyber Systems “associated with” each of the different criteria.  However, I think language found in Requirement Parts 1.1 and 1.2, which call out Attachment 1, would take precedence over language in Attachment 1 itself.  And those two requirement parts clearly say “at” not “associated with”.  Of course, this is yet another ambiguity in CIP-002-5 that would best be cleaned up by rewriting the standard.  I’d like to think FERC will order that to happen, but I don’t know whether they will.

[iii] When I rewrote CIP-002-5 for my comments to FERC in June, I explicitly included the statement “All BES Cyber Assets associated with an Asset/Facility shall take the impact level of that Asset/Facility.”  You can find a discussion of this point (if you look hard enough) in this post.

[iv] As I mentioned in end note ii, I don’t believe the SDT really wanted to limit BES Cyber Systems to those that are physically located at a Facility; I believe they wanted to include remotely-located systems that can control (or otherwise have an impact on) that Facility.  If this is the case, then there could be multiple levels of BCS located “at” a Facility, since an AGC system that controlled a Medium impact generating station could theoretically be located at a Low impact station.  However, if CIP-002-5 is corrected (or perhaps interpreted) to consistently say “associated with”, then the question I asked at the beginning of this post becomes, “Can there be multiple levels of cyber assets associated with a single BES Facility?”  The answer to that question will be the same as the answer to the equivalent question (with “at”) at the beginning of this post.  Given that CIP-002-5 currently reads “at” not “associated with”, we have to work with that wording at the moment.

[v] Of course, I’m engaging in gallows humor here (the fact that I’m writing this on Halloween may have something to do with that).  Asking people to follow the intent of the standard rather than the wording isn’t exactly the textbook approach to compliance enforcement.  Of course, this is just one of the very serious problems I see in CIP-002-5.  I frankly don’t think the standard, as currently written, would ever hold up in a court of law were an entity to challenge a large fine.  And if CIP-002-5 gets invalidated, the other V5 standards become invalid as well.  Comforting thought, isn’t it?

[vi] For proof of this, see requirement parts 1.1 and 1.2 of CIP-002-5 2 (1.1 reads “Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset”).  I interpret these to mean (and I’ll admit that some might disagree with this interpretation) that Attachment 1 is being called out so the entity can use it to classify assets, not BES Cyber Systems.

[vii] This reminds me of a great cartoon I once saw.  It shows a dictator standing at a lectern, surrounded by menacing storm troopers glaring out at the crowd and Nazi-like flags.  He is saying, “...and I think I can state without fear of contradiction….”

[viii] Of course, there are some knowledgeable people who believe there is a different way to identify BES Cyber Assets.  I have discussed that difference of opinion in the first post in this series.

[ix] However, I’m not saying they should be treated as “Low impact BES Cyber Systems”.  I think that phrase is a contradiction in terms, like “English cuisine” or “business ethics”.  Now, I know that CIP-002-5 and CIP-003-5 both refer to “Low impact BES Cyber Systems”.  However, both say that no inventory of Low impact cyber assets is required; this means the entity is never required to identify these phantom Low impact BCS.  So this is a purely theoretical construct, and is explicitly removed from being applicable to compliance with CIP Version 5.  There are no requirements in CIP Version 5 that apply to Low impact BES Cyber Systems, only to the Low impact Facility as a whole.  Of course, FERC made noise about changing this in their NOPR in April, but I don’t think they will actually do that when they approve Version 5.

[x] I’ll be the first to admit that this “proof” isn’t exactly up to the highest mathematical standards.  But, given the many ambiguities in CIP-002-5 as currently worded, it’s the best I can do.

1 comment:

  1. Smartphone Security Apps Assac Networks’ mobile phone/smartphone security app provides 360° protection against tapping and data theft from your mobile phone.