Friday, February 14, 2014

Be Careful Who You Associate With

Feb. 18: It turns out I was missing an important point when I wrote this post last week.  It isn't wrong per se, but it isn't the whole story.  See this new post - which you'll be glad to know is mercifully short compared to most of my posts.

Perhaps I find pleasure in strange activities, but I admit I found it quite pleasurable to attend WECC’s CIP Version 5 Workshop in Salt Lake City recently.  The main reason for this was that the WECC CIP auditors and enforcement people who spoke had done an excellent job of really thinking about all the standards and providing useful information.  Of course, the fact that there are so many of them (there were at least nine speakers) allowed each one to treat his or her topic quite thoroughly.

If you missed the workshop, don’t despair.  You can download the entire “presentation package” here.  However, before you click on it, keep in mind that the package is 33 megabytes (fortunately, Geoff Warnock of Gainesville Regional Utilities has come to the rescue and divided the file up into the presentations on each of the standards.  If you would like me to send them to you - in a few emails, depending on how much you can receive at one time - contact me at [email address omitted]).  I do wish to make the suggestion to WECC that it might be a good idea to start breaking those packages up into at least two or three parts.  Herein ends my criticism of WECC (for this post, anyway).

I found a lot of the points that were made to be very interesting, and I hope to do a post soon that will address a number of these.  However, this post will focus on a question that was asked during the CIP-002-5 presentation and the discussion that followed.  The presenter for CIP-002-5 was Dr. Joe Baugh, a kind of rock star[i] among CIP auditors, who I wrote about for the first time almost two years ago (he was just Joe at the time, not Dr. Joe).

Before I get to this discussion, I do want to say that Joe provided a very good description, and flow chart, of two alternative methodologies for achieving compliance with CIP-002-5 R1.  And guess what?  They correspond fairly closely to the two methodologies I outlined in a recent series of three posts (the first is here) – one mine and one that of a friend who happens to be an auditor (not in WECC).  Joe referred to these as the “top down” and “bottom up” approaches.  The former corresponds roughly to my methodology, the latter to the auditor’s.[ii]

Even better, he recommended the top-down approach (i.e. mine) as the better one to pursue.[iii]  Should I be surprised that Dr. Joe came to the same conclusion as to the best methodology for CIP-002-5 R1 compliance as I did?  Not at all; I know him to be a very intelligent person – this only confirms that.

Now to the discussion I found so interesting.  An attendee asked whether an EMS workstation that was located remotely from a High or Medium impact control center would itself take the classification of the control center itself.  Dr. Joe said it would, and further stated that there might have to be a special asset defined to house that remote workstation (he didn’t go into detail, but I presume that asset would be a type of High or Medium control center).  Of course, this would have to be done because in his preferred methodology (and mine), assets (i.e. the “big iron”) are classified first, then BES Cyber Systems are identified at the High and Medium assets.  So you can’t have a High or Medium impact BCS without a corresponding High or Medium asset.

However, in this case Dr. Joe gave an answer that, while not wrong, was incomplete; it was incomplete on two counts.  Always being eager to help, I pointed out one of those counts; it was only later that I realized there were two.  You might say I missed my chance to point both out at the meeting, but this is the great advantage of having a blog: you can always have the last word.  So this post will be devoted to describing what Dr. Joe missed; indeed, he missed two entire steps (or at least sub-steps) in the process of BCS identification.[iv]  And I now realize that NERC entities (and auditors!) could make a lot of classification mistakes if they don’t understand these steps.

The issue revolves around the wording of CIP-002-5 R1.1 and 1.2.  These two parts – and R1.3 - constitute what could be called the “payload” of R1, since when you come down to it, everything that R1 explicitly tells you to do is contained in these three parts.  Here is the wording of R1.1 and R1.2[v], along with the first phrase of each of the sections in Attachment 1 that each part refers to:

High Impact
1.1. Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;
Refers to Section 1: Each BES Cyber System used by and located at any of the following:

Medium Impact
1.2. Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset;
Refers to Section 2: Each BES Cyber System, not included in Section 1 above, associated with any of the following:

Let’s just consider the High and Medium impacts now.  Note that for Highs, R1.1 says you must identify “high impact BES Cyber Systems…at each asset”, and Section 1 says these systems must be “used by and located at…” assets that meet the criteria in Section 1.  Offhand, this seems to be quite consistent – both use the word “at” (note the italicizations are mine).  A High impact BES Cyber System must be physically located at the High impact asset that uses it.  So if the questioner at the WECC meeting was asking about a remote workstation for a High impact control center, there is no question about it: the workstation wouldn’t be a High BCS, since it isn’t located at the control center itself.

Let’s now look at the Mediums.  R1.2 says you need to identify “medium impact BES Cyber Systems…at each asset”.  However, Section 2 says simply “associated with any of the following”.  Going back to the WECC workshop question, and assuming we’re now talking about a remote workstation for a Medium impact control center, it seems like R1.2 would say the remote workstation isn’t a Medium BCS, since it’s not “at” the control center.  But Section 2 seems to say it is a Medium BCS, since it is “associated with” the control center.  Is this a contradiction?

When I first noticed this difference between how High and Medium impact BCS are treated, I assumed it was simply a mistake – that the SDT hadn’t noticed the discrepancy for Mediums.  However, late last year I discussed this with an Interested Party who has studied CIP-002-5 R1 very closely.  He pointed out to me that a proper reading reveals there is no discrepancy.  I have come to agree with him, although the language could certainly have been made a lot more explicit.[vi]

The Interested Party explained to me that R1.1 - R1.2 and Sections 1-2 of Attachment 1 are actually doing two different things.  R1.1 – R1.2 are telling you the universe of systems that need to be considered as High or Medium BCS; that universe consists of systems located at “each asset”, meaning assets corresponding to the six types that are listed right above this – control centers, transmission substations, etc.  Note that neither R1.1 nor R1.2 is saying that High or Medium BCS must be located at either a High or Medium asset, only that they must be located at one of the six types of assets, regardless of its classification as High, Medium or Low impact.

Going back to the WECC question, if the remote workstation is located in somebody’s home or in the company headquarters (probably not good security practice, of course), it will definitely not be a BES Cyber System at all – it will presumably have to be treated as a remote access user, and have to go through an Intermediate System (with a VPN to that IS) like other remote users.  If it is located in one of the six asset types, then it could be a BCS; but we now need to go to Attachment 1 to decide for sure whether or not this is the case.

It is in Attachment 1 that the difference comes out between High and Medium impact BES Cyber Systems.  Since Section 1 uses the words “used by and located at”, it is clear that a High BCS can only be physically located at the High impact control center that uses it.  If it is located anywhere else, it probably won’t be a High BCS[vii].

However, since Section 2 says “associated with”, it is very possible that an EMS workstation located remotely from a Medium impact control center could be a Medium BCS.  But since R1.2 restricts Medium BCS to systems located “at” one of the six asset types, it would need to be located at another control center, a generating station, etc.  As was just said, it couldn’t be in somebody’s home or in the corporate headquarters.

You may find this surprising, and I think Joe Baugh would have as well.  In fact, there was a follow-on to the first question, in which a different person asked if the user of the remote workstation could be classified as an interactive remote user, so that the workstation they were using wouldn’t be a BCS.  Joe said this was fine as long as the workstation wasn’t “controlling” the EMS or SCADA system in the control center.  He said that if the “full suite of EMS applications” were installed on the workstation, then it would have to be a BES Cyber System.[viii]

However, I think Joe’s answer needs to be qualified to say that:

a) For a High impact control center, the only way the remote workstation could itself be High impact would be if it were located at another High control center.  Joe briefly alluded to the idea that the entity might have to declare the location of the workstation to be an asset in itself.  For this to apply in the case of a High, the new “asset” would have to itself be a High control center; and this might be a pretty burdensome thing to do (you’d have to have a PSP with two types of physical access control, as well as comply with all of the other requirements for Highs); I see no alternative to simply declaring the workstation (or rather its user) as a remote user and applying the protections (VPN, Intermediate System) required for remote users.[ix]
b) For a Medium impact control center, the remote workstation would have to be located at one of the six asset types (per R1.2), but it could still be a Medium BCS, since it’s associated with the Medium control center.  Again, if it were not located at one of the six asset types, it would be a remote user.

So here is the answer to the original question whether a remote EMS workstation takes the classification of the control center with which it is associated:

  1. If the control center is High impact, the workstation will have to be treated as a remote user, unless it is declared to be part of a separate High impact control center.
  2. If the control center is Medium impact and the remote workstation is located at one of the six asset types, it will be a Medium BCS (of course, cyber assets networked to it will have to be treated as Medium impact Protected Cyber Assets).
  3. If the control center is Medium and the remote workstation isn’t located at one of the six asset types, it will have to be treated as a remote user.

Revised CIP-002-5 R1 Methodology

Let’s generalize this from just an answer to one question to a correction to the CIP-002-5 R1 compliance methodology itself.  We’ll start with Dr. Joe’s “top-down” methodology shown on slide 45 of the WECC presentation packet.  The first step (in blue) is to classify your assets as High, Medium and Low impact using the criteria in Attachment 1.  The next step after that (in green) reads:

Use the inventory of BES Cyber
Assets at the High (R1.1) or
Medium (R1.2) Facility to identify
and list BES Cyber Systems
(BCS) at each such facility

This step should be replaced with the following two sub-steps:

  1. For High impact assets, identify BES Cyber Systems that are “used by and located at” the asset.
  2. For Medium impact assets, identify BES Cyber Systems that are “associated with” the asset.  These must exist at one of the six types of assets shown in CIP-002-5 R1, including the Medium impact asset itself.
I think this clarification may save entities from mistakenly identifying High or Medium impact BCS where they don’t exist.  And since I realize some entities will have already done a preliminary identification and classification of High and Medium impact BCS, they may want to go back through the list to see if any BCS they've already identified could be removed from the list.
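To make the two sub-steps above, and the three-part answer to the WECC question, explicit and checkable, here is a small decision model of this post's reading of R1.1/R1.2 and Attachment 1 Sections 1 and 2. It is an added example written for this post, not NERC, WECC or Dr. Joe's material; the class and field names (`CandidateSystem`, `at_r1_asset_type`, `at_high_asset_using_it`) and the scenario labels are assumptions made for illustration, and "one of the six asset types" is modelled as a plain yes/no input rather than enumerated.

```python
"""Decision model for the revised CIP-002-5 R1 BCS identification sub-steps.

Illustrative encoding of this post's reading of the requirement; all names
below are assumptions chosen for the example, not terms defined by NERC.
"""
from dataclasses import dataclass
from enum import Enum


class Impact(Enum):
    """Impact rating of the control center that uses the candidate system."""
    HIGH = "High"
    MEDIUM = "Medium"


class Outcome(Enum):
    HIGH_BCS = "High impact BES Cyber System"
    MEDIUM_BCS = "Medium impact BES Cyber System"
    REMOTE_USER = "not a BCS; treat its user as an Interactive Remote Access user"


@dataclass(frozen=True)
class CandidateSystem:
    """A cyber system (e.g. an EMS workstation) used by a control center.

    control_center_impact:  rating of the control center that uses it.
    at_r1_asset_type:       physically located at one of the six asset types
                            listed in CIP-002-5 R1 (whatever that asset's own
                            rating is; a Low impact substation counts).
    at_high_asset_using_it: located at a High impact asset that also uses it
                            (the control center itself, or a separate High
                            control center as in footnote vii).
    """
    name: str
    control_center_impact: Impact
    at_r1_asset_type: bool
    at_high_asset_using_it: bool = False


def classify(system: CandidateSystem) -> Outcome:
    # R1.1 / R1.2: the universe of candidates is systems located "at each
    # asset", i.e. at one of the six R1 asset types. A workstation at a home
    # or at corporate HQ is outside that universe and becomes a remote user.
    if not system.at_r1_asset_type:
        return Outcome.REMOTE_USER

    # Attachment 1 Section 1: a High BCS must be "used by and located at"
    # a High impact asset.
    if system.at_high_asset_using_it:
        return Outcome.HIGH_BCS

    # Attachment 1 Section 2: "not included in Section 1 above" and
    # "associated with" a Medium asset; location at any of the six asset
    # types is enough, regardless of that location's own rating.
    if system.control_center_impact is Impact.MEDIUM:
        return Outcome.MEDIUM_BCS

    # Remote workstation of a High control center that is not located at a
    # High asset using it: not a High BCS, so its user is a remote user.
    return Outcome.REMOTE_USER


def answer_to_wecc_question() -> dict[str, Outcome]:
    """Run the scenarios from the post's three-part answer (constructed)."""
    scenarios = [
        CandidateSystem("High CC workstation, remote, at a substation",
                        Impact.HIGH, at_r1_asset_type=True),
        CandidateSystem("High CC workstation, declared part of a separate High CC",
                        Impact.HIGH, at_r1_asset_type=True, at_high_asset_using_it=True),
        CandidateSystem("Medium CC workstation, remote, at a generating station",
                        Impact.MEDIUM, at_r1_asset_type=True),
        CandidateSystem("Medium CC workstation, at an employee's home",
                        Impact.MEDIUM, at_r1_asset_type=False),
    ]
    return {s.name: classify(s) for s in scenarios}


if __name__ == "__main__":
    for name, outcome in answer_to_wecc_question().items():
        print(f"{name}: {outcome.value}")
```

The ordering of the checks matters: the "at each asset" test in R1.1/R1.2 is applied first because it defines the universe, and the Section 1 test runs before the Section 2 test because Section 2 only covers systems "not included in Section 1 above". A system that fails Section 1 but is associated with a Medium control center therefore still lands in Section 2, which is the point of sub-step 2.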

I've just documented a complex wrinkle in the process for identifying BES Cyber Systems in CIP v5; one that probably limits the number of BES Cyber Systems below what some auditors may think will be the case. The bigger question is whether this is really what the SDT intended.  I believe the answer to that is it was an unintended byproduct of well-intentioned provisions they included in v5.

In particular, the provision that High BCS are limited to those "used by and located at" a High impact asset was almost certainly not put there with this consequence in mind.  I think it was put in because the SDT wanted to remove the possibility that every RTU, etc. controlled by a High or Medium impact control center would by that very reason be High or Medium.  This wording prevents that from happening, but also of course prevents a remote workstation from becoming a High impact BCS and forces it to become a remote interactive user.

I'm not sure anyone made a mistake here; it's more a function of the complexity of the requirement.  But NERC entities need to be aware that "there be dragons" lurking in CIP-002-5 R1.  Since I've already written maybe 15 posts on just that requirement, I should know.

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

[i] I do wish to point out now that the frequent rumors that Dr. Joe will be named Sexiest Man Alive for 2014 are without foundation.  However much he may deserve the title, he’s far too modest to accept it.

[ii] Note that I wrote in this post about two methodologies for identifying BES Cyber Systems, which I also labeled “top down” and “bottom up”.  These aren’t the same thing as what we’re talking about here.  In that post, “top down” meant basing your identification of BES Cyber Systems on an analysis based on the BES Reliability Operating Services (described in detail in the Guidance and Technical Basis section published with CIP-002-5), while “bottom up” meant basing the identification solely on cyber assets that complied with the definition of BES Cyber Asset.  I suggested in that post that the best approach would be to combine these two approaches, coming at your identification of BCS from both directions so as not to miss any.  Joe said the same thing in his presentation.

[iii] He actually said either one would be acceptable from an audit point of view.  But he pointed out that the bottom-up approach (corresponding to what I call the auditor’s approach) would require much more work on the part of the entity, since it involves - in some way - prior identification of all BES Cyber Systems at all assets owned by the entity, whether they are ultimately classified as High, Medium or Low impact.  And that added work – i.e. identifying BCS at Low impact assets - would essentially be a waste of time.  He pointed out dryly that it isn’t likely too many NERC compliance departments, rushing to become compliant with CIP Version 5 by April 1 2016, have lots of extra time on their hands.

[iv] I will admit that I glossed over these steps as well in the post where I outlined my methodology, although I had discussed the concept earlier in the previous post (in part D of “The Auditor’s Methodology”). 

[v] Note I’m not dealing with R1.3 here.  This is because, in my CIP-002-5 R1 compliance methodology and WECC’s, there is no need to identify Low impact BES Cyber Systems, so the considerations of “at” and “associated with” don’t apply at all.

[vi] Please note that for once I’m not saying the problem is caused by inconsistent wording in CIP-002-5 R1 – there are certainly other problems where that is the case!  However, since I missed this point in my first 100 or so readings of the requirement, I definitely think the wording could be much more explicit.   This does bring up another criticism I have made about CIP-002-5 R1: it tries to compress way too much into way too few words. Much of the requirement is not stated explicitly but is just implicit in the meanings of the words.  This is wonderful if you’re writing haiku, but not so great if you’re writing requirements with potentially huge fines for non-compliance.

[vii] Except in the scenario that it is located at another High control center and is “used by” that control center as well as the one in question.  I don’t know how likely this is, though.

[viii] I wish to thank Scott Kardos of Chelan Public Utility District in Washington.  He asked the follow-on question, and clarified my memory of Joe’s response to the question.

[ix] Of course, if the goal is really to prohibit people from setting up remote EMS workstations outside of regular BES assets, this might be accomplished by some sort of directive from NERC or the regions.  It would say there can be no remote EMS workstations for High or Medium impact control centers that are not themselves part of a High or Medium impact asset.  But like a lot of other things, this assumes the agency issuing the directive has adopted my (and WECC’s) methodology for complying with CIP-002-5 R1; only if that is the case do the terms “High impact asset” and “Medium impact asset” even make sense.
