Following
are some of the posts from an interesting discussion about CIP Version 5 that
occurred this week on EnergySec's LinkedIn group, in response to my post about Order 791. I haven’t quoted every contribution to the
discussion, since some of the posts were duplicative or weren’t essential to
the discussion thread (they were all good, though). The main topic was whether an inventory is needed for Low impact cyber assets, although we get into some asset identification questions toward the end.
By the way,
if you’re not participating in the LinkedIn groups related to NERC CIP
compliance (as well as other topics like SCADA security and Smart Grid
security), you’re missing a good source of information. I won’t say all discussions are consistently
good, but some of them are excellent (such as this one). EnergySec’s group has some especially good
discussions.
(I started the discussion by announcing my post
on Order 791)
Stacy Bresler, EnergySec
You state
"They state clearly on page 65 of the Order that they don’t think it would
be a good idea to require an inventory for the Lows."
I'm not sure I read that the same way as you do. I understand that FERC isn't agreeing that a requirement be made to develop a list for Low Impact BES Cyber Assets; however, they do say "...an entity must have the ability to identify the nature and location of all Low Impact assets that it owns or controls for audit and compliance purposes." That certainly sounds like an inventory to me - not a list mind you - but an inventory ;-) I suppose that could come in the form of a list or be contained in a database or an asset management system. In the end, the compliance evidence that will be requested is most likely going to be "a list" of sorts.
Me
Thanks,
Stacy. I agree that you could interpret FERC's words as you say, although I
think a better interpretation is that by "assets" they mean the
"big iron" - substations, control centers, etc. An entity definitely
needs a list of those.
However, it doesn't matter how we interpret that statement. The compliance evidence that will be required of NERC entities subject to CIP V5 can only come from the requirements themselves, not from a statement FERC makes in their Order. They didn't order NERC to write a requirement for an inventory of Lows, nor did they ask that it remove the two instances where CIP-005's wording says that an inventory isn't required. I don't see any way that an entity can be required to have an inventory/list/whatever of Low impact cyber assets.
Stacy
The
Responsible Entity (RE) is not currently required by the CIP standards to
present a completed spreadsheet to the auditors that details a personnel
timeline regarding completed training dates, PRA dates, PRA contents,authorized
cyber access and authorized unescorted cyber access. However, they do so
because that is what the auditors need to see in order to substantiate
compliance with CIP-004-3a requirements (see ReliabilityFirst's Attachment
C-CIP spreadsheet here -https://www.rfirst.org/compliance/cip/Documents/Attachment%20C-CIP.xls ).
The compliance evidence shall end up being what is needed to demonstrate compliance under the current performance based audit approach. The CIP requirements do not detail all the evidence that must be brought to bear...we must all be aware of that fact. When it comes to evidencing the facts about Low Impact BES Cyber Systems I can see no other way for an auditor to review that requirement without seeing an inventory of the assets that make up that category of systems (assuming the RE has Low Impact Cyber Systems).
To me this is no different than counting the coins in your piggybank. You certainly wouldn't say you know the exact amount of money you have saved if you didn't count the nickels and pennies in your calculations. How can an auditor or an RE determine if they have everything accounted for (i.e. low impact policies applied) if they haven't counted (inventoried) the Low Impact BES Cyber Assets?
Me
Stacy, when
you say "evidencing the facts about Low Impact BCS", what requirement
in CIP Version 5 are you referring to? The only requirement that currently
references Lows in CIP-003-5 R2, and I don't see how that would require an
inventory - especially since it explicitly says it doesn't.
Of course, FERC has ordered that there be more specific requirements for Lows. It's possible (but not likely) the SDT will draft requirements that do lead to a need for an inventory, but that isn't what we're talking about here.
Stacy
I understand
that CIP-002-5.1 R1.3 states that there is not a requirement for a discrete
list of Low Impact BCS' but that doesn't negate the fact that an auditor is
going to need a list of the Low Impact BES Cyber Assets in order to audit the
requirement. How can an auditor know for sure that the Responsible Entity has
properly categorized it's High, Medium and/or Low Impact BES Cyber Systems
without seeing a list of what they all are? And for CIP-003-5 R2, how is it
that an auditor is going to be able to determine if the drafted cyber security
policies have been applied to Low Impact BES Cyber Assets (systems) if there
isn't an inventory to review? I know CIP-003-5 R2 doesn't use the term
"implemented" but it is a long standing principle that an entities
CIP-related policies, plans, procedures, processes, etc must be followed as
written. These are performance audits and the best way for an auditor to
determine performance is to sample a set of assets. Without an inventory, how
would they create a sample set? (yes...control-based audits is the apparent
goal but we do not yet have a control-based mandate. Still...in a control-based
audit there is going to be a performance "test" applied to validate
the control).
We also can't dismiss the fact that there are likely to be modifications to the low impact requirements in the assumed Version 6. One has to imagine that by increasing scope based on FERCs suggestions would require an inventory of sorts to carry this out. Given that there is a possibility for some attribute assignments to be placed on low impact BES systems then I would suggest that utilities start creating a list of their Low Impact BES Assets ASAP.
Putting the CIP requirements aside for a moment, I can't fathom how one can state they are managing something if they don't know what it is they are managing (or can't produce a "list" of what it is they are managing). An asset inventory is basic technology management 101. I'm sure it isn't easy to do as a retrofit but still...don't most TO/TOPs have a very robust inventory of all their poles and wires? In Corporate America there are companies with hundreds of thousands of employees and they have personnel records of each employee with many, many specific attributes. I'm ranting a little of course but to make the point - if the electric sector is the most critical of all critical infrastructures should we not expect that the cyber assets participating in those infrastructures (high, medium and lows) be inventoried?
We also can't dismiss the fact that there are likely to be modifications to the low impact requirements in the assumed Version 6. One has to imagine that by increasing scope based on FERCs suggestions would require an inventory of sorts to carry this out. Given that there is a possibility for some attribute assignments to be placed on low impact BES systems then I would suggest that utilities start creating a list of their Low Impact BES Assets ASAP.
Putting the CIP requirements aside for a moment, I can't fathom how one can state they are managing something if they don't know what it is they are managing (or can't produce a "list" of what it is they are managing). An asset inventory is basic technology management 101. I'm sure it isn't easy to do as a retrofit but still...don't most TO/TOPs have a very robust inventory of all their poles and wires? In Corporate America there are companies with hundreds of thousands of employees and they have personnel records of each employee with many, many specific attributes. I'm ranting a little of course but to make the point - if the electric sector is the most critical of all critical infrastructures should we not expect that the cyber assets participating in those infrastructures (high, medium and lows) be inventoried?
Chris Humphreys, The Anfield Group
You both
bring up valid points. This lack of clarity with the Lows is just one example
of exactly why, from an audit perspective, Version 5 is going to be even more
subjective than Version 3. Without a list (i.e inventory) what other mechanism
can an entity utilize to demonstrate that they've 1. accounted for the Lows and
2. Low, Medium, and High classifications are accurate? I think, once again, the
audit approach for Ver 5 wasn't effectively considered by the SDT throughout
the development of the standards.
Steve Parker, EnergySec
In version
5, many of the documentation requirements were removed, not because the SDT
felt documentation was not needed or required, rather, because they felt the
need for documentation was implicit in the need to provide evidence of
compliance. So, documentation is necessary to show compliance, but is not a
requirement in and of itself.
I think we're going to see a similar situation with asset inventories. It will be difficult to demonstrate compliance without also demonstrating a knowledge of the assets that are in-scope. This is likely to take the form of a discrete inventory list, although perhaps an entity may get away with simply describing the kinds of assets they have in some circumstances. For example, if they have a standard substation design, they might reference the standard firewall/router/IDS/log server/etc at each location without having the exact serial numbers or device names. I would not advocate that, but it is a plausible position.
What is more interesting to me is FERC's order to develop objective criteria by which the effectiveness of controls for low-impact assets can be assessed. That clearly shows that FERC believes audits should examine the IMPLEMENTATION of policies, something that has really not been audited yet with the current versions. That could greatly increase the scope of audits as well as the documentation and evidence burden for low-impact assets. It will be interesting to watch this play out.
Michael Toecker, Digital Bond
I'm coming
down on Steve's side, with the addition of technical requirements there is an
implicit requirement to have an inventory of your BES Cyber System and likely
the cyber assets that make up the BES cyber system. And honestly, this is just
a good practice anyway.
I had this conversation back when I worked for an entity, basically any technical requirements (firewalls, AV, etc) requires that an entity know what is being protected. An inventory was necessary before even starting the project. Otherwise, how would you assign cost for a project to secure it? I think the accountants would have a problem with buying 200 licenses of $vendorproduct without a clear knowledge of where it was going and what it was protecting. And, how could you demonstrate to an auditor that you were covering your assets without an inventory? I'm with Steve.
What makes the lack of a requirement beneficial (well, for an entity) is that minor inaccuracies, mistakes, good-faith omissions, etc might not be punishable by fines because the existence of a list is not a requirement. Considering all the time spent slaving over a spreadsheet from a plant 2000 miles away to make it as error free as possible rather than spending extra effort on actual cyber security, this is probably a good thing.
In conclusion as a LOW asset, maybe the federal government and NERC can't say you HAVE TO have a list. But if you want to do efficient CIP compliance, you'll have one, it will be accurate, and you'll be pulling it out in any future audit to demonstrate you know what you're doing.
I had this conversation back when I worked for an entity, basically any technical requirements (firewalls, AV, etc) requires that an entity know what is being protected. An inventory was necessary before even starting the project. Otherwise, how would you assign cost for a project to secure it? I think the accountants would have a problem with buying 200 licenses of $vendorproduct without a clear knowledge of where it was going and what it was protecting. And, how could you demonstrate to an auditor that you were covering your assets without an inventory? I'm with Steve.
What makes the lack of a requirement beneficial (well, for an entity) is that minor inaccuracies, mistakes, good-faith omissions, etc might not be punishable by fines because the existence of a list is not a requirement. Considering all the time spent slaving over a spreadsheet from a plant 2000 miles away to make it as error free as possible rather than spending extra effort on actual cyber security, this is probably a good thing.
In conclusion as a LOW asset, maybe the federal government and NERC can't say you HAVE TO have a list. But if you want to do efficient CIP compliance, you'll have one, it will be accurate, and you'll be pulling it out in any future audit to demonstrate you know what you're doing.
Me
Thanks Stacey, Chris and Steve. I agree this is a good
discussion. My $.02:
First, where were you guys when I needed you? I had a couple fairly heated arguments with the SDT in 2011, trying to dissuade them from putting that notice about an inventory of Lows not being required in the standards. To no avail, of course (you can read the details in footnote 2 of this post: http://insecurity.honeywellprocess.com/index.php/2012/07/latest-nerc-cip-man-field/ ).
However, in the SDT’s defense, they were between a rock and a hard place. The first draft of Version 5 was resoundingly rejected by the ballot body, in large part because it had one requirement for Lows (for changing vendor passwords) that couldn’t be audited without an inventory. They knew they wouldn’t get a positive vote on the third ballot (which was their last chance) with a clear requirement for an inventory in there.
They all agreed with me that:
First, where were you guys when I needed you? I had a couple fairly heated arguments with the SDT in 2011, trying to dissuade them from putting that notice about an inventory of Lows not being required in the standards. To no avail, of course (you can read the details in footnote 2 of this post: http://insecurity.honeywellprocess.com/index.php/2012/07/latest-nerc-cip-man-field/ ).
However, in the SDT’s defense, they were between a rock and a hard place. The first draft of Version 5 was resoundingly rejected by the ballot body, in large part because it had one requirement for Lows (for changing vendor passwords) that couldn’t be audited without an inventory. They knew they wouldn’t get a positive vote on the third ballot (which was their last chance) with a clear requirement for an inventory in there.
They all agreed with me that:
- It is good practice to have an inventory, and
- FERC might later order specific requirements that would require an inventory.
I believe
they were really saying to FERC, “Please save us from ourselves. We know an
inventory of Lows is a good idea, but you are going to have to order NERC to
include it – we are powerless to do this on our own.” Perhaps not the most
far-seeing stance they could have taken, but that is sometimes how things work
in democracies (see the current US Congress for more on the subject of extreme
near-sightedness).
So I think you guys are vastly underestimating the resistance there will be if the SDT comes up with requirements for Lows that require an inventory for auditing. It will be quite ugly. I suggest you all come to the new SDT meetings (as I plan to, at least a few of them) to argue your case. I will point out that a positive vote isn’t so important in this new case, since the NERC BoT will approve the new standards regardless of whether the membership does or not – they have to, since this is a FERC order.
Chris, the SDT did address auditing of the standards. In fact, they had one meeting in 2011 where they invited auditors from all the regions to discuss auditing V5.
Stacey, I agree with you totally that some of the wording in CIP-002-5 can be read as requiring a list. Other wording can be read as not requiring it (and I’m not talking just about the specific statement that an inventory isn’t required). This is one of a number of examples of what I’ve been calling the Wars of Religion in CIP-002-5. I think there are at least 5 other areas (like the BES Reliability Operating Services) where rational people could draw two completely opposite conclusions from the wording of CIP-002-5 (I hope to do a post soon to summarize all of them in one place, rather than being scattered through a bunch of posts).
I don’t believe there is any other way to fix these multiple problems in CIP-002-5, other than to rewrite that standard (although the first step would be for someone to figure out what the standard wants to be when it grows up. The reason it’s so ambiguous is there were differing views of the asset identification process on the SDT, and no adult able to force a consensus on one of these views). I was very disappointed when FERC didn’t require that in Order 791, but I’m hoping NERC will decide it needs to be done anyway. I simply don’t believe CIP-002-5 can be consistently followed or audited with the current wording; not a good recipe for success, for a standard with fines of $1 million a day.
Stacey and Steve, I definitely don’t think audits of CIP-003-5 R2 would require entities to have an inventory of Lows. And I also don’t think FERC really wants NERC to develop Low requirements that end up needing an inventory. Two of the three options they gave NERC really won’t require an inventory. I find it hard to believe the SDT won’t choose one of those options. But as I said, attend the new SDT meetings!
So I think you guys are vastly underestimating the resistance there will be if the SDT comes up with requirements for Lows that require an inventory for auditing. It will be quite ugly. I suggest you all come to the new SDT meetings (as I plan to, at least a few of them) to argue your case. I will point out that a positive vote isn’t so important in this new case, since the NERC BoT will approve the new standards regardless of whether the membership does or not – they have to, since this is a FERC order.
Chris, the SDT did address auditing of the standards. In fact, they had one meeting in 2011 where they invited auditors from all the regions to discuss auditing V5.
Stacey, I agree with you totally that some of the wording in CIP-002-5 can be read as requiring a list. Other wording can be read as not requiring it (and I’m not talking just about the specific statement that an inventory isn’t required). This is one of a number of examples of what I’ve been calling the Wars of Religion in CIP-002-5. I think there are at least 5 other areas (like the BES Reliability Operating Services) where rational people could draw two completely opposite conclusions from the wording of CIP-002-5 (I hope to do a post soon to summarize all of them in one place, rather than being scattered through a bunch of posts).
I don’t believe there is any other way to fix these multiple problems in CIP-002-5, other than to rewrite that standard (although the first step would be for someone to figure out what the standard wants to be when it grows up. The reason it’s so ambiguous is there were differing views of the asset identification process on the SDT, and no adult able to force a consensus on one of these views). I was very disappointed when FERC didn’t require that in Order 791, but I’m hoping NERC will decide it needs to be done anyway. I simply don’t believe CIP-002-5 can be consistently followed or audited with the current wording; not a good recipe for success, for a standard with fines of $1 million a day.
Stacey and Steve, I definitely don’t think audits of CIP-003-5 R2 would require entities to have an inventory of Lows. And I also don’t think FERC really wants NERC to develop Low requirements that end up needing an inventory. Two of the three options they gave NERC really won’t require an inventory. I find it hard to believe the SDT won’t choose one of those options. But as I said, attend the new SDT meetings!
Dennis Steffani, Silicon Valley Power
I have a
very simple question that goes beyond (or below) LOW evaluated assets; Is it
possible to evaluate your Bulk Electric Assets and come to the conclusion there
is NO impact, in essence entering a 4th possible rating outcome to which there
is no reference for keeping any information. Or is it that if you have Bulk
Electric System assets (greater than 100kV) if you are not HIGH or MEDIUM, then
you are by default LOW, ie: there is never a NO impact rating for BES assets?
Steve Parker
The latter.
Sort of. This is a bit of a trick question. The bright line criteria do not
contain the concept of "no impact", every applicable BES facility
will be either high, medium, or low. Where it gets tricky is in the definition
of BES Cyber Assets and Systems. The bright line criteria are used to determine
the impact rating of BES Cyber Systems, which by definition are groupings of
BES Cyber Assets, which by definition are capable of having an impact.
So, it is possible that some Cyber Assets may have no impact, but at that point they would not meet the definition of BES Cyber Asset, and therefore would never make it to the bright line criteria evaluation stage.
So, it is possible that some Cyber Assets may have no impact, but at that point they would not meet the definition of BES Cyber Asset, and therefore would never make it to the bright line criteria evaluation stage.
Me
Dennis, this
is one of the few things that I think is fairly straightforward in CIP-002-5:
1. If your entity has one or more NERC functional designations listed in Section 4.1 of CIP-002-5; and
2. If your entity has BES Facilities as described in Section 4.2 (and in practice this means if your entity has any Facilities that fall within the BES definition. Of course, since that's changing, I think you'll need to base this on your guess as to what the BES definition will be on April 1, 2016, but I may be wrong on this); then
3. Each of those Facilities will be at least a Low impact. So there isn't such a thing as a No Impact rating for BES Facilities.
Now, when you get to BES Cyber Assets, there are folks that believe there can be No Impact BCA's (and therefore BCS's) at BES Facilities - so the Facility could be Low, Medium or High, and the cyber asset could be no impact.
An example of this is Criterion 2.1 of Attachment 1, which says that BES Cyber Systems at a 1500MW+ generating station (which is Medium impact), that don't themselves control 1500MW, aren't Medium impact. So what are they? I believe they're Low impact, but I know perfectly rational people who, while perfectly sober, say these BCS aren't even Low - they're just out of scope.
That's the nice thing about CIP-002-5. You can make almost any interpretation you want and find a way to justify it with the wording of the standard [Irony Alert].
While I was writing this, Steve's comment appeared. I agree with him that the wording of Attachment 1 makes it sound like you're classifying BES Cyber Systems there. However, if you look at requirement parts R1.1, R1.2 and R1.3 - which direct the entity to Attachment 1 in the first place - they seem to make it clear that you are going there to classify BES assets (i.e. Facilities), not BES Cyber Systems. So it seems the BCS should really simply take the rating of the Facility - and in my opinion this is what the SDT intended.
Again, this is a question that rational people can disagree on, given the current wording of CIP-002-5. I strongly believe this standard needs to be rewritten, as it is going to lead to endless interpretation disputes - with no good answers available - if it isn't rewritten. That might be good for lawyers and consultants, but it won't be good for NERC entities and the poor auditors who have to try to make sense of this.
1. If your entity has one or more NERC functional designations listed in Section 4.1 of CIP-002-5; and
2. If your entity has BES Facilities as described in Section 4.2 (and in practice this means if your entity has any Facilities that fall within the BES definition. Of course, since that's changing, I think you'll need to base this on your guess as to what the BES definition will be on April 1, 2016, but I may be wrong on this); then
3. Each of those Facilities will be at least a Low impact. So there isn't such a thing as a No Impact rating for BES Facilities.
Now, when you get to BES Cyber Assets, there are folks that believe there can be No Impact BCA's (and therefore BCS's) at BES Facilities - so the Facility could be Low, Medium or High, and the cyber asset could be no impact.
An example of this is Criterion 2.1 of Attachment 1, which says that BES Cyber Systems at a 1500MW+ generating station (which is Medium impact), that don't themselves control 1500MW, aren't Medium impact. So what are they? I believe they're Low impact, but I know perfectly rational people who, while perfectly sober, say these BCS aren't even Low - they're just out of scope.
That's the nice thing about CIP-002-5. You can make almost any interpretation you want and find a way to justify it with the wording of the standard [Irony Alert].
While I was writing this, Steve's comment appeared. I agree with him that the wording of Attachment 1 makes it sound like you're classifying BES Cyber Systems there. However, if you look at requirement parts R1.1, R1.2 and R1.3 - which direct the entity to Attachment 1 in the first place - they seem to make it clear that you are going there to classify BES assets (i.e. Facilities), not BES Cyber Systems. So it seems the BCS should really simply take the rating of the Facility - and in my opinion this is what the SDT intended.
Again, this is a question that rational people can disagree on, given the current wording of CIP-002-5. I strongly believe this standard needs to be rewritten, as it is going to lead to endless interpretation disputes - with no good answers available - if it isn't rewritten. That might be good for lawyers and consultants, but it won't be good for NERC entities and the poor auditors who have to try to make sense of this.
Steve
Tom - I
think we agree. The facility gets the rating, then the BES Cyber Systems that
are associated with the facility take that impact rating. The wording is
confusing.
My other point was that there is also a filter for cyber assets within the definitions. So, though it is improbable that a BES facility would have no BES Cyber Assets (or more specifically, that all Cyber Assets would fail the definition of BES Cyber Asset), it is possible, and that would be the only scenario in which "no-impact" made sense.
My other point was that there is also a filter for cyber assets within the definitions. So, though it is improbable that a BES facility would have no BES Cyber Assets (or more specifically, that all Cyber Assets would fail the definition of BES Cyber Asset), it is possible, and that would be the only scenario in which "no-impact" made sense.
Me
Thanks,
Steve. Even though we agree on this point, there are others who don't,
including at least one influential auditor. They believe there can be multiple
levels of BCS at a single facility. For instance, a Low facility could have
Medium impact BCS, and a Medium facility could have Lows (there is only one
case where I'll concede this is possible, which is for cyber assets that aren't
networked with a BCS controlling more than 1500MW in an Appendix 2.1 plant.
Those cyber assets would be Lows, even though the BCS in question would be
Mediums).
But there really isn't any way to settle this issue (and about 4 or 5 others), given the sloppy wording of CIP-002-5. At the NERC CIPC meeting tomorrow, I'm hoping to get NERC staff members to agree that the new SDT - addressing the Order 791 directives - should also rewrite CIP-002-5 so the wording is consistent and understandable. I see nothing but trouble if that doesn't happen.
Regarding your other point about no-impact, the facility would still be a Low impact, regardless of whether or not it had BCS. And given the current wording of CIP V5, it doesn't matter whether or not a Low facility has any BCS; it still has to implement four policies applying to the entire facility (in fact, I think "Low impact BCS" is kind of an oxymoron, like "Jewish Pope"). As you know, that could change when the SDT addresses FERC's directives for Lows.
But there really isn't any way to settle this issue (and about 4 or 5 others), given the sloppy wording of CIP-002-5. At the NERC CIPC meeting tomorrow, I'm hoping to get NERC staff members to agree that the new SDT - addressing the Order 791 directives - should also rewrite CIP-002-5 so the wording is consistent and understandable. I see nothing but trouble if that doesn't happen.
Regarding your other point about no-impact, the facility would still be a Low impact, regardless of whether or not it had BCS. And given the current wording of CIP V5, it doesn't matter whether or not a Low facility has any BCS; it still has to implement four policies applying to the entire facility (in fact, I think "Low impact BCS" is kind of an oxymoron, like "Jewish Pope"). As you know, that could change when the SDT addresses FERC's directives for Lows.
Matt Davis, Ernst & Young
Let's put
CIP aside for a moment. What boggles my mind if that entities are basically
stating that they don't have intentory of assets that were implemented for some
reason. That seems problematic for just regular business operations like
O&M. I guess that means they can't/don't have insurance for those assets.
If the asset fails, their may not know and may have a tough time fixing it. I
could keep going, but it just seems to smack of bad business practices. As a
COO, I would think there is some enterprise risk here that I wouldn't like at
all. The industry needs to want inventory rather than us argue about the need
for it during an audit.
Kevin Perry, SPP
As a
friendly, benevolent auditor, I would love to see a complete list, inventory,
what have you, of every BES Cyber Asset, including the Lows. After all, how
does an entity demonstrate that all of the high and medium BES Cyber
Assets/Systems have been properly classified as such if there is no visibilty
of what is left after the nominated Highs and Mediums are identified. But...the
standards say that no list of Low impact systems is required and FERC approved
the standard.
So, what do I anticipate with respect to auditing Low impact systems? I anticipate that the auditor will have to take a Facility-wide view of the application of controls. The Registered Entity will have a "bunch of stuff" at their Facility that need to be protected per the four policies, the four policies will be broadly defined to encompass the Facility overall, and in doing so will cover the "bunch of stuff." The entity is welcome to be more granular if they want, with multiple sets of system-specific policies, but that is not required. I expect that after NERC and the to-be-stood-up SDT get done, the four policies will only require basic Security-101 protections that can be broadly applied at the Facility level.
So, what do I anticipate with respect to auditing Low impact systems? I anticipate that the auditor will have to take a Facility-wide view of the application of controls. The Registered Entity will have a "bunch of stuff" at their Facility that need to be protected per the four policies, the four policies will be broadly defined to encompass the Facility overall, and in doing so will cover the "bunch of stuff." The entity is welcome to be more granular if they want, with multiple sets of system-specific policies, but that is not required. I expect that after NERC and the to-be-stood-up SDT get done, the four policies will only require basic Security-101 protections that can be broadly applied at the Facility level.
Stacy
And how do
you audit the "bunch of stuff" that is being protected per these
SEC101 policies? I propose that you sample a set of low impact devices within
that facility using a....wait for it....list of low impact devices the utility provides.
I really think the excuses I've heard for not managing a list of low impact BES Cyber Assets amount to just not wanting to do it. Like Matt said...if I were the COO and you couldn't "account" for these cyber assets we then I think we'd have a serious business problem.
I really think the excuses I've heard for not managing a list of low impact BES Cyber Assets amount to just not wanting to do it. Like Matt said...if I were the COO and you couldn't "account" for these cyber assets we then I think we'd have a serious business problem.
Kevin
The auditor
is prohibited from demanding a list of Low impacting BES Cyber Assets - the
entity will rightfully protest that they are not required to maintain a list.
But the audit team can certainly ask if there is a list available - no harm, no
foul if one is not forthcoming. The audit team can and likely will inquire as to
how the entity derived its list of High and Medium impacting BES Cyber Assets.
The audit team can have a discussion about the types of systems found at the
Facility (Generating plants will be the most challenging) and the audit team
can certainly don their PPE and tour the Facility, asking about Cyber Assets
they see. The auditor may also ask for physical security plans and processes,
along with evidence of performance to compare againt the required policy
document. The auditor may ask for communication network diagrams to aid in the
evaluation of the electronic security policy. Audtiing of Low impacting BES
Cyber Assets can be done without having to start with a list to sample from
(and how do you know the list is complete without validating it somehow...).
I agree that there are many business reasons for maintaining an inventory of Cyber Assets, including asset management, risk management, cost management, fill in the blanks. If an entity has no idea what Cyber Assets are deployed at a Facility, they have much more aggregious issues than cyber security from a reliability perspective. But, the CIP standards themselves do not require the maintenance of a list. It serves no purpose to continue to argue the perceived deficiency in the CIP standard - either accept reality or attempt to change reality through the standards development process. In the mean time, the auditors will be identifying approaches for auditing and the entities need to be identifying ways to demonstrate compliance -- and that could include maintaining a list of Low impacting BES Cyber Assets - for business reasons of course...
I agree that there are many business reasons for maintaining an inventory of Cyber Assets, including asset management, risk management, cost management, fill in the blanks. If an entity has no idea what Cyber Assets are deployed at a Facility, they have much more aggregious issues than cyber security from a reliability perspective. But, the CIP standards themselves do not require the maintenance of a list. It serves no purpose to continue to argue the perceived deficiency in the CIP standard - either accept reality or attempt to change reality through the standards development process. In the mean time, the auditors will be identifying approaches for auditing and the entities need to be identifying ways to demonstrate compliance -- and that could include maintaining a list of Low impacting BES Cyber Assets - for business reasons of course...
Stacy
@Kevin. Of
course, you make a good point. The auditors can't find non-compliance because a
list doesn't exist. That said, there are a lot of things that the auditors
request that are not required (e.g., spreadsheets like RFC's infamous
Attachment C-CIP.xls, etc).
The difference here is, obviously, that there is a statement in an approved standard that says "a discrete list of low impact BES Cyber Systems is not required". Plenty of different ways to go about getting to the facts as you mentioned. But I dare say...it seems like we are playing games rather than just doing the right thing again <- not directed at anyone in particular.
@Responsible Entity. Creating a list (inventory) of your Low Impact BES Cyber Systems/Assets is good business IMO. Why not do it and save yourself from auditor work arounds to get to the same results (or as close as they need to "see" compliance"). The exercise may yield other unrelated facts that could save you from potential PVs in other CIP requirements ;-) I can't tell you how many times I was told that we don't have any of those widgets in our plant only to find one or two within a couple minutes into a physical inspection of the facility. Also...I'm not convinced that this "no list" statement for low impact BES Cyber Systems will survive the test of time. Getting ahead of the game can have its benefits as well.
The difference here is, obviously, that there is a statement in an approved standard that says "a discrete list of low impact BES Cyber Systems is not required". Plenty of different ways to go about getting to the facts as you mentioned. But I dare say...it seems like we are playing games rather than just doing the right thing again <- not directed at anyone in particular.
@Responsible Entity. Creating a list (inventory) of your Low Impact BES Cyber Systems/Assets is good business IMO. Why not do it and save yourself from auditor work arounds to get to the same results (or as close as they need to "see" compliance"). The exercise may yield other unrelated facts that could save you from potential PVs in other CIP requirements ;-) I can't tell you how many times I was told that we don't have any of those widgets in our plant only to find one or two within a couple minutes into a physical inspection of the facility. Also...I'm not convinced that this "no list" statement for low impact BES Cyber Systems will survive the test of time. Getting ahead of the game can have its benefits as well.
Dennis
So Stacy let
me take your premise one step further before your done with lists, I am
assuming then that you would recommend a complete list of Cyber Assets/Systems
(what good business does not have this?) even if they are a NO impact
Asset/System so you can be ready to explain the NO impact? I think the
alternative sounds like if on physical inspection an auditor sees a Cyber Asset
in a particular facility and would like to know how that determination was
made, that evaluation (which needed to be performed by the Entity at some
point) would be handy to have around. Even though it may not be evidentiary, is
there a need to prove/demonstrate NO impact?
Of course I am still not completely clear on the possible NO impact scenario. In the Background Section 6, the standard states "The scope of the CIP Cyber Security Standards is restricted to BES Cyber Systems that would impact the reliable operation of the BES." Doesn't this imply then that some would not? Is it then possible, for example, that a TO/TOP Control Center SCADA System be considered a NO impact? And if so, what mechanism exists in the V5 Standard to properly apply and demonstrate that?
Of course I am still not completely clear on the possible NO impact scenario. In the Background Section 6, the standard states "The scope of the CIP Cyber Security Standards is restricted to BES Cyber Systems that would impact the reliable operation of the BES." Doesn't this imply then that some would not? Is it then possible, for example, that a TO/TOP Control Center SCADA System be considered a NO impact? And if so, what mechanism exists in the V5 Standard to properly apply and demonstrate that?
Me
Dennis,
there is definitely no "No Impact" category for Facilities in CIP
Version 5. This is because all BES facilities are in scope (per Section 4.2),
and those that aren't High or Medium impact are Low impact (by Attachment 1). I
agree it's more problematic whether or not there are No Impact BES Cyber
Systems; the sentence you quote certainly implies that (and the wording of
Attachment 1 actually implies it as well, although R1.1-1.3 contradict it).
This is - as I've said many times before - a huge problem with CIP-002-5: the wording is imprecise and self-contradictory, so that reasonable people can have completely divergent views on each of a number of questions, including this one. I don't see this changing, either.
This is - as I've said many times before - a huge problem with CIP-002-5: the wording is imprecise and self-contradictory, so that reasonable people can have completely divergent views on each of a number of questions, including this one. I don't see this changing, either.
All opinions expressed herein are mine, not
necessarily those of Honeywell
International, Inc.
No comments:
Post a Comment