Sunday, June 29, 2014

Chasing our Own Tails

This post is actually an extended footnote to the previous post on the CIP-002-5 RSAW.  But it’s lengthy enough – and relevant in its own right – that I decided to make it a separate post.  It has to do with the discussion at the end of what I call “Issue 4” – i.e. the big issue with this RSAW that I think could and will lead to the final collapse of CIP v5, if nothing is done to change this.[i]

In the section on Issue 4, I brought up the first note in the “Notes to Auditor” section at the end of the RSAW:

Results-based Requirement: The auditor should note that this is a results-based Requirement. As such, the entity has great latitude in determining how the result is achieved. The auditor should focus on verifying that the result is complete and correct.

I pointed out in the previous post that this sounds wonderful, but it only works if the “result” aimed for in the requirement is clear and unambiguous; this is certainly not the case here.

However, on further reflection I realized there is a basic logical flaw in this statement.  You can see that by asking how the auditor will determine if the intended result of CIP-002-5 R1 – the correct identification and classification of BES Cyber Systems – was achieved. 

Let’s imagine an easy case:  Suppose the auditors were given special glasses that made each actual BES Cyber System appear blue.  All they would have to do is put these glasses on, look around the facilities being audited, note the blue systems, and compare this to the list already provided by the entity being audited.  Of course, any discrepancies would be instantly identified, and appropriate Potential Violations (PVs) could be issued.

But there are no special glasses in this case.  So how does the auditor determine if a system in front of him/her is a BCS?  You would probably say, “Of course, it’s a BCS if it meets the definition of a BCS.”  So what is the definition of a BCS?  It’s linked to the BES Cyber Asset definition[ii]:

A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System.

Is an auditor going to be able to tell if an alleged BCS meets this definition simply by looking at it?  Certainly not.  He/she is going to ask the entity to show how they arrived at the determination that this is a BES Cyber System.  In other words, the auditor will look at the entity’s documented process for making this determination – that is, at a discussion of how the result was achieved.

Now let’s go back to the RSAW quote above, but substitute in what we have just learned:

Results-based Requirement: The auditor should note that this is a results-based Requirement. As such, the entity has great latitude in determining how the result is achieved. The auditor should focus on verifying that the result was achieved by a correct process.

Do you see the problem?  Even though this is supposedly a “results-based” requirement, the only way to determine whether the result is correct is to look at how it was achieved.  And as I said repeatedly in the previous post, the RSAW says nothing about what the process of BCS identification / classification should be – except that it should be one which achieves this “result”.  So we’re just chasing our own tail here. 

What do I recommend to fix the problem?  The same thing I’ve been saying for a year: CIP-002-5 R1 needs to be “reworded”.  It’s no longer possible to change the actual wording, but there needs to be some interpretation, probably from NERC, of what the requirement means.  Unfortunately, the RSAW isn’t that interpretation.

But no matter what happens, R1 isn’t ever going to be a “results-based” requirement; there will never be a way an auditor can determine if an entity has correctly identified BES Cyber Systems other than by looking at the process they used to identify them.  But the process itself needs to be made clear, and at the moment it is anything but clear.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.

[i] And this isn’t saying that the RSAW is the cause of this problem, but rather the symptom of it.  The problem is the inconsistent and ambiguous wording of CIP-002-5 R1.  Some people thought the RSAW might fix the problem, but instead it makes it worse by not even attempting to clarify the ambiguity.  Instead, it pretends that this is in some way a virtue and that the auditors can and want to step into the role of interpreter/judge/executioner to make all this better.  They can’t do that, and they certainly don’t want to.

[ii] This ignores a complication in that I believe almost all auditors will say that an alternative “definition” for BCS is a system that assists with the performance of a BES Reliability Operating Service – discussed in the Guidance section of CIP-002-5 R1 but not in the requirement itself.  This just reinforces my argument, so I won’t pursue it further now, for fear of violating what Little League teams call the “Slaughter Rule”.

