In my previous post on the importance of the words “at” and “associated with” in CIP-002-5 R1, I discussed a question that was asked at the recent WECC workshop on CIP Version 5. The question was whether an EMS workstation that was located remotely from a High or Medium impact control center would take the classification of the control center itself.
My answer to that question was essentially that, if the control center was High impact, the workstation would have to be treated as a remote user (and would have to come in through a VPN to an Intermediate System with two-factor authentication, per CIP-005 R2); if the control center was Medium impact, the remote workstation would be a Medium BCS. This is because of the different ways that High and Medium impact BES Cyber Systems are treated in CIP-002-5 R1 and Attachment 1.
However, the CIP compliance manager for the generation arm of a large IOU – who has contributed to previous posts – emailed me to point out that I wasn’t taking into account the NERC definition of a Control Center, namely “One or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in real-time to perform the reliability tasks, including their associated data centers, of: 1) a Reliability Coordinator, 2) a Balancing Authority, 3) a Transmission Operator for transmission Facilities at two or more locations, or 4) a Generator Operator for generation Facilities at two or more locations.”
This definition makes it clear that any location where operating personnel perform the above functions is a Control Center. So a remote EMS workstation performing the above functions per the definition would be a Control Center cyber asset. Moreover, the entity owning it would have to declare some sort of Control Center facility around it.[i] If the Control Center with which this workstation is associated is either High or Medium impact, then the workstation itself will be a High or Medium BCS, and the Control Center facility that “houses” it will also be High or Medium impact.
This means that, if the primary Control Center is High impact, all of the v5 requirements that apply to High BCS will apply to the remote workstation and to the separate Control Center facility that is created to contain it, including having two types of physical access control, log review at least every 15 days, testing of BCS configuration changes and monitoring for changes, active vulnerability assessments, etc. The same holds for a remote EMS workstation that is a Medium impact BCS: it will have to comply with all the v5 requirements that apply to Mediums.
This means that, while I was technically correct in pointing out – at the WECC meeting and in the previous blog post – that the words “associated with” in Section 1 of Attachment 1 would preclude the hypothetical remote workstation for a High control center from being a High BCS in itself, I missed the larger point that there can never be a remote workstation for a Control Center in the first place. If the workstation performs one of the functions shown in the NERC Control Center definition, the entity needs to declare a Control Center facility around it.[ii]
Let’s consider some of the implications of this:
- For Control Centers, what I wrote in my previous post is now “inoperative”.[iii] The “at” / “associated with” distinction doesn’t apply here, since every BCS that’s associated with a Control Center is ipso facto “at” a Control Center. The entity will need to declare that the “remote” EMS user is part of a separate Control Center facility. If it’s located within – say – an office building which isn’t a BES asset (e.g. the company headquarters), there will have to be physical and electronic controls protecting it, per the requirements of CIP version 5.
- For generating stations, transmission substations and the other assets in the list of six types in CIP-002-5 R1, the “at” / “associated with” distinction still does apply, since the definitions of those assets don’t implicitly require that all workstations associated with them be contained in a separate facility of the same type. However, these will all be Medium impact assets, since the only High impact assets are Control Centers. Since “associated with” (not “at”) is used in Section 2 of Attachment 1 (which introduces the Medium impact criteria), this means that any BCS “associated with” a Medium impact asset has to itself be protected as a Medium BCS[iv]. However, per R1.2, if the cyber asset in question isn’t located at one of the six asset types listed in R1, then it isn’t a Medium BCS. Instead, it should be treated as a remote interactive user.[v]
- What if the “remote” Medium BCS is located at a Low asset like a generating station of less than 1500MW? These assets will possibly have to have some sort of physical and logical access controls, once the new SDT has complied with FERC’s directive (in Order 791) to develop more specific controls for Low impact assets. Might these be deemed adequate to protect this Medium BCS? The answer to this is clearly no, except in the very remote possibility that the controls for Lows end up being identical to those for Mediums. All of the Medium impact requirements – physical and logical access control, PRAs for users having physical or logical access, etc. – will apply to this workstation.
- If there are any non-BES Cyber Assets networked with this “remote” Medium BCS, they will have to be treated as Medium impact Protected Cyber Assets, meaning that almost all of the requirements for Medium impact BCS will apply to them. This is true, whether the “remote” Medium BCS is physically located at a High, Medium or Low impact asset, or whether it’s not located at any BES asset at all (although it will probably be a moot point if it’s located at a High or Medium asset, since the appropriate protections will presumably already be applied due to that status).
- This also means that, if the “remote” Medium BCS is located at a non-BES asset like a corporate HQ and is networked with other cyber assets, all of those cyber assets will have to be enclosed in an ESP and a PSP (this effectively means the entity has declared a Medium asset containing all the cyber assets on the network containing the “remote” Medium BCS).
All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.
[i] This “requirement” to declare a mini-Control Center around the remote workstation isn’t explicit in CIP v5, of course. However, by the time you do all the things you have to do to a High impact BES Cyber System – enclose it in an ESP, enclose the ESP in a PSP, and apply all the appropriate High impact controls to these – you effectively have a new Control Center facility, even if it only contains this one workstation.
[ii] Of course, not only was I wrong, but Dr. Joe Baugh, who answered the question at WECC, was as well. He said the remote EMS workstation would have to be treated as an instance of interactive remote access; he should instead have said that there can be no such thing as a “remote EMS workstation”. I don’t blame him for this, of course, since I didn’t realize it either, until my friend emailed me yesterday.
[iii] Those of you of a certain age will probably remember this was the immortal word used by Richard Nixon’s press secretary Ron Ziegler to describe all of the previous statements he had made about Watergate, once the “smoking gun” had been found and there was no longer the shadow of a doubt as to Nixon’s guilt. Those of us with a more traditional view of language would have preferred he use the more accurate term “lies”, but I guess that’s just a matter of taste. Of course, I wasn’t deliberately lying in my previous post – I simply wasn’t smart enough to know I wasn’t telling the truth.
[iv] The CIP compliance manager pointed out to me that there are exceptions to this statement, in the case of assets that fall under criteria 2.1 or 2.2 in Attachment 1. That is, BES Cyber Systems that are excluded from being Medium impact by the wording in these two criteria are either Low impact or nothing at all. I have written about this issue previously in this post, under the heading “Segregated Cyber Assets”.
[v] If you don’t understand why this is the case, please refer to the previous post. My goodness, I can’t do everything for you!