My Interested Party friend has weighed in
with some helpful information on a point I’d noted in my recent post
on field assets controlled by High control centers. In that post, I stated that I believed that field
devices (like RTU’s) under the control of High impact control centers wouldn't
themselves become Highs, due to the words “used by and located at” in Section 1
of Attachment 1.
However, I also pointed out in an end note that
this is probably different for Medium impact control centers, since the
corresponding wording in Section 2 of Attachment 1 is “associated with”,
meaning a BES Cyber System doesn't have to be physically located at the control
center in order for it to be a Medium BCS.
However, the IP sent me an email pointing out
that the Guidelines and Technical Basis discussion for CIP-002-5 does include
language showing it was the SDT’s intent that Medium control centers be treated
the same as Highs in this regard: BCS do have to be located at the control
center in order for them to become Medium BCS.
Here is what he says:
From the Interested
Party
Even Medium impacting control center BCS do
not extend beyond the confines of the control center. Yes, it is not as
crystal clear in the language of Criteria 2.11, 2.12, and 2.13 because of the
“associated with” language at the beginning of Section 2. However, the
reader can rely upon Guidelines and Technical Basis to provide sufficient
guidance that makes the expectations clear. The guidance explicitly
states (emphasis is mine):
- Criterion 2.11 categorizes as medium impact BES Cyber Systems used by and at Control Centers that
perform the functional obligations of the Generator Operator for an
aggregate generation of 1500 MW or higher in a single interconnection, and
that have not already been included in Part 1.
- Criterion 2.12 categorizes as medium impact those BES Cyber Systems used by and at Control Centers and
associated data centers performing the functional obligations of a
Transmission Operator and that have not already been categorized as high
impact.
- Criterion 2.13 categorizes as medium impact those BA Control Centers
that “control” 1500 MW of generation or more in a single interconnection
and that have not already been included in Part 1. The 1500 MW threshold
is consistent with the impact level and rationale specified for Criterion
2.1.
This is consistent with the explicit
expectation of “used by and at” for High impact BES Cyber Systems, which only
apply to control center BCS. It is worth noting that the guidance for
Criterion 2.13 fails to include the language “those BES Cyber Systems used by
and at”. I believe this is an oversight by the drafting team that was not
caught in review. I believe it is safe to assert the missing language
because the guidance otherwise asserts the control center itself to be Medium
impacting and that is inconsistent with the rest of the Criteria and the
direction of the Standard overall.
There is no expectation that Medium impacting
BCS at a control center will automatically convey Medium impact to the BCS at
every substation the control center systems communicate with. Only if the
entity has defined a super ESP that encompasses the control centers and the
substations in one perimeter will the issue of Protected Cyber Asset come up
that would result in treatment of the substation BCS as medium impacting.
The views and opinions expressed here are my
own and don’t necessarily represent the views or opinions of Honeywell.
No comments:
Post a Comment