Monday, January 13, 2014

How do I Identify Assets for CIP Version 5? (Part 3)

Before I start, I’ll say that you should definitely read the first two posts in this series (Part 1 and Part 2) before you read this one.  I won’t say this will be unintelligible if you don’t, but you will understand a lot more if you do.

Some Preliminaries
In this, the exciting conclusion to my series of posts on identifying assets in CIP-002-5 R1, I will present my own interpretation of the best methodology for accomplishing this task.  Before I do that, I’ll summarize the premises of this exercise, as described in the previous posts (but I’ll admit I’ve refined some of this, so it doesn’t match exactly with what I said before.  As Emerson said, “Consistency is the hobgoblin of little minds”):

  1. I contend that, because of the inconsistencies in the wording of CIP-002-5 R1 and the related Attachment 1, there can be no interpretation (i.e. no methodology for asset identification) that conforms to all of the words in that requirement. 
  2. I have talked with a number of people (entities and auditors) about this, and I can confirm there is a variety of interpretations out there.
  3. This is not a good situation, of course.  Entities need to conduct their CIP v5 asset identification, confident that the methodology they follow is the one that the auditor will refer to when they get their first CIP v5 audit.  And if the entity doesn’t follow the “correct” method to identify assets in CIP-002-5, they will be way off base in complying with the other v5 standards as well.
  4. I had hoped that either a) FERC would order NERC to fix the wording problems as they make the other revisions mandated in Order 791, or b) NERC would decide on their own that the wording needs to be fixed, and add this to the set of tasks to be accomplished by the new Standards Drafting Team.  However, neither of these events has come to pass.
  5. This leaves me with Plan B: NERC (working with the regions) needs to determine and publish a consistent interpretation of CIP-002-5 R1.  This won’t agree with every word in the requirement (and Attachment 1), since that is impossible.  But if NERC gives their blessing to one methodology, and the auditors audit based on it, we just may come out of this OK.  If an entity were to challenge this in court, of course, NERC’s interpretation won’t mean anything – only the words of the requirement will.  But short of that, it would mean a lot.
  6. Over the past couple of months, I have had extensive email discussions with six or seven people involved with CIP v5 compliance, including a regional CIP auditor, on this question.  In the course of these discussions, I have been able to identify two different methodologies – one mine, one the auditor’s – for CIP-002-5 R1 compliance.  They are both consistent, although neither conforms to all the wording in the requirement and Attachment 1.  I won’t say there aren’t other consistent methodologies that could be developed, and I would very much like to hear if someone has one.
  7. Not surprisingly, I feel my methodology is superior to the auditor’s, and I will outline my reasons for feeling that way in this post.  However, even if NERC were to choose the auditor’s interpretation, or another one, it would still be much better than the current every-man/woman-for-him/herself situation, in which ultimately each entity needs to decide how they’re going to comply with CIP-002-5 R1 (and each auditor, or at least region, needs to decide how they’re going to audit it).  There will be a lot of bad consequences if nothing is done about this problem.

One benefit of my email discussions with the auditor was that I was able to clarify what really were the important differences between his position and mine, and which differences weren’t really differences at all.  Therefore, I’ve identified four stipulations that I believe should be made (by NERC), regardless of the methodology that is ultimately adopted.  I discussed three of these in Part 1, and now have decided there should be a fourth.  Refer to Part 1 for the full discussion of the first three.

  1. The term “Facility” should be re-interpreted to mean “a Facility containing one or more of the six types of assets listed in CIP-002-5 R1”.  That is, a Facility should be a “container” for one or more assets.  If you want to know why I’m suggesting this, see the fourth stipulation below.
  2. It should be made clear that the preferred approach to identifying Medium and High impact BES Cyber Systems is to combine the “top down” and “bottom up” approaches.  I discussed these approaches in mind-numbing detail in Part 1, as well as two previous posts referred to in the Part 1 discussion.
  3. It should be made clear whether what I’m calling “segregated cyber assets” in Part 1 are either Low impact or out of scope entirely for CIP version 5.  I think the wording of CIP-002-5 R1 slightly favors the idea that they should be Lows, but I’m willing to go with whatever NERC says.  However, they need to say something, rather than requiring all entities to make this decision for themselves.
  4. This is the stipulation I have added to the three I listed in Part 1:  I think NERC needs to make it clear that, with one exception, all of the BES Cyber Systems associated with a High or Medium impact asset should take that impact level.  The exception is in the case of Medium impact assets meeting Criteria 2.1 or 2.2.  Those two criteria state that BCS that don’t meet a certain threshold are explicitly not Medium impact, but they don’t say what they are.  If NERC decides they are Low impact, then this would be an exception to this stipulation; but it should be the only one.

Why do I say there should be just one level of BCS associated with a High or Medium asset?  Because there are a number of people who feel differently, saying it is somehow up to the entity to decide the impact level of the BCS at an asset.  In 90% of the cases, I think they’re saying this because of the lack of a clear term for a “container” of assets, as I have discussed in point 1 above.  If there isn’t such a term, then you can get confused by pointing to cases where one “asset” houses another – e.g. a transmission substation that contains an SPS system.  The SPS is itself one of the six asset types listed in R1, and of course the substation is as well.

So if the substation is Low impact but the SPS itself is Medium due to meeting Criterion 2.9, there will be two types of BES Cyber Systems at the one substation Facility: the Low BCS belonging to the substation asset and the Medium BCS that are part of the SPS.  If we make it clear that the substation Facility contains two assets – the Low impact substation and the Medium impact SPS – then we can have a rule that states that all of the BCS associated with an asset are one impact level (of course with the exception of Criteria 2.1 and 2.2.  And now, I state Alrich’s Law: There can be no statement made about anything having to do with NERC compliance that doesn’t have an exception.  I believe there are no exceptions to this law).

Why am I so concerned about this?  Because I know some entities seem tempted to believe they can classify BES Cyber Systems independent of the Attachment 1 criteria.  That is, they think they can say, “Even though this BCS is part of a Medium impact substation, it really doesn’t have that much impact, so I’ll call it a Low.”  I believe that is something that isn’t allowed in CIP v5, but I’ll admit the wording of Attachment 1 could well lead someone to believe this was possible.  I think there could be lots of problems if it isn’t made clear that, while there can be multiple levels of asset located at one Facility, there can be only one level of BCS associated with a particular asset (except for Criteria 2.1 and 2.2, of course).

And Now, Tom’s Methodology
With these stipulations out of the way, let’s look at my methodology for CIP-002-5 R1 compliance.  There is one big difference between my methodology and the auditor’s: In mine, you classify assets first, then identify the BES Cyber Systems associated with them.  In the auditor’s, you identify and classify BES Cyber Systems without ever actually classifying the assets.  

The main reason I prefer my methodology is that it is essentially the one that entities are used to from complying with CIP versions 1-4 (yes, I know v4 never came into effect, but a lot of entities went fairly far down the road to v4 compliance).  In v1-4, you did two things.  First, you identified your Critical Assets (i.e. you classified your assets into two levels: critical and not critical).  Then, you identified the Critical Cyber Assets that were “essential to the operation of” those Critical Assets.

I’m saying, let’s do the same thing for CIP v5.  Here are the entire details of my methodology:

  1. First, an entity needs to classify its assets (defined as the six types listed in R1) into High, Medium and Low impact, based on the Attachment 1 bright line criteria. 
  2. Second, the entity needs to identify BES Cyber Systems either at or associated with the High and Medium impact assets (and see the discussion in Part 2 about “at” and “associated with”).  As I've already mentioned, I recommend this be carried out by combining the top-down and bottom-up approaches.
  3. Finally, the entity needs to identify Low impact assets, without having to identify BES Cyber Assets or BES Cyber Systems at those assets.  And why doesn’t the entity need to identify Low impact BCA or BCS?  Because CIP-003-5 R2, the single requirement in v5 that applies to Lows, says absolutely nothing about BES Cyber Systems.  The four policies in that requirement need to be applied at the asset level, not the cyber asset level.  So there is no reason to even discuss the term Low impact BES Cyber System.[i]
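As an added illustration of the three steps just listed, and of the substation-with-SPS “container” case from the stipulations above, here is a small model of my own construction (not anything published by NERC, and not Honeywell code) that codes the asset-first procedure beside the auditor’s BCS-first reading of Attachment 1, so the difference in what the entity has to enumerate is visible. The criterion numbers are the ones cited in this post; the Facility, Asset and CyberAsset types, the meets_threshold flag and the sample data are my assumptions.

```python
from dataclasses import dataclass, field

HIGH, MEDIUM, LOW = "High", "Medium", "Low"
# Stipulation 4's one exception: Criteria 2.1 and 2.2 say BCS below their
# threshold are explicitly not Medium, without saying what they are.
THRESHOLD_CRITERIA = {"2.1", "2.2"}
UNRESOLVED = "Not Medium (level not specified by CIP-002-5)"

@dataclass
class CyberAsset:
    name: str
    # Only consulted at assets that meet 2.1 or 2.2: does this cyber asset
    # itself reach the threshold those criteria set?  (assumed attribute)
    meets_threshold: bool = True

@dataclass
class Asset:
    """One of the six R1 asset types (substation, SPS, generation, ...)."""
    name: str
    criteria_met: set = field(default_factory=set)     # e.g. {"2.9"}
    cyber_assets: list = field(default_factory=list)

@dataclass
class Facility:
    """The 'container' of stipulation 1: a site holding one or more assets."""
    name: str
    assets: list

def classify_asset(asset):
    """Step 1: impact level from which Attachment 1 section the asset meets."""
    if any(c.startswith("1.") for c in asset.criteria_met):   # Section 1
        return HIGH
    if any(c.startswith("2.") for c in asset.criteria_met):   # Section 2
        return MEDIUM
    return LOW

def bcs_level(asset, cyber_asset):
    """Stipulation 4: a BCS takes its asset's level, with the 2.1/2.2 exception."""
    level = classify_asset(asset)
    only_threshold = asset.criteria_met <= THRESHOLD_CRITERIA
    if level == MEDIUM and only_threshold and not cyber_asset.meets_threshold:
        return UNRESOLVED
    return level

def asset_first(facilities):
    """Steps 1-3: classify assets, identify BCS only at High/Medium assets,
    and list Low assets without ever enumerating their cyber assets."""
    hm_bcs, low_assets = {}, []
    for fac in facilities:
        for asset in fac.assets:
            if classify_asset(asset) == LOW:
                low_assets.append((fac.name, asset.name))
                continue
            for ca in asset.cyber_assets:
                hm_bcs[(fac.name, asset.name, ca.name)] = bcs_level(asset, ca)
    return hm_bcs, low_assets

def bcs_first(facilities):
    """The auditor's reading of Attachment 1: inventory every BCS first, then
    classify each one; Lows are whatever Sections 1 and 2 did not catch."""
    return {(fac.name, a.name, ca.name): bcs_level(a, ca)
            for fac in facilities for a in fac.assets for ca in a.cyber_assets}

def enumeration_burden(facilities):
    """How many cyber assets each methodology forces the entity to list."""
    hm_bcs, _ = asset_first(facilities)
    return {"asset_first": len(hm_bcs), "bcs_first": len(bcs_first(facilities))}

# Constructed sample: the post's substation-with-SPS case (SPS meets 2.9) plus
# a generating station meeting 2.1; the thresholds themselves are not modelled.
SAMPLE = [
    Facility("Substation A", [
        Asset("Substation A", set(), [CyberAsset("relay-1"), CyberAsset("relay-2")]),
        Asset("SPS at A", {"2.9"}, [CyberAsset("sps-controller")]),
    ]),
    Facility("Plant B", [
        Asset("Plant B generation", {"2.1"},
              [CyberAsset("dcs-unit-1"), CyberAsset("unit-3-hmi", meets_threshold=False)]),
    ]),
]
```

Running enumeration_burden(SAMPLE) shows the asset-first method listing only the three cyber assets at the Medium assets, while the BCS-first reading also has to list the substation’s relays before it can call them Low.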

And there you go: I’ve just given you my entire methodology.  But that was the easy part; now I have to convince you that this is a good one.  This brings me to the second reason why I prefer my methodology: I have yet to talk to any NERC entity (and I have been talking with a lot lately, and will be talking with a lot more in the near future) that isn’t using a methodology like mine.  I won’t say there aren’t a few out there who are using something like the auditor’s methodology; and I certainly won’t deny that his methodology may be the runaway favorite in the auditor community.  But I will say that I’ve had in-depth discussions of CIP v5 methodology with over ten entities, and every one of them has started by saying something like, “Well, we are first looking at which of our assets are going to be High, Medium or Low.”  Nobody has said, “We’re starting to identify our BES Cyber Systems, so we can then classify each one using Attachment 1.” 

And when you think about it, how could it be otherwise?  After five years of focusing relentlessly on what assets would be in or out of scope for CIP, and only then looking at what cyber assets are essential to them, does NERC really think the whole industry is going to do a huge shift and think almost entirely in terms of BES Cyber Systems, regardless of where they might happen to be deployed?

Now, I’ll concede right now that the language of Attachment 1 almost requires an interpretation like the auditor’s.  It is quite straightforward in saying that it is all about classifying BES Cyber Systems.  It clearly is written assuming the entity has already gone through all of its cyber assets and identified its BCS – which itself is very interesting, given that nowhere in R1 does it tell you to first identify BCS.  It seems the entity has to figure out for themselves - by the fact that R1 and Attachment 1 just talk about how BCS are classified - that they have to have already identified them all before they even start into Attachment 1.  Even Section 3 of Attachment 1, which deals with Low impacts, is written entirely in terms of BCS, saying simply that Low BCS are those that aren't Medium or High impact.  The entity clearly has to start out Attachment 1 with a complete list of its BCS, at least if they’re going to follow the language literally.

I do want to point something else out: Most people are used to dealing with the Attachment 1 that was included in CIP-002-4 (again, even though v4 never came into effect, many entities spent a lot of time trying to comply with it).  The wording of the criteria in that Attachment 1 is in some cases exactly the same as in Attachment 1 in v5.  Yet the v4 version makes clear that it is for identification of Critical Assets (the "big iron"), not Critical Cyber Assets ("little iron").  When those people turn to Attachment 1 in v5, they will have to make a complete shift to using those criteria to identify BES Cyber Systems (little iron), not the "assets" (big iron).  I haven't talked to any entity that has actually made this shift. And frankly, I see no reason why they should have to, other than confusion in the wording of CIP-002-5.

When you move from Attachment 1 to CIP-002-5 R1 itself, the wording is much more nuanced, and seems to favor my methodology.  It starts out by requiring the Responsible Entity to “implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3”, followed by the list of six asset types in scope.  This is followed by R1.1 and R1.2, which instruct the user to identify High or Medium impact BCS "at" (in R1.1) or "associated with" (in R1.2) each asset, by going to Attachment 1.   This sounds like much more of an asset focus to me.

Now, I will concede that R1.1 and R1.2 aren’t strictly asking you to classify the assets themselves, but only the BCS located at them; so they don't clearly support my interpretation.  But when you get to R1.3, the instructions are much different.  There, you are instructed to identify each asset that “contains a low impact BES Cyber System” by again going to Attachment 1.  So R1.3 is explicitly asking you to identify assets, not BCS.

Of course, R1.3 doesn't call the asset in question a Low impact asset – that would be too much of a step away from maintaining the fiction that the whole purpose of CIP-002-5 R1 is to classify BCS.  But at the same time, it obviously can’t tell you to identify Low BCS (the way R1.1 and R1.2 did for High and Medium BCS), since it says in the next sentence that an inventory of Low BCS isn't required. 

Instead, R1.3 tells you to identify assets that “contain” low BCS, according to Section 3 of Attachment 1.  So let’s go there and see if we can figure out what’s going on.  There, we see that Low impact BCS are “BES Cyber Systems not included in Sections 1 or 2 above that are associated with any of the following assets”, followed by the same list of six asset types shown in R1.  What are we to conclude from this?  It seems clear that we have to start Attachment 1 with a complete list of BCS, then subtract out the High and Medium BCS to come up with our list of Lows.  We then use this list to identify the assets that contain Low BCS.  But how can we do this if a list of Low impact BCS isn’t required?

And this is where the auditor’s interpretation breaks down.  He says he will be comfortable if the entity simply asserts that an asset contains one or more Low BCS, without specifically identifying it.  However, I know he won’t necessarily just roll over if the entity asserts that an asset – that contains control systems – doesn’t contain any Low BCS.  He will ask the entity about systems like DCS (at a generating station), protective relays (at a substation), etc.  Has the entity really determined that none of these should be identified as BCS at/associated with the asset in question?  I certainly don’t begrudge the fact that the auditor has to dance around like this – essentially saying that, despite the literal meaning of the wording in Attachment 1, his auditing approach won’t require a pre-existing list of BCS.  It just goes back to what I was saying: there is no consistent methodology for CIP-002-5 R1 compliance (and the auditor's methodology is consistent) that won’t violate at least some of the wording of the requirement (including Attachment 1).

But let’s get back to what we were doing: trying to figure out how we comply with R1.3 and identify assets that contain Low impact BCS.  And let’s assume that we don’t have a pre-existing list of all BCS.  This means we have to do some sort of dance like the auditor is suggesting, where we look at each asset and try to take a good guess as to whether or not it contains a Low BCS.  Which assets do we do that dance for?  It has to be all of our assets.  Since, following the literal wording of CIP-002-5 R1 so far, we haven’t identified any assets that are High or Medium, we have to consider any asset - High, Medium or Low - as one that might potentially contain a Low BCS.  Indeed, it is quite possible that assets that we would identify – using my methodology – as High or Medium impact will also be “assets that contain a Low impact BCS”; this would happen if they contain what I'm calling "segregated cyber assets" above and in the previous post.  This means that those assets will have to comply with CIP-003-5 R2, along with all of the other v5 requirements that apply to Mediums.[ii]

As you can see, we have to do a lot of work – and probably go through a lot of hand-wringing and hair-pulling – to comply with the literal wording of R1.3 and identify assets containing Low BCS.  And why do we have to do that?  As I’ve already said, the one v5 requirement that applies to Lows says nothing about BCS; so there is absolutely no compliance need to identify Low BCS.  Wouldn’t it be a lot easier if we just dropped the fiction that, in order to identify Low impact assets, we need to identify Low BCS?  This is why my methodology simply requires that we identify Low impact assets, not the BCS that may or may not be in them.[iii]

Of course, to identify Low impact assets, we have to first identify High and Medium impact assets (since there are no criteria that tell you what a Low asset is).  So my methodology starts with identifying High and Medium impact assets using the criteria in Sections 1 and 2 of Attachment 1.[iv]  The Lows are all BES assets that aren’t High or Medium impact.[v]  The entity just has to identify BCS at or associated with the High and Medium impact assets, not with the Low impact assets.

I rest my case.  To summarize:

  1. I believe the auditor’s CIP-002-5 R1 methodology (which I’ll admit is closer to the actual wording of the requirement and especially Attachment 1) will impose a big, totally unneeded paperwork burden on owners of Low assets.  They will struggle to show they have identified every asset that contains a Low BCS, when what’s really required for compliance is simply identifying Low assets.[vi]
  2. As I said in Part 2, there is a possibility that an auditor, who interprets CIP-002-5 R1 according to my auditor friend’s methodology, will end up requiring an entity to have an inventory of cyber assets associated with at least some Low impact assets - if they want to be very hard-nosed about having the entity prove they don’t have BCS at those assets.  The literal wording of Attachment 1 would back the auditor up in making this demand.
  3. Probably most importantly, my unscientific polling shows that the overwhelming majority of entities subject to CIP v5 are following “my” methodology, simply because it follows very naturally from what they are used to doing for compliance with CIP versions 1-4.  Is it really worth it to force them to use my auditor friend’s approach, given that there is absolutely no compliance or security reason to focus on classifying High, Medium and Low impact BCS, rather than High, Medium and Low impact assets (and the BCS that support the High and Medium ones)?[vii]
  4. However, there is something worse than having NERC not adopt my methodology; it’s having them not adopt any methodology at all, even the auditor’s.  I see this as a great recipe for confusion, ill-will and disputed fines in the years ahead.

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

[i] Of course, FERC did order more specific requirements for Lows, and we won’t know what those will be until the new SDT meets and draws them up.  However, I and most others think it’s highly unlikely the new SDT will develop requirements that apply to particular Low impact cyber assets – whether BES Cyber Systems or not.  And FERC said in Order 791 that they don’t expect NERC to develop this type of requirement.

[ii] You might point out that it really isn’t the end of the world if Medium and High impact assets also have to comply with CIP-003-5 R2, the one Low requirement, since anything that an entity has to do in that requirement is surely already included in the many requirements with which High and Medium impact assets have to comply.  But there will certainly be a paperwork burden involved in doing this, which is of course completely meaningless from the point of view of cyber security (remember that?  CIP was supposed to have something to do with cyber security, if I recall correctly); and there will be a compliance risk if the entity misses some step in the paperwork.  I’m sure it wasn’t the intent of the SDT to have Mediums and Highs also have to be Lows, but this is the direct effect of the current wording.

[iii] Now that I think of it, this question is similar to the famous Schrödinger’s Cat paradox in quantum physics.  There, the poor cat, enclosed in an opaque box with a poison that may or may not have been released, is literally dead and alive at the same time until the box is opened and an observation is made - then it is actually either dead or alive.  In our case, the Low impact BCS might or might not exist at a Low impact asset.  But, unlike in the case of the cat, it’s not a question we even need to be asking, since as I said Low impact BCS have no role whatsoever in CIP v5 – so no observation ever needs to be made to determine whether they're there or not.

[iv] We of course have to ignore the language in those two sections that says we’re really looking for BES Cyber Systems “used by and located at” the High criteria or “associated with” the Medium criteria.  We’re really looking at the criteria themselves, which specify assets, not BCS.  As I’ve said, in order to come up with any consistent methodology for CIP-002-5 R1 compliance, you have to decide which wording you’ll ignore.  This is some of the wording I choose to ignore.

[v] There is a complication in my methodology: It doesn’t allow for any BES assets to be other than High, Medium or Low impact.  The auditor’s methodology, since it follows the wording of R1.3 about identifying assets that contain Low impact BCS, leaves open the possibility – whether or not it was intended by the SDT – that some BES assets won’t be High, Medium or Low impact, but will be nothing at all.  I regard this as a small price to pay for the fact that my methodology will greatly simplify the paperwork burden by doing away with the concept of Low BCS altogether.  But if you feel strongly that there should be BES assets that aren’t High, Medium or Low impact, this won’t bother you, and you’ll be happy to deal with the additional paperwork generated by the auditor’s methodology.

However, one could make a case that BES assets that don’t have any process control systems shouldn’t even be Lows – after all, CIP is to protect control systems, right?   If NERC wanted to adopt my methodology, they could easily say that assets without control systems aren’t High, Medium or Low impact.  Or they could just say that Low assets without control systems only have to comply with CIP-003-5 R2.1 (cyber security awareness, which is important for all employees of any organization nowadays) and R2.2 (physical security controls), but not with R2.3 and R2.4, which specifically apply to facilities with control systems.

[vi] When I was first thinking about this post, I thought there might be another big difference between the two approaches: one might result in many more BCS being identified than the other.  However, I don’t believe this is the case now (although if someone thinks it would be, I’d like to know why - I could be wrong about this).  In theory, there shouldn’t be any difference in results between the two approaches.  In the auditor’s approach, the entity identifies BCS across the various assets, then classifies these using Attachment 1.  In my approach, the entity first classifies assets as High, Medium or Low impact, then identifies BCS at the Highs and Mediums.  Keep in mind that I’ve already stipulated that the “top-down” and “bottom up” approaches should both be applied in identifying BCS at High and Medium assets, so this is removed as a source of difference between the two approaches (a couple months ago, I thought this was the most important difference between my methodology and the auditor’s, but I came to realize the two approaches could – and should – coexist.  And the auditor agrees with me on this).

[vii] A person from FRCC told me recently that Scott Mix of NERC, when he addressed their CIP group in May, said definitely that the first step in compliance with CIP-002-5 R1 was to use Attachment 1 to classify the assets, then to identify High and Medium impact BCS.  And when questioned about this, he said that NERC should probably clarify this for the entities.  I certainly hope he hasn’t changed his tune since then.  If not, I may owe Scott some sort of royalties for just repeating in my posts what he had already said very eloquently in May.  
