In my previous post on the importance of the words “at” and “associated with” in CIP-002-5 R1, I discussed a question that was asked at the recent WECC workshop on CIP Version 5. The question was whether an EMS workstation that was located remotely from a High or Medium impact control center would take the classification of the control center itself.
My answer to that question was essentially that, if the control center was High impact, the workstation would have to be treated as a remote user (and would have to come in through a VPN to an Intermediate System with two-factor authentication, per CIP-005 R2); if the control center was Medium impact, the remote workstation would be a Medium BCS. This is because of the different ways that High and Medium impact BES Cyber Systems are treated in CIP-002-5 R1 and Attachment 1.
However, the CIP compliance manager for the generation arm of a large IOU – who has contributed to previous posts – emailed me to point out that I wasn’t taking into account the NERC definition of a Control Center, namely “One or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in real-time to perform the reliability tasks, including their associated data centers, of: 1) a Reliability Coordinator, 2) a Balancing Authority, 3) a Transmission Operator for transmission Facilities at two or more locations, or 4) a Generator Operator for generation Facilities at two or more locations.”
This definition makes it clear that any location where operating personnel perform the above functions is a Control Center. So a remote EMS workstation performing the above functions per the definition would be a Control Center cyber asset. Moreover, the entity owning it would have to declare some sort of Control Center facility around it.[i] If the Control Center with which this workstation is associated is either High or Medium impact, then the workstation itself will be a High or Medium BCS, and the Control Center facility that “houses” it will also be High or Medium impact.
This means that, if the primary Control Center is High impact, all of the v5 requirements that apply to High BCS will apply to the remote workstation and the separate Control Center facility that is created to contain it. As a High BCS, the workstation will be subject to all the CIP v5 requirements that apply to Highs, including having two types of physical access control, log review at least every 15 days, testing of BCS configuration changes and monitoring for changes, active vulnerability assessments, etc. The same holds for a remote EMS workstation that is a Medium impact BCS: it will have to comply with all the v5 requirements that apply to Mediums.
This means that, while I was technically correct in pointing out – at the WECC meeting and in the previous blog post – that the words “associated with” in Section 1 of Attachment 1 would preclude the hypothetical remote workstation for a High control center from being a High BCS in itself, I missed the larger point that there can never be a remote workstation for a Control Center in the first place. If the workstation performs one of the functions shown in the NERC Control Center definition, the entity needs to declare a Control Center facility around it.[ii]
Let’s consider some of the implications of this:
- For Control Centers, what I wrote in my previous post is now “inoperative”.[iii] The “at” / “associated with” distinction doesn’t apply here, since every BCS that’s associated with a Control Center is ipso facto “at” a Control Center. The entity will need to declare that the “remote” EMS user is part of a separate Control Center facility. If it’s located within – say – an office building which isn’t a BES asset (e.g. the company headquarters), there will have to be physical and electronic controls protecting it, per the requirements of CIP version 5.
- For generating stations, transmission substations and the other assets in the list of six types in CIP-002-5 R1, the “at” / “associated with” distinction still does apply, since the definitions of those assets don’t implicitly require that all workstations associated with them be contained in a separate facility of the same type. However, these will all be Medium impact assets, since the only High impact assets are Control Centers. Since “associated with” (not “at”) is used in Section 2 of Attachment 1 (which introduces the Medium impact criteria), this means that any BCS “associated with” a Medium impact asset has to itself be protected as a Medium BCS.[iv] However, per R1.2, if the cyber asset in question isn’t located at one of the six asset types listed in R1, then it isn’t a Medium BCS. Instead, it should be treated as a remote interactive user.[v]
- What if the “remote” Medium BCS is located at a Low asset like a generating station of less than 1500 MW? These assets will possibly have to have some sort of physical and logical access controls, once the new SDT has complied with FERC’s directive (in Order 791) to develop more specific controls for Low impact assets. Might these be deemed adequate to protect this Medium BCS? The answer to this is clearly no, except in the very remote possibility that the controls for Lows end up being identical to those for Mediums. All of the Medium impact requirements – physical and logical access control, PRAs for users having physical or logical access, etc. – will apply to this workstation.
- If there are any non-BES Cyber Assets networked with this “remote” Medium BCS, they will have to be treated as Medium impact Protected Cyber Assets, meaning that almost all of the requirements for Medium impact BCS will apply to them. This is true whether the “remote” Medium BCS is physically located at a High, Medium or Low impact asset, or whether it’s not located at any BES asset at all (although it will probably be a moot point if it’s located at a High or Medium asset, since the appropriate protections will presumably already be applied due to that status).
- This also means that, if the “remote” Medium BCS is located at a non-BES asset like a corporate HQ and is networked with other cyber assets, all of those cyber assets will have to be enclosed in an ESP and a PSP (this effectively means the entity has declared a Medium asset containing all the cyber assets on the network containing the “remote” Medium BCS).
All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.
[i] This “requirement” to declare a mini-Control Center around the remote workstation isn’t explicit in CIP v5, of course. However, by the time you do all the things you have to do to a High impact BES Cyber System – enclose it in an ESP, enclose the ESP in a PSP, and apply all the appropriate High impact controls to these – you effectively have a new Control Center facility, even if it only contains this one workstation.
[ii] Of course, not only was I wrong, but Dr. Joe Baugh, who answered the question at WECC, was as well. He said the remote EMS workstation would have to be treated as an instance of interactive remote access; he should instead have said that there can be no such thing as a “remote EMS workstation”. I don’t blame him for this, of course, since I didn’t realize it either, until my friend emailed me yesterday.
[iii] Those of you of a certain age will probably remember this was the immortal word used by Richard Nixon’s press secretary Ron Ziegler to describe all of the previous statements he had made about Watergate, once the “smoking gun” had been found and there was no longer the shadow of a doubt as to Nixon’s guilt. Those of us with a more traditional view of language would have preferred he use the more accurate term “lies”, but I guess that’s just a matter of taste. Of course, I wasn’t deliberately lying in my previous post – I simply wasn’t smart enough to know I wasn’t telling the truth.
[iv] The CIP compliance manager pointed out to me that there are exceptions to this statement, in the case of assets that fall under criteria 2.1 or 2.2 in Attachment 1. That is, BES Cyber Systems that are excluded from being Medium impact by the wording in these two criteria are either Low impact or nothing at all. I have written about this issue previously in this post, under the heading “Segregated Cyber Assets”.
[v] If you don’t understand why this is the case, please refer to the previous post. My goodness, I can’t do everything for you!
What about workstations that have the functionality and capability (i.e. a normal EMS workstation) but are just used for nice-to-have situational awareness and procedurally are listed as “will never be used to perform a reliability task”?

Tackle, this is something you need to take up with your Regional Entity. But my guess is the fact that the workstation could be used for control means it needs to be protected in the same way as one that is actually used for control, since it could be compromised. Even if it were only capable of being used for situational awareness, if operational decisions were made based on the information provided, it would also very likely need to be protected as any other EMS workstation would.

I just reread this post and still like what I wrote originally. However, I did make a pretty egregious error when I said "This means that, while I was technically correct in pointing out – at the WECC meeting and in the previous blog post – that the words “associated with” in Section 1 of Attachment 1..."

Att. 1 Sect. 1 doesn't say "associated with". It says "used by and located at". Of course, that makes a huge difference in general.