My Interested Party friend has weighed in with some helpful information on a point I’d noted in my recent post on field assets controlled by High control centers. In that post, I stated that I believed that field devices (like RTU’s) under the control of High impact control centers wouldn't themselves become Highs, due to the words “used by and located at” in Section 1 of Attachment 1.
However, I also pointed out in an end note that this is probably different for Medium impact control centers, since the corresponding wording in Section 2 of Attachment 1 is “associated with”, meaning a BES Cyber System doesn't have to be physically located at the control center in order for it to be a Medium BCS.
However, the IP sent me an email pointing out that the Guidelines and Technical Basis discussion for CIP-002-5 does include language showing it was the SDT’s intent that Medium control centers be treated the same as Highs in this regard: BCS do have to be located at the control center in order for them to become Medium BCS. Here is what he says:
From the Interested Party
Even Medium impacting control center BCS do not extend beyond the confines of the control center. Yes, it is not as crystal clear in the language of Criteria 2.11, 2.12, and 2.13 because of the “associated with” language at the beginning of Section 2. However, the reader can rely upon Guidelines and Technical Basis to provide sufficient guidance that makes the expectations clear. The guidance explicitly states (emphasis is mine):
- Criterion 2.11 categorizes as medium impact BES Cyber Systems used by and at Control Centers that perform the functional obligations of the Generator Operator for an aggregate generation of 1500 MW or higher in a single interconnection, and that have not already been included in Part 1.
- Criterion 2.12 categorizes as medium impact those BES Cyber Systems used by and at Control Centers and associated data centers performing the functional obligations of a Transmission Operator and that have not already been categorized as high impact.
- Criterion 2.13 categorizes as medium impact those BA Control Centers that “control” 1500 MW of generation or more in a single interconnection and that have not already been included in Part 1. The 1500 MW threshold is consistent with the impact level and rationale specified for Criterion 2.1.
This is consistent with the explicit expectation of “used by and at” for High impact BES Cyber Systems, which only apply to control center BCS. It is worth noting that the guidance for Criterion 2.13 fails to include the language “those BES Cyber Systems used by and at”. I believe this is an oversight by the drafting team that was not caught in review. I believe it is safe to assert the missing language because the guidance otherwise asserts the control center itself to be Medium impacting and that is inconsistent with the rest of the Criteria and the direction of the Standard overall.
There is no expectation that Medium impacting BCS at a control center will automatically convey Medium impact to the BCS at every substation the control center systems communicate with. Only if the entity has defined a super ESP that encompasses the control centers and the substations in one perimeter will the issue of Protected Cyber Asset come up that would result in treatment of the substation BCS as medium impacting.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.