Wednesday, June 4, 2014

News from WECC Part I: The CIP Version 5 Relay Question


I am currently in Salt Lake City for WECC’s CUG/CIPUG (Compliance User Group / CIP User Group) meetings, and have already had some interesting discussions on CIP-002-5 R1 (no surprise here, of course).  They touch on issues I had wanted to write about as part of a comprehensive post describing how I think entities should comply with that fundamental requirement.  However, the time to write that comprehensive post has proved elusive so far, and in addition there are still a lot of issues with R1 that I’m learning more about.

So I’m going to write a few posts that are shorter than normal (of course, saying these are shorter than normal isn’t much of a statement, after my last post was 7200 words), to address particular issues that I know are on people’s minds now.  And the topic of relays in substations is a hugely important one now – to just about every transmission entity I’ve talked with.

I’ll first state the problem the way I think most entities are looking at it.  I’ll then restate it in what I think is the correct way to look at it.  Finally, I’ll talk about how the problem might be addressed – but I’ll warn you, I don’t have a wonderful answer sitting on my table that I can just serve up as the finishing touch to this post.  The best I can do is state what I think the real issue is, then make the appeal I’ve been making all too often lately – for some sort of entity (regulatory, political, Divine, somebody) to clear this up.  No NERC entity can accurately plan for achieving CIP version 5 compliance if they don’t know for sure what assets (both cyber and physical assets) are in scope.

The way I’ve heard this issue stated is this:

  1. In CIP-002-5 Attachment 1, Medium impact BES Cyber Systems are defined as those that are “associated with” the subjects of the criteria in Section 2. 
  2. Since some of those criteria apply to substations (specifically, criteria 2.4 to 2.8), these substations are also Medium impact.
  3. Because transmission lines almost always go from one substation to another, there is a good possibility that a line that originates in a Medium substation will terminate in a Low substation.
  4. Transmission lines frequently have relays on both ends that can trip the line if certain conditions are met[i].  In the case just described, the relay in the Low substation will now be a Medium BES Cyber System because it is “associated with” the Medium substation.
  5. Because the Low substation contains a Medium BCS, it will then be Medium.  And the same “domino effect” will occur with other Low substations, as they in turn become Medium.  All of a sudden, the TO or TOP could have the vast majority of their substations be Mediums, when only a few of them actually meet the Medium criteria in Attachment 1.

Here are the errors with the above analysis, starting with the easy ones:

  1. Worrying about a domino effect is fallacious reasoning here, as it was during the Vietnam War.  Just because a Low substation has a Medium impact relay located in it, it won’t become Medium itself, although steps will need to be taken to prevent other cyber assets in the substation from themselves rising to the Medium level.  What will be required is first that the Medium relay be physically enclosed separately from the rest of the substation, and that only those with CIP authorization be able to access the relay.  If you could put the relay in a box and lock the box, that would seem to do the trick – although I’ve heard there would be a lot of problems with actually doing this.

     Second, the relay will need to be on its own network, isolated from any other network(s) in the substation – and if this isn’t done, then the other cyber assets on the network will become Medium Protected Cyber Assets, and will have to comply with almost all of the requirements that apply to Medium BCS.  But even if these two things couldn’t be done, and other cyber assets in the Low substation became Medium PCAs, it would still not be the case that the Medium designation would spread like the Ebola virus to surrounding Low substations.  An adjacent Low substation would have to contain a relay associated with a Medium substation for it to have a Medium BCS – and as I’ve just said, that substation will still be Low even if all its cyber assets end up being Medium impact.

  2. And to say that criteria 2.4 to 2.8 apply to substations isn’t really correct (i.e., I’ve been taking a shortcut in talking the way I have up until now).  The subject of each of these criteria is the word Facility, which applies to elements like lines, transformers, etc.  This means that it is actually the Facility that is Medium impact in criteria 2.4 to 2.8, not the substation itself.  For that reason, BES Cyber Systems that are associated with a Medium impact line (although if you substitute “transformer” or other Facility, that is equally valid) are Medium impact, while those associated with a Low impact line (i.e. one that doesn’t meet criteria 2.4 to 2.8) are Low impact.  And this is the case even if the two lines are at the same substation (for more on this issue, see this post).

I will now restate the problem using what I consider the correct language:

  1. In CIP-002-5 Attachment 1, Medium impact BES Cyber Systems are defined as those that are “associated with” the subjects of the criteria in Section 2. 
  2. Since some of those criteria apply to Facilities located at substations (specifically, criteria 2.4 to 2.8), these Facilities (lines, etc) are also Medium impact. 
  3. While the wording of Attachment 1 is ambiguous on this point, the substations at which the Facilities described in 2.4 – 2.8 reside should be considered Medium impact (although Criterion 2.5 is a special case and deserves its own post). 
  4. Because transmission lines almost always go from one substation to another, there is a good possibility that a Medium line that originates in a Medium substation will terminate in a Low substation. 
  5. Transmission lines frequently have relays on both ends that can trip the line if certain conditions are met.  In the case just described, the relay in the Low substation will now be a Medium BES Cyber System because it is “associated with” the Medium substation.  However, the Low substation itself will not become Medium, unless it otherwise meets one of criteria 2.4 – 2.8.

Now that we have what I consider a proper wording of the problem, is this a correct interpretation of Attachment 1?  In other words, will a relay that is located in a Low impact substation, but that is associated with a Medium impact line coming from a Medium substation, itself be a Medium BCS?  I have been assured by a number of transmission entities that this is a huge question, one on which a lot of time and money will be riding.

I have to give my honest opinion: I see no way that the wording of CIP-002-5 R1 and Attachment 1 can lead to any other conclusion than that the relay in question is a Medium.  There are many ambiguities and inconsistencies in the language of CIP-002-5, but in this case I don’t see any.

However, this doesn’t mean that nothing can be done to change the situation.   There will be a lot of problems caused by having to protect Medium relays at Low substations.  Even if the locked box idea I mention above could be made to work, it would be expensive to implement and maintain, as would controlling physical access so that only CIP-qualified individuals could touch it.  I’m not at all saying that someone shouldn’t take a look at what could be done to change this.[ii] 

In my last post, I called for NERC to do something to address the many ambiguities in CIP-002-5 R1.  This issue isn’t technically an ambiguity, but it also should be addressed.

Part II of this exciting series can be found here.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.



[i] I’ve heard the relay at the other end be referred to as a “far-end” relay or a “transfer-trip” relay.  I’m sure there are other terms as well.

[ii] The first thing many people mention is the idea of an Interpretation of this issue.  Besides the fact that a formal Interpretation would probably take at least two years to be resolved, I simply don’t see that the final ruling by FERC will be any different from what I’ve just said: the wording of CIP-002-5 R1 and Attachment 1 is clear on this point and the “far-end” relay is itself a Medium BES Cyber System.

I also wish to point out that I know at least some of the CSO706 SDT members say that the far-end relays in this case would be Low impact, not Medium.  This fact in itself isn’t significant from a strict compliance point of view, since the views of the SDT members aren’t weighed in determining violations, but it does point out the need for NERC to look at this issue and provide some sort of audit guidance, etc.
