I am currently in Salt Lake City for WECC’s CUG/CIPUG (Compliance User Group / CIP User Group) meetings, and have already had some interesting discussions on CIP-002-5 R1 (no surprise here, of course). They touch on issues I had wanted to write about as part of a comprehensive post describing how I think entities should comply with that fundamental requirement. However, the time to write that comprehensive post has proved elusive so far, and in addition there are still a lot of issues with R1 that I’m learning more about.
So I’m going to write a few posts that are shorter than normal (of course, saying these are shorter than normal isn’t much of a statement, after my last post was 7200 words), to address particular issues that I know are on people’s minds now. And the topic of relays in substations is a hugely important one now – to just about every transmission entity I’ve talked with.
I’ll first state the problem the way I think most entities are looking at it. I’ll then restate it in what I think is the correct way to look at it. Finally, I’ll talk about how the problem might be addressed – but I’ll warn you, I don’t have a wonderful answer sitting on my table that I can just serve up as the finishing touch to this post. The best I can do is state what I think the real issue is, then make the appeal I’ve been making all too often lately – for some sort of entity (regulatory, political, Divine, somebody) to clear this up. No NERC entity can accurately plan for achieving CIP version 5 compliance if they don’t know for sure what assets (both cyber and physical assets) are in scope.
The way I’ve heard this issue stated is this:
- In CIP-002-5 Attachment 1, Medium impact BES Cyber Systems are defined as those that are “associated with” the subjects of the criteria in Section 2.
- Since some of those criteria apply to substations (specifically, criteria 2.4 to 2.8), these substations are also Medium impact.
- Because transmission lines almost always go from one substation to another, there is a good possibility that a line that originates in a Medium substation will terminate in a Low substation.
- Transmission lines frequently have relays on both ends that can trip the line if certain conditions are met[i]. In the case just described, the relay in the Low substation will now be a Medium BES Cyber System because it is “associated with” the Medium substation.
- Because the Low substation contains a Medium BCS, it will then be Medium. And the same “domino effect” will occur with other Low substations, as they in turn become Medium. All of a sudden, the TO or TOP could have the vast majority of their substations be Mediums, when there are actually just a few that meet the Medium criteria in Attachment 1.
- Worrying about a domino effect is fallacious reasoning here, as it was during the Vietnam War. Just because a Low substation has a Medium impact relay located in it, it won’t become Medium itself, although steps will need to be taken to prevent other cyber assets in the substation from themselves rising to the Medium level. What will be required is first that the Medium relay be physically enclosed separately from the rest of the substation, and that only those with CIP authorization be able to access the relay. If you could put the relay in a box and lock the box, that would seem to do the trick – although I’ve heard there would be a lot of problems with actually doing this. Second, the relay will need to be on its own network, isolated from any other network(s) in the substation – and if this isn’t done, then the other cyber assets on the network will become Medium Protected Cyber Assets, and will have to comply with almost all of the requirements that apply to Medium BCS. But even if these two things couldn’t be done, and other cyber assets in the Low substation became Medium PCAs, it would still not be the case that the Medium designation would spread like the Ebola virus to surrounding Low substations. An adjacent Low substation would have to contain a relay associated with a Medium substation for it to have a Medium BCS – and as I’ve just said, that substation will still be Low even if all its cyber assets end up being Medium impact.
- And to say that criteria 2.4 to 2.8 apply to substations isn’t really correct (i.e., I’ve been taking a shortcut in talking the way I have up until now). The subject of each of these criteria is the word Facility, which applies to elements like lines, transformers, etc. This means that it is actually the Facility that is Medium impact in criteria 2.4 to 2.8, not the substation itself. For that reason, BES Cyber Systems that are associated with a Medium impact line (although if you substitute “transformer” or other Facility, that is equally valid) are Medium impact, while those associated with a Low impact line (i.e. one that doesn’t meet criteria 2.4 to 2.8) are Low impact. And this is the case even if the two lines are at the same substation (for more on this issue, see this post).
- In CIP-002-5 Attachment 1, Medium impact BES Cyber Systems are defined as those that are “associated with” the subjects of the criteria in Section 2.
- Since some of those criteria apply to Facilities located at substations (specifically, criteria 2.4 to 2.8), these Facilities (lines, etc.) are also Medium impact.
- While the wording of Attachment 1 is ambiguous on this point, the substations at which the Facilities described in 2.4 – 2.8 reside should be considered Medium impact (although Criterion 2.5 is a special case and deserves its own post).
- Because transmission lines almost always go from one substation to another, there is a good possibility that a Medium line that originates in a Medium substation will terminate in a Low substation.
- Transmission lines frequently have relays on both ends that can trip the line if certain conditions are met. In the case just described, the relay in the Low substation will now be a Medium BES Cyber System because it is “associated with” the Medium substation. However, the Low substation itself will not become Medium, unless it otherwise meets one of criteria 2.4 – 2.8.
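As an added illustration (not the standard’s text, and not a tool from this post), the following Python model applies the reading above to a constructed three-substation topology: impact flows from the Facility to the BCS associated with it, so the far-end relay comes out Medium, the Low substation it sits in stays Low, the next substation down the line stays Low, and only devices sharing the far-end relay’s network become Medium PCAs. The substation names, the “home”/“far-end” split for a Facility, and the network layout are my assumptions for the example.

```python
from dataclasses import dataclass
MEDIUM, LOW = "Medium", "Low"

@dataclass
class Facility:
    """A line (or transformer, etc.), the subject of criteria 2.4-2.8.
    home = substation where the Facility meets or fails the criterion;
    far_end = substation at the other end of the line (assumed split)."""
    name: str
    home: str
    far_end: str
    meets_2_4_to_2_8: bool

@dataclass
class CyberAsset:
    """A relay protecting a Facility, or another device (facility == "")."""
    name: str
    substation: str
    network: str
    facility: str = ""

def classify(facilities, assets):
    """Return (facility_impact, substation_impact, bcs_impact, medium_pcas)."""
    fac_impact = {f.name: MEDIUM if f.meets_2_4_to_2_8 else LOW for f in facilities}
    # A substation is Medium only if a Medium Facility resides there;
    # being the far end of a Medium line does not make it Medium.
    sub_impact = {}
    for f in facilities:
        for s in (f.home, f.far_end):
            sub_impact.setdefault(s, LOW)
        if fac_impact[f.name] == MEDIUM:
            sub_impact[f.home] = MEDIUM
    # A BCS takes the impact of its Facility wherever it sits (far-end relay).
    bcs_impact = {a.name: fac_impact[a.facility] for a in assets if a.facility}
    medium_nets = {(a.substation, a.network) for a in assets
                   if bcs_impact.get(a.name) == MEDIUM}
    # Everything else on a network shared with a Medium BCS becomes a Medium PCA.
    pcas = {a.name for a in assets if bcs_impact.get(a.name) != MEDIUM
            and (a.substation, a.network) in medium_nets}
    return fac_impact, sub_impact, bcs_impact, pcas

# Constructed sample: A hosts Medium line L1 ending at B; B hosts Low line L2 ending at C.
FACILITIES = [Facility("L1", "A", "B", True), Facility("L2", "B", "C", False)]
ASSETS = [
    CyberAsset("R1", "A", "net1", "L1"),  # near-end relay at the Medium station
    CyberAsset("R2", "B", "net1", "L1"),  # far-end relay at the Low station
    CyberAsset("R3", "B", "net1", "L2"),  # Low-line relay sharing R2's network
    CyberAsset("R4", "C", "net1", "L2"),  # Low-line relay at the next station
    CyberAsset("RTU", "B", "net1"),       # non-BCS device on R2's network
    CyberAsset("HMI", "B", "net2"),       # non-BCS device on a separate network
]
```

Moving R2 onto its own network (the “box” plus isolation the post describes) empties the PCA set for substation B without changing any substation rating.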
I have to give my honest opinion: I see no way that the wording of CIP-002-5 R1 and Attachment 1 can lead to any other conclusion than that the relay in question is a Medium. There are many ambiguities and inconsistencies in the language of CIP-002-5, but in this case I don’t see any.
However, this doesn’t mean that nothing can be done to change the situation. There will be a lot of problems caused by having to protect Medium relays at Low substations. Even if the locked box idea I mention above could be made to work, it would be expensive to implement and maintain, as would controlling physical access so that only CIP-qualified individuals could touch it. I’m not at all saying that someone shouldn’t take a look at what could be done to change this.[ii]
In my last post, I called for NERC to do something to address the many ambiguities in CIP-002-5 R1. This issue isn’t technically an ambiguity, but it also should be addressed.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.
[i] I’ve heard the relay at the other end be referred to as a “far-end” relay or a “transfer-trip” relay. I’m sure there are other terms as well.
[ii] The first thing many people mention is the idea of an Interpretation of this issue. Besides the fact that a formal Interpretation would probably take at least two years to be resolved, I simply don’t see that the final ruling by FERC will be any different from what I’ve just said: the wording of CIP-002-5 R1 and Attachment 1 is clear on this point and the “far-end” relay is itself a Medium BES Cyber System.

I also wish to point out that I know at least some of the CSO706 SDT members say that the far-end relays in this case would be Low impact, not Medium. This fact in itself isn’t significant from a strict compliance point of view, since the views of the SDT members aren’t weighed in determining violations, but it does point out the need for NERC to look at this issue and provide some sort of audit guidance, etc.