Saturday, April 12, 2014

Identifying BES Cyber Systems at Substations


I must admit I thought I had the whole CIP version 5 asset identification thing figured out in early January when I wrote three posts on the subject.  My conclusion at the time was that, while some of the details were complicated (and some of the wording of Attachment 1 had to simply be ignored[i]), the process was at heart fairly simple[ii]:

1.       Identify all of your assets that correspond to one of the six types listed in CIP-002-5 R1 (control centers, substations, etc).
2.       Using the criteria in Attachment 1, classify those assets as High, Medium or Low impact. 
3.       At High and Medium assets, identify BES Cyber Systems.  This is done using either of two approaches, “top-down” or “bottom-up”; these are described in two old posts, here and here (and I need to revisit these in a future post, since my perspective was different when I wrote those posts).  Both WECC and SPP (and perhaps other regions) recommend you use both approaches, since it is very possible that using just one will cause you to miss BCS you would identify using the other.
      (At this point, I need to point out that I have been informed there were two errors in the above paragraph, for which I apologize.  SPP didn't recommend you use both top-down and bottom-up approaches; they think they're both good but don't need to be used together.  I believe Joe Baugh at WECC did recommend you use both, as do I - they are good checks on each other.  Second, I'm informed SPP (and probably WECC also) doesn't have an "official" position on this or any other interpretation of CIP v5.  I was reporting the content of a webinar presented by Kevin Perry, the chief CIP auditor - but it wasn't SPP's official position.  Of course, as I discussed in this post, I wish the regions would take an official position on v5 interpretation, since I don't see anyone else who can)
4.       Classify these BCS according to the classification of the asset itself; a BCS at a High asset will be a High, while one associated with a Medium asset/Facility will be a Medium[iii].  The one exception to this rule is for BCS associated with assets that meet criterion 2.1 (for 1500MW+ plants), where BCS that don’t affect more than 1500MW aren’t Medium impact, but Low[iv] (the same consideration applies for reactive resources in criterion 2.2, although there we’re talking about affecting 1000 MVAR).[v]
5.       For Low impact assets, just list them (i.e. Generating Station X, Substation Y, etc).  In general, Low impact assets are BES assets that aren’t High or Medium impact.  Keep in mind, though, that since R1.3 “defines” a Low impact asset as an “asset that contains a low impact BES Cyber System”, you may very well have Medium or High impact assets that are also listed on the Low list (for example, the Criterion 2.1 plant we just discussed would have both Low and Medium impact BCS.  As would the Medium substation discussed in footnote v, in which there is a Low impact SPS and therefore a Low BCS, along with the Medium BCS.  Even though these BCS are associated with the Low SPS asset, they are contained by the Medium substation).[vi]

(At this point, you may think I’m crazy to describe the above process – with five steps and six lengthy footnotes – as “simple”.  And I would be crazy if I were comparing this to the CIP v1-3 process, which was basically two steps -  first, identify your Critical Assets, then identify your Critical Cyber Assets, defined as those cyber assets “essential to the operation of” the Critical Asset[vii].  However, the above general v5 process is the paragon of simplicity compared to the process that takes account of substations.  That process includes all of the above steps plus a few more, and requires that you parse the language of Attachment 1 as a Biblical scholar would parse the Sermon on the Mount.  For more on this depressing assertion, just read on.  You may want to start looking for a new career, say at McDonald’s).

The above process is essentially what auditors from WECC and SPP have presented  in webinars and workshops those regions have done, although these aren't official positions of those regions.  I don’t know of any other region where an auditor has actually outlined how they see this process working, although I know that a presentation by one of the registered entities at RFC’s compliance meeting in March in Cleveland outlined a similar position.  My guess is the other regions will follow suit as well.

So are we all done?  Has the asset identification problem been solved?  As I said, I thought it had after I wrote my posts in early January.  However, I soon started hearing from some transmission entities (mainly in the Northeast, where it seems the cold weather and snow were keeping these people indoors and forcing them to concentrate on deeply engaging topics like CIP-002-5 R1) that there was a lot more to the story, especially when it comes to substations.

I’ll admit that, when I first heard what these entities were advocating, I was skeptical.  But after talking with a number of these people, and looking quite closely at criteria 2.4 to 2.8 in Attachment 1, I have come to the conclusion that the approach they are advocating for BCS identification in substations is the correct one.

This approach relies on the fact that criteria 2.4 to 2.8 use the word “Facilities”.[viii]  At this point, I must also admit that I have long considered the fact that this word appears in those criteria as simply sloppy wording by the Standards Drafting Team.  However, it seems that – unbeknownst to many of us – there has been a kind of parallel universe of transmission entities that are very comfortable with discussing Facilities in the context of a substation.

As an example, let’s look at Criterion 2.4:

Transmission Facilities operated at 500 kV or higher. For the purpose of this criterion, the collector bus for a generation plant is not considered a Transmission Facility, but is part of the generation interconnection Facility.

I had interpreted this criterion to mean that the substation itself was a Medium impact Facility (which I was assuming was being used synonymously with ‘asset’).  Therefore, all of the BCS associated with it would also be Medium.

How do my Transmission friends interpret this?  They point to the NERC definition of Facility:

A set of electrical equipment that operates as a single Bulk Electric System Element (e.g., a line, a generator, a shunt compensator, transformer, etc.)

So the Facility in Criterion 2.4 (and in 2.5 – 2.8) is an individual line that is connected to the substation, not the substation itself.  This means that the 500kV line is Medium impact in 2.4, and the BCS associated with that line, such as relays, are also Mediums.  But how about another line, say a 230kV one?  The BCS associated with that line are Low impact, not Medium.[ix] 

What about the substation itself?  Is it Medium or Low?  Here I have to confess that I have been glossing over a dispute I’ve been having with a couple Interested Parties over CIP-002-5 in general. They contend that there is no such thing as a classification for an asset, and they point out that the wording of Attachment 1 is all about classification of BES Cyber Systems – i.e. the criteria are for BCS, not assets.  Therefore, the question whether the substation is Medium or Low impact is like the question whether hunger is red or blue.

I contend that a lot of the wording in CIP-002-5 R1 and Attachment 1 actually supports the position that the assets are being classified; then the BCS take their classification from the assets.  More importantly, I point out – usually while sporting a very smug look on my face – that I have yet to talk to a single entity that isn’t in fact first using Attachment 1 to classify its assets, then identifying BCS at or associated with the High and Medium assets.  This is what makes the most sense, and it also follows generally the approach of CIP v1-3: first identify the “big iron” (Critical Assets in v1-3, High/Medium/Low assets in v5), then the “little iron” at or associated with the big iron (CCAs in v1-3, High and Medium BES Cyber Systems in v5)[x].

As I said earlier, I plan on doing a whole post on this argument, so I won’t now go into the mind-numbing details of why I think I’m right.  The good part is that I believe it really doesn’t matter.  I believe that, whether you describe what you’re doing as classifying BCS (as the Interested Parties do), or if you describe it as first classifying assets (as I do) then identifying and classifying BCS, you should come out with the same result (assuming you follow the full set of steps above, and especially use both the “top-down” and “bottom-up” approaches to BCS identification).

However, since I’m writing this post and I happen to believe in my way of wording the methodology (which corresponds fairly closely to WECC’s methodology as far as I can see), I hereby assert that the substation, as well as the 500kV line, is Medium impact in criterion 2.4.  But this does require that you suspend the rule I enunciated earlier, that the BCS at or associated with an asset will take the impact rating of the asset itself (except for plants that meet criterion 2.1, of course).  How do I now rewrite this rule to accomodate substations?  I say, “In a Medium impact substation, the BCS take the impact rating of the Facility[xi] with which they are associated.” 

Now let’s go back and rewrite the rules for the more general case.  This can now be called, “Alrich’s General Rule of BCS Identification”.[xii]  I expect it to be inscribed on stone tablets and posted outside NERC’s offices in Atlanta:

1.       Identify all of your assets that correspond to one of the six types listed in CIP-002-5 R1 (control centers, substations, etc).
2.       Using the criteria in Attachment 1, classify those assets as High, Medium or Low impact, with the following exceptions:
a.       Single units or groups of units at a generating station, that meet criterion 2.3, are Medium impact, while the remaining units are Low impact.
b.      Substations containing one or more Facilities that meet criteria 2.4 through 2.8 are themselves Medium impact.[xiii]
3.       For High and Medium assets or Medium Facilities, identify BES Cyber Systems by combining the “top-down” and “bottom-up” approaches. 
4.       Classify these BCS according to the classification of the asset or Facility itself, with the exception of BCS associated with a generating station that meets criterion 2.1.  In that case, classify BCS according to the rule included in that criterion.
5.       List the Low impact assets.

Are we done now?  When I started this post, I thought we would be.  However, as one of my footnotes mentions, I now realize that not only are criteria 2.4 – 2.8 the exception to the general rule, but at least one of those criteria – 2.5 – is an exception to the other criteria.  So we’re not done yet.  However, since I’ve been accused by some scurrilous individuals of writing excessively long blog posts, and since I’m getting tired anyway, I’ll stop here.  The follow-up post to this one[xiv] will bring this discussion to its exciting conclusion by considering how criteria 2.5 through 2.8 will impact my General Rule.

Before we go, I want to ask you a question: Did you ever realize how complicated the asset identification process in CIP version 5 would be?  Until today, I didn’t either.  Sleep well!

June 6: I have today taken the "Part I" out of the original title to this post, since there will clearly not be a Part II.  When I broke off this post, I thought I'd just have to take account of the anomaly I'd just identified (which was Criterion 2.5, the subject of this post from two days ago), then I'd be able to produce a complete methodology for compliance with CIP-002-5 R1 in substations.  

But over the ensuing weeks it became clear to me that v5 asset identification is even more complicated than I'd realized - in fact, I'll now say that, without clarification from NERC, there is simply no set of steps that can be written down that will comprehensively describe the process.  For more information on why I say that, see this ridiculously long post.

On the other hand, you haven't wasted your time reading this post.  There's nothing I see in here that is wrong - it just isn't the comprehensive picture I at first thought it might be.  But a little clarity is probably better than none at all.


All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.



[i] I was of course not advocating that one should get in the habit of ignoring the language of the CIP standards!  However, I made the case then – and still do – that it isn’t possible to come up with any consistent interpretation of CIP-002-5 R1 without ignoring at least some of the language; the requirement is inconsistently worded, period.  So in January I was outlining the approach that I thought people would in fact take, and I can confirm that since then I have not talked with a single entity that is not taking basically this approach.  This isn’t because they’re slavish followers of my blog, but because it is the approach that makes intuitive sense.  I certainly hope it’s the one the auditors will follow as well; the initial presentations I’ve seen from WECC, SPP and RFC lead me to believe this is the case.

[ii] I admit I have somewhat embellished the steps I listed in the third post from January.  I have made explicit a step that was implicit in the wording I used, so now I have five steps, not four.

[iii] I am being careful in my wording here.  BCS that are High impact are those that are “used by and located at” a High asset (only control centers are High, of course).  BCS that are Medium impact are those “associated with” a Medium impact BES asset or Facility.  For more on this distinction, see this post.

[iv] I have heard it argued that BCS that aren’t Medium in 2.1 and 2.2 aren’t even Lows – they’re simply out of scope.  But since these are BCS after all (impact on the BES in 15 minutes, all of that), I don’t see how you can say they aren’t anything at all.  By Attachment 1, BCS that aren't High or Medium impact are Low impact.

[v] There is another “exception” which really isn’t one.  It is very possible there will be BCS located at a substation, generating station or control center that are actually associated with another asset.  For example, there may be a Low impact SPS (SPS is one of the six types of assets listed in R1) located at a Medium impact generating station or substation.  As long as the BCS associated with that SPS aren’t networked with the BCS of the Medium impact substation, they would be Low impact.  My point is that this really isn't an exception, since the BCS associated with the SPS are taking the impact level of that asset, not the substation where they happen to reside.

[vi] There is another consideration for your list of Lows.  You probably know that any asset that meets the new definition of the BES (basically, elements connected at 100kV+) has to be at least a Low.  Well, that’s not completely true either.  If an asset doesn’t have any devices associated with it that meet the definition of cyber asset – “programmable electronic device” – then it isn’t even a Low; it really is completely out of scope for CIP v5.  This is because CIP-002-5 R1.3 defines a Low asset as one that “contains a low impact BES Cyber System according to Attachment 1, Section 3...”  If there are no cyber assets at all that are associated with the asset (and I say “associated with”, not “at”, since that is how Section 3 of Attachment 1 reads), then there obviously can’t be any low impact BCS.

[vii] I know there were a lot of things that had to be done to comply with each of these steps in CIP v1-3 – develop your RBAM, inventory your cyber assets, etc.  But I believe these were the two basic logical steps for CIP versions 1-3.

[viii] Criterion 2.3 uses that word as well, but regarding generating stations.  In that case, it refers to a unit or units at one plant that have been designated what is sometimes called “Reliability Must Run”.

[ix] Two points here: 1)You may wonder about lines that are at Distribution voltages, which is now defined as under 100kV.  Are they also Lows?  No, they are nothing at all for CIP purposes, since purely Distribution assets/Facilities aren’t part of the scope of CIP v5 (although it was pointed out to me that a Distribution Provider with a cranking path substation, called out in Section 4.2, could have Distribution lines that are Low impact).  2) Keep in mind that if there are enough other Transmission lines at the substation, it may end up meeting Criterion 2.5.  Then all of the lines between 200 and 500kV would be Medium impact Facilities.

[x] To make this clearer, you can say that in v1-3, you “classified” your assets into just two types, Critical and non-Critical.  In v5, you classify them into four types: High, Medium, Low, and No Impact (see footnote vi above for a discussion of what No impact means).

[xi] So far I have just referred to lines as Facilities, but keep in mind that Facilities can include breakers, transformers, etc.  You should consider all of these that have associated BCS as potential Medium impact Facilities.

[xii] I’m hereby analogizing – with no small amount of chutzpah – my set of rules that includes substations with Einstein’s General Theory of Relativity.  My previous set of rules, that didn’t include substations, was the equivalent of his Special Theory, which became a special case of the General Theory.  Hey, it’s my blog.  If I want to compare myself to Einstein, I will.

[xiii] Now as I write this sentence, I realize there is at least one exception to it, having to do with Criterion 2.5.  Since I will wait to the follow-on post to discuss this, it seems these aren’t my final set of rules after all.  Hold the stone tablets.

[xiv] And yes, I know that I’ve promised at least three “follow-on” posts recently that I have yet to deliver on.  This is different, though, since I won’t hold this post to be finished until I have addressed the problem(s) raised by criteria 2.5 – 2.8.  I want to produce my Final General Rule of BES Cyber System Identification as soon as possible, so they can get to work on those stone tablets.

2 comments:

  1. Here's a question: In the military, If you have one piece of information it may not be classified, but as you add pieces it could become classified, such as you have time 2pm, then you have location 5th street then you have personnel all of a sudden you patched all the info together. So; apply that to this: if you have a few medium assets wouldn't the facility itself rise to High priorty? If the Facility goes down you lose multiple medium assets.

    ReplyDelete
  2. Louis, I certainly agree that it would be nice if there were a better way to determine the rating of a facility than the bright-line criteria. However, that is what is in the standard, and it's actually an improvement from before. As I've discussed in this post and others, applying the bright-line criteria is quite challenging in itself. Adding new "criteria" will make it more so, and risks making the whole thing completely unauditable.

    Come to think of it, one could make the case that v5 is already unauditable...

    ReplyDelete