My previous post outlined one important CIP-002-5 issue that I had discussed with other attendees at WECC’s CUG/CIPUG in Salt Lake City this week. This post discusses another issue, having to do with criterion 2.5 in Attachment 1 of CIP-002-5.
Criterion 2.5 is one of a group of five criteria (2.4 – 2.8) that apply to substations. As I mentioned in the previous post, and in two other posts including this one, the subject of each of these criteria is the word “Facilities”, not the substation itself. So what is being classified isn’t the substation, but rather the lines, transformers and other elements associated with the substation.
As an example of how this works, let’s look at criterion 2.4. The important part of this criterion reads “Transmission Facilities operated at 500 kV or higher”. So if you have a substation with a 500kV line attached to it, criterion 2.4 says the 500kV line is a Medium impact Facility, and all BES Cyber Systems associated with it will also be Mediums. If there also happens to be a 135kV line at that substation, it will be Low impact, and its associated BCS will be Lows. Criteria 2.6, 2.7 and 2.8 operate in roughly the same way.
However, criterion 2.5 is different. It reads:
Transmission Facilities that are operating between 200 kV and 499 kV at a single
station or substation, where the station or substation is connected at 200 kV or higher
voltages to three or more other Transmission stations or substations and has an
"aggregate weighted value" exceeding 3000 according to the table below. (followed by the description of the table and the table itself)
If 2.5 were like the other four criteria, it would simply read “Transmission Facilities that are operating between 200 kV and 499 kV at a single station or substation”, without any of the following verbiage. Of course, if this were the actual wording, it would mean that every transmission line of 200-499kV would be Medium impact, as would its associated BCS. The SDT obviously didn’t want this to happen, so they inserted the table and the stipulation that the Facilities this criterion applies to are those located at a substation with 3000 points.
This makes sense, but it also means that 2.5 is different from the other “substation” criteria (2.4-2.8) in that it is explicitly setting a criterion for the substation as well as the Facilities located at it.
Why does this make a difference? Because Attachment 1 is written entirely from the point of view that only BES Cyber Systems are classified High, Medium or Low impact, not the assets at which they’re located. On the other hand, I haven’t talked with a single NERC entity that has told me they are actually approaching BCS classification in this way. Every single one has told me they are first classifying the “big iron” – commonly called “assets” or lower-case “facilities” – and then classifying the BES Cyber Systems according to the big iron they are located at or associated with.[i]
But when an entity that is following this approach comes to criterion 2.5, what do they find? That there are two types of big iron being classified here. The substation with 3000 points as well as the 200-499 kV Facility (line, transformer, etc) located at that substation are both being classified as Medium impact.
However, since BES Cyber Systems are being classified based on the Facility they’re associated with, this means that in practice this criterion works the way the other four (2.4-2.8) work: The Facility gives its classification to its associated BCS, although in this case it only does so if the substation meets the 3000 point threshold.
In practice, this means that a 245kV line at this substation will be a Medium impact, while a 135kV line will be Low. BCS associated with either line will take the classification of the line, with the usual exception that if they are networked together, they will all be Medium due to the high-water-mark principle.
You may ask whether all of this is a problem – the fact that in criterion 2.5 and only that one, there are actually two types of “big iron” being classified – the Facilities and the asset itself. My answer is no, it isn’t a problem by itself, although it does illustrate how impossible it is to make any sort of general rules about complying with CIP-002-5 R1 (or to diagram them). But it is a problem if an entity doesn’t understand this, since they may well end up classifying more BCS as Medium than they need to.
Part III of this exciting series can be found here. And Part IV, which returns to this problem, is here.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.