Before I start, I’ll say that you should definitely read the first two posts in this series (Part 1 and Part 2) before you read this one. I won’t say this will be unintelligible if you don’t, but you will understand a lot more if you do.
Some Preliminaries
In this, the exciting conclusion to my series of posts on identifying assets in CIP-002-5 R1, I will present my own interpretation of the best methodology for accomplishing this task. Before I do that, I’ll summarize the premises of this exercise, as described in the previous posts (but I’ll admit I’ve refined some of this, so it doesn’t match exactly with what I said before. As Emerson said, “Consistency is the hobgoblin of little minds”):
- I contend that, because of the inconsistencies in the wording of CIP-002-5 R1 and the related Attachment 1, there can be no interpretation (i.e. no methodology for asset identification) that conforms to all of the words in that requirement.
- I have talked with a number of people (entities and auditors) about this, and I can confirm there is a variety of interpretations out there.
- This is not a good situation, of course. Entities need to conduct their CIP v5 asset identification, confident that the methodology they follow is the one that the auditor will refer to when they get their first CIP v5 audit. And if the entity doesn’t follow the “correct” method to identify assets in CIP-002-5, they will be way off base in complying with the other v5 standards as well.
- I had hoped that either a) FERC would order NERC to fix the wording problems as they make the other revisions mandated in Order 791, or b) NERC would decide on their own that the wording needs to be fixed, and add this to the set of tasks to be accomplished by the new Standards Drafting Team. However, neither of these events has come to pass.
- This leaves me with Plan B: NERC (working with the regions) needs to determine and publish a consistent interpretation of CIP-002-5 R1. This won’t agree with every word in the requirement (and Attachment 1), since that is impossible. But if NERC gives their blessing to one methodology, and the auditors audit based on it, we just may come out of this OK. If an entity were to challenge this in court, of course, NERC’s interpretation won’t mean anything – only the words of the requirement will. But short of that, it would mean a lot.
- Over the past couple of months, I have had extensive email discussions with six or seven people involved with CIP v5 compliance, including a regional CIP auditor, on this question. In the course of these discussions, I have been able to identify two different methodologies – one mine, one the auditor’s – for CIP-002-5 R1 compliance. They are both consistent, although neither conforms to all the wording in the requirement and Attachment 1. I won’t say there aren’t other consistent methodologies that could be developed, and I would very much like to hear if someone has one.
- I not surprisingly feel my methodology is superior to the auditor’s, and I will outline my reasons for feeling that way in this post. However, even if NERC were to choose the auditor’s interpretation, or another one, it would still be much better than the current every-man/woman-for-him/herself situation, in which ultimately each entity needs to decide how they’re going to comply with CIP-002-5 R1 (and each auditor, or at least region, needs to decide how they’re going to audit it). There will be a lot of bad consequences if nothing is done about this problem.
One benefit of my email discussions with the auditor was that I was able to clarify what really were the important differences between his position and mine, and which differences weren’t really differences at all. Therefore, I’ve identified four stipulations that I believe should be made (by NERC), regardless of the methodology that is ultimately adopted. I discussed three of these in Part 1, and now have decided there should be a fourth. Refer to Part 1 for the full discussion of the first three.
- The term “Facility” should be re-interpreted to mean “a Facility containing one or more of the six types of assets listed in CIP-002-5 R1”. That is, a Facility should be a “container” for one or more assets. If you want to know why I’m suggesting this, see the fourth stipulation below.
- It should be made clear that the preferred approach to identifying Medium and High impact BES Cyber Systems is to combine the “top down” and “bottom up” approaches. I discussed these approaches in mind-numbing detail in Part 1, as well as two previous posts referred to in the Part 1 discussion.
- It should be made clear whether what I’m calling “segregated cyber assets” in Part 1 are either Low impact or out of scope entirely for CIP version 5. I think the wording of CIP-002-5 R1 slightly favors the idea that they should be Lows, but I’m willing to go with whatever NERC says. However, they need to say something, rather than requiring all entities to make this decision for themselves.
- This is the stipulation I have added to the three I listed in Part 1: I think NERC needs to make it clear that, with one exception, all of the BES Cyber Systems associated with a High or Medium impact asset should take that impact level. The exception is in the case of Medium impact assets meeting Criteria 2.1 or 2.2. Those two criteria state that BCS that don’t meet a certain threshold are explicitly not Medium impact, but they don’t say what they are. If NERC decides they are Low impact, then this would be an exception to this stipulation; but it should be the only one.
Why do I say there should be just one level of BCS associated with a High or Medium asset? Because there are a number of people who feel differently, saying it is somehow up to the entity to decide the impact level of the BCS at an asset. In 90% of the cases, I think they’re saying this because of the lack of a clear term for a “container” of assets, as I have discussed in point 1 above. If there isn’t such a term, then you can get confused by pointing to cases where one “asset” houses another – e.g. a transmission substation that contains an SPS system. The SPS is itself one of the six asset types listed in R1, and of course the substation is as well. So if the substation is Low impact but the SPS itself is Medium due to meeting Criterion 2.9, there will be two types of BES Cyber Systems at the one substation Facility: the Low BCS belonging to the substation asset and the Medium BCS that are part of the SPS. If we make it clear that the substation Facility contains two assets – the Low impact substation and the Medium impact SPS – then we can have a rule that states that all of the BCS associated with an asset are one impact level (of course with the exception of Criteria 2.1 and 2.2. And now, I state Alrich’s Law: There can be no statement made about anything having to do with NERC compliance that doesn’t have an exception. I believe there are no exceptions to this law).
Why am I so concerned about this? Because I know some entities seem tempted to believe they can classify BES Cyber Systems independent of the Attachment 1 criteria. That is, they think they can say, “Even though this BCS is part of a Medium impact substation, it really doesn’t have that much impact, so I’ll call it a Low.” I believe that is something that isn’t allowed in CIP v5, but I’ll admit the wording of Attachment 1 could well lead someone to believe this was possible. I think there could be lots of problems if it isn’t made clear that, while there can be multiple levels of asset located at one Facility, there can be only one level of BCS associated with a particular asset (except for Criteria 2.1 and 2.2, of course).
And Now, Tom’s Methodology
With these stipulations out of the way, let’s look at my methodology for CIP-002-5 R1 compliance. There is one big difference between my methodology and the auditor’s: In mine, you classify assets first, then identify the BES Cyber Systems associated with them. In the auditor’s, you identify and classify BES Cyber Systems without ever actually classifying the assets.
The main reason I prefer my methodology is that it is essentially the one that entities are used to from complying with CIP versions 1-4 (yes, I know v4 never came into effect, but a lot of entities went fairly far down the road to v4 compliance). In v1-4, you did two things. First, you identified your Critical Assets (i.e. you classified your assets into two levels: critical and not critical). Then, you identified the Critical Cyber Assets that were “essential to the operation of” those Critical Assets.
I’m saying, let’s do the same thing for CIP v5. Here are the entire details of my methodology:
- First, an entity needs to classify its assets (defined as the six types listed in R1) into High, Medium and Low impact, based on the Attachment 1 bright line criteria.
- Second, the entity needs to identify BES Cyber Systems either at or associated with the High and Medium impact assets (and see the discussion in Part 2 about “at” and “associated with”). As I've already mentioned, I recommend this be carried out by combining the top-down and bottom-up approaches.
- Finally, the entity needs to identify Low impact assets, without having to identify BES Cyber Assets or BES Cyber Systems at those assets. And why doesn't the entity need to identify Low impact BCA or BCS? Because CIP-003-5 R2, the single requirement in v5 that applies to Lows, says absolutely nothing about BES Cyber Systems. The four policies in that requirement need to be applied at the asset level, not the cyber asset level. So there is no reason to even discuss the term Low impact BES Cyber System.[i]
And there you go: I’ve just given you my entire methodology. But that was the easy part; now I have to convince you that this is a good one.
This brings me to the second reason why I prefer my methodology: I have yet to talk to any NERC entity (and I have been talking with a lot lately, and will be talking with a lot more in the near future) that isn’t using a methodology like mine. I won’t say there aren’t a few out there who are using something like the auditor’s methodology; and I certainly won’t deny that his methodology may be the runaway favorite in the auditor community. But I will say that I’ve had in-depth discussions of CIP v5 methodology with over ten entities, and every one of them has started by saying something like, “Well, we are first looking at which of our assets are going to be High, Medium or Low.” Nobody has said, “We’re starting to identify our BES Cyber Systems, so we can then classify each one using Attachment 1.”
And when you think about it, how could it be otherwise? After five years of focusing relentlessly on what assets would be in or out of scope for CIP, and only then looking at what cyber assets are essential to them, does NERC really think the whole industry is going to do a huge shift and think almost entirely in terms of BES Cyber Systems, regardless of where they might happen to be deployed?
Now, I’ll concede right now that the language of Attachment 1 almost requires an interpretation like the auditor’s. It is quite straightforward in saying that it is all about classifying BES Cyber Systems. It clearly is written assuming the entity has already gone through all of its cyber assets and identified its BCS – which itself is very interesting, given that nowhere in R1 does it tell you to first identify BCS. It seems the entity has to figure out for themselves - by the fact that R1 and Attachment 1 just talk about how BCS are classified - that they have to have already identified them all before they even start into Attachment 1. Even Section 3 of Attachment 1, which deals with Low impacts, is written entirely in terms of BCS, saying simply that Low BCS are those that aren't Medium or High impact. The entity clearly has to start out Attachment 1 with a complete list of its BCS, at least if they’re going to follow the language literally.
I do want to point something else out: Most people are used to dealing with the Attachment 1 that was included in CIP-002-4 (again, even though v4 never came into effect, many entities spent a lot of time trying to comply with it). The wording of the criteria in that Attachment 1 is in some cases exactly the same as in Attachment 1 in v5. Yet the v4 version makes clear that it is for identification of Critical Assets (the "big iron"), not Critical Cyber Assets ("little iron"). When those people turn to Attachment 1 in v5, they will have to make a complete shift to using those criteria to identify BES Cyber Systems (little iron), not the "assets" (big iron). I haven't talked to any entity that has actually made this shift. And frankly, I see no reason why they should have to, other than confusion in the wording of CIP-002-5.
When you move from Attachment 1 to CIP-002-5 R1 itself, the wording is much more nuanced, and seems to favor my methodology. It starts out by requiring the Responsible Entity to “implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3”, followed by the list of six asset types in scope. This is followed by R1.1 and R1.2, which instruct the user to identify High or Medium impact BCS "at" (in R1.1) or "associated with" (in R1.2) each asset, by going to Attachment 1. This sounds like much more of an asset focus to me.
Now, I will concede that R1.1 and R1.2 aren’t strictly asking you to classify the assets themselves, but only the BCS located at them; so they don't clearly support my interpretation. But when you get to R1.3, the instructions are much different. There, you are instructed to identify each asset that “contains a low impact BES Cyber System” by again going to Attachment 1. So R1.3 is explicitly asking you to identify assets, not BCS.
Of course, R1.3 doesn't call the asset in question a Low impact asset – that would be too much of a step away from maintaining the fiction that the whole purpose of CIP-002-5 R1 is to classify BCS. But at the same time, it obviously can’t tell you to identify Low BCS (the way R1.1 and R1.2 did for High and Medium BCS), since it says in the next sentence that an inventory of Low BCS isn't required.
Instead, R1.3 tells you to identify assets that “contain” low BCS, according to Section 3 of Attachment 1. So let’s go there and see if we can figure out what’s going on. There, we see that Low impact BCS are “BES Cyber Systems not included in Sections 1 or 2 above that are associated with any of the following assets”, followed by the same list of six asset types shown in R1. What are we to conclude from this? It seems clear that we have to start Attachment 1 with a complete list of BCS, then subtract out the High and Medium BCS to come up with our list of Lows. We then use this list to identify the assets that contain Low BCS. But how can we do this if a list of Low impact BCS isn’t required?
And this is where the auditor’s interpretation breaks down. He says he will be comfortable if the entity simply asserts that an asset contains one or more Low BCS, without specifically identifying it. However, I know he won’t necessarily just roll over if the entity asserts that an asset – that contains control systems – doesn’t contain any Low BCS. He will ask the entity about systems like DCS (at a generating station), protective relays (at a substation), etc. Has the entity really determined that none of these should be identified as BCS at/associated with the asset in question? I certainly don’t begrudge the fact that the auditor has to dance around like this – essentially saying that, despite the literal meaning of the wording in Attachment 1, his auditing approach won’t require a pre-existing list of BCS. It just goes back to what I was saying: there is no consistent methodology for CIP-002-5 R1 compliance (and the auditor's methodology is consistent) that won’t violate at least some of the wording of the requirement (including Attachment 1).
But let’s get back to what we were doing: trying to figure out how we comply with R1.3 and identify assets that contain Low impact BCS. And let’s assume that we don’t have a pre-existing list of all BCS. This means we have to do some sort of dance like the auditor is suggesting, where we look at each asset and try to take a good guess as to whether or not it contains a Low BCS. Which assets do we do that dance for? It has to be all of our assets. Since, following the literal wording of CIP-002-5 R1 so far, we haven’t identified any assets that are High or Medium, we have to consider any asset - High, Medium or Low - as one that might potentially contain a Low BCS. Indeed, it is quite possible that assets that we would identify – using my methodology – as High or Medium impact will also be “assets that contain a Low impact BCS”; this would happen if they contain what I'm calling "segregated cyber assets" above and in the previous post. This means that those assets will have to comply with CIP-003-5 R2, along with all of the other v5 requirements that apply to Mediums.[ii]
As you can see, we have to do a lot of work – and probably go through a lot of hand-wringing and hair-pulling – to comply with the literal wording of R1.3 and identify assets containing Low BCS. And why do we have to do that? As I’ve already said, the one v5 requirement that applies to Lows says nothing about BCS; so there is absolutely no compliance need to identify Low BCS. Wouldn’t it be a lot easier if we just dropped the fiction that, in order to identify Low impact assets, we need to identify Low BCS? This is why my methodology simply requires that we identify Low impact assets, not the BCS that may or may not be in them.[iii]
Of course, to identify Low impact assets, we have to first identify High and Medium impact assets (since there are no criteria that tell you what a Low asset is). So my methodology starts with identifying High and Medium impact assets using the criteria in Sections 1 and 2 of Attachment 1.[iv] The Lows are all BES assets that aren’t High or Medium impact.[v] The entity just has to identify BCS at or associated with the High and Medium impact assets, not with the Low impact assets.
I rest my case. To summarize:
- I believe the auditor’s CIP-002-5 R1 methodology (which I’ll admit is closer to the actual wording of the requirement and especially Attachment 1) will impose a big, totally unneeded paperwork burden on owners of Low assets. They will struggle to show they have identified every asset that contains a Low BCS, when what’s really required for compliance is simply identifying Low assets.[vi]
- As I said in Part 2, there is a possibility that an auditor, who interprets CIP-002-5 R1 according to my auditor friend’s methodology, will end up requiring an entity to have an inventory of cyber assets associated with at least some Low impact assets - if they want to be very hard-nosed about having the entity prove they don’t have BCS at those assets. The literal wording of Attachment 1 would back the auditor up in making this demand.
- Probably most importantly, my unscientific polling shows that the overwhelming majority of entities subject to CIP v5 are following “my” methodology, simply because it follows very naturally from what they are used to doing for compliance with CIP versions 1-4. Is it really worth it to force them to use my auditor friend’s approach, given that there is absolutely no compliance or security reason to focus on classifying High, Medium and Low impact BCS, rather than High, Medium and Low impact assets (and the BCS that support the High and Medium ones)?[vii]
- However, there is something worse than having NERC not adopt my methodology; it’s having them not adopt any methodology at all, even the auditor’s. I see this as a great recipe for confusion, ill-will and disputed fines in the years ahead.
All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.
[i] Of course, FERC did order more specific requirements for Lows, and we won’t know what those will be until the new SDT meets and draws them up. However, I and most others think it’s highly unlikely the new SDT will develop requirements that apply to particular Low impact cyber assets – whether BES Cyber Systems or not. And FERC said in Order 791 that they don’t expect NERC to develop this type of requirement.
[ii] You might point out that it really isn’t the end of the world if Medium and High impact assets also have to comply with CIP-003-5 R2, the one Low requirement, since anything that an entity has to do in that requirement is surely already included in the many requirements with which High and Medium impact assets have to comply. But there will certainly be a paperwork burden involved in doing this, which is of course completely meaningless from the point of view of cyber security (remember that? CIP was supposed to have something to do with cyber security, if I recall correctly); and there will be a compliance risk if the entity misses some step in the paperwork. I’m sure it wasn’t the intent of the SDT to have Mediums and Highs also have to be Lows, but this is the direct effect of the current wording.
[iii] Now that I think of it, this question is similar to the famous Schrodinger’s Cat paradox in quantum physics. There, the poor cat, enclosed in an opaque box with a poison that may or may not have been released, is literally dead and alive at the same time until the box is opened and an observation is made - then it is actually either dead or alive. In our case, the Low impact BCS might or might not exist at a Low impact asset. But, unlike in the case of the cat, it’s not a question we even need to be asking, since as I said Low impact BCS have no role whatsoever in CIP v5 – so no observation ever needs to be made to determine whether they're there or not.
[iv] We of course have to ignore the language in those two sections that says we’re really looking for BES Cyber Systems “used by and located at” the High criteria or “associated with” the Medium criteria. We’re really looking at the criteria themselves, which specify assets, not BCS. As I’ve said, in order to come up with any consistent methodology for CIP-002-5 R1 compliance, you have to decide which wording you’ll ignore. This is some of the wording I choose to ignore.
[v] There is a complication in my methodology: It doesn’t allow for any BES assets to be other than High, Medium or Low impact. The auditor’s methodology, since it follows the wording of R1.3 about identifying assets that contain Low impact BCS, leaves open the possibility – whether or not it was intended by the SDT – that some BES assets won’t be High, Medium or Low impact, but will be nothing at all. I regard this as a small price to pay for the fact that my methodology will greatly simplify the paperwork burden by doing away with the concept of Low BCS altogether. But if you feel strongly that there should be BES assets that aren’t High, Medium or Low impact, this won’t bother you, and you’ll be happy to deal with the additional paperwork generated by the auditor’s methodology.
However, one could make a case that BES assets that don’t have any process control systems shouldn’t even be Lows – after all, CIP is to protect control systems, right? If NERC wanted to adopt my methodology, they could easily say that assets without control systems aren’t High, Medium or Low impact. Or they could just say that Low assets without control systems only have to comply with CIP-003-5 R2.1 (cyber security awareness, which is important for all employees of any organization nowadays) and R2.2 (physical security controls), but not with R2.3 and R2.4, which specifically apply to facilities with control systems.
[vi] When I was first thinking about this post, I thought there might be another big difference between the two approaches: one might result in many more BCS being identified than the other. However, I don’t believe this is the case now (although if someone thinks it would be, I’d like to know why - I could be wrong about this). In theory, there shouldn’t be any difference in results between the two approaches. In the auditor’s approach, the entity identifies BCS across the various assets, then classifies these using Attachment 1. In my approach, the entity first classifies assets as High, Medium or Low impact, then identifies BCS at the Highs and Mediums. Keep in mind that I’ve already stipulated that the “top-down” and “bottom up” approaches should both be applied in identifying BCS at High and Medium assets, so this is removed as a source of difference between the two approaches (a couple months ago, I thought this was the most important difference between my methodology and the auditor’s, but I came to realize the two approaches could – and should – coexist. And the auditor agrees with me on this).
[vii] A person from FRCC told me recently that Scott Mix of NERC, when he addressed their CIP group in May, said definitely that the first step in compliance with CIP-002-5 R1 was to use Attachment 1 to classify the assets, then to identify High and Medium impact BCS. And when questioned about this, he said that NERC should probably clarify this for the entities. I certainly hope he hasn’t changed his tune since then. If not, I may owe Scott some sort of royalties for just repeating in my posts what he had already said very eloquently in May.