My previous post
outlined one important CIP-002-5 issue that I had discussed with other
attendees at WECC’s CUG/CIPUG in Salt Lake City this week. This post discusses another issue, having to
do with criterion 2.5 in Attachment 1 of CIP-002-5.
Criterion 2.5 is one of a group of five
criteria (2.4 – 2.8) that apply to substations.
As I mentioned in the previous post, and in two other posts including this
one, the subject of each of these criteria is the word “Facilities”, not the
substation itself. So what is being
classified isn’t the substation, but rather the lines, transformers and other
elements associated with the substation.
As an example of how this works, let’s look
at criterion 2.4. The important part of
this criterion reads “Transmission Facilities operated at 500 kV or higher”. So if you have a substation with a 500kV line
attached to it, criterion 2.4 says the 500kV line is a Medium impact Facility,
and all BES Cyber Systems associated with it will also be Mediums. If there also happens to be a 135kV line at
that substation, it will be Low impact, and its associated BCS will be
Lows. Criteria 2.6, 2.7 and 2.8 operate
in roughly the same way.
However, criterion 2.5 is different. It reads:
Transmission Facilities that are
operating between 200 kV and 499 kV at a single
station or substation, where the
station or substation is connected at 200 kV or higher
voltages to three or more other
Transmission stations or substations and has an
"aggregate weighted value"
exceeding 3000 according to the table below. (followed by the description of the table and the table itself)
If 2.5 were like the other four criteria, it
would simply read “Transmission Facilities that are operating between 200 kV
and 499 kV at a single station or substation”, without any of the following
verbiage. Of course, if this were the
actual wording, it would mean that every
transmission line of 200-499kV would be Medium impact, as would its associated
BCS. The SDT obviously didn’t want this
to happen, so they inserted the table and the stipulation that the Facilities
this criterion applies to are those located at a substation with 3000 points.
This makes sense, but it also means that 2.5
is different from the other “substation” criteria (2.4-2.8) in that it is
explicitly setting a criterion for the substation as well as the Facilities
located at it.
Why does this make a difference? Because Attachment 1 is written entirely from
the point of view that only BES Cyber Systems are classified High, Medium or
Low impact, not the assets at which they’re located. On the other hand, I haven’t talked with a
single NERC entity that has told me they are actually approaching BCS
classification in this way. Every single
one has told me they are first classifying the “big iron” – commonly called “assets”
or lower-case “facilities” – and then classifying the BES Cyber Systems
according to the big iron they are located at or associated with.[i]
But when an entity that is following this
approach comes to criterion 2.5, what do they find? That there are two types of big iron being
classified here. The substation with
3000 points as well as the 200-499 kV Facility (line, transformer, etc) located
at that substation are both being classified as Medium impact.
However, since BES Cyber Systems are being
classified based on the Facility they’re associated with, this means that in
practice this criterion works the way the other four (2.4-2.8) work: The
Facility gives its classification to its associated BCS, although in this case
it only does so if the substation meets the 3000 point threshold.
In practice, this means that a 245kV line at
this substation will be a Medium impact, while a 135kV line will be Low. BCS associated with either line will take the
classification of the line, with the usual exception that if they are networked
together, they will all be Medium due to the high-water-mark principle.
You may ask whether all of this is a problem –
the fact that in criterion 2.5 and only that one, there are actually two types
of “big iron” being classified – the Facilities and the asset itself. My answer is no, it isn’t a problem by
itself, although it does illustrate how impossible it is to make any sort of
general rules about complying with CIP-002-5 R1 (or to diagram them). But it is a problem if an entity doesn’t
understand this, since they may well end up classifying more BCS as Medium than
they need to.
Part III of this exciting series can be found here. And Part IV, which returns to this problem, is here.
The views and opinions expressed here are my
own and don’t necessarily represent the views or opinions of Honeywell.
Concerned by the statement and wondering why scope unnecessary bcs in at a regulatory risk... what answers have you gotten?
ReplyDeletehaven’t talked with a single NERC entity that has told me they are actually approaching BCS classification in this way. Every single one has told me they are first classifying the “big iron” – commonly called “assets” or lower-case “facilities” – and then classifying the BES Cyber Systems according to the big iron they are located at or associated with.
Sorry, John. I don't understand your question. Please restate it.
ReplyDeleteTom
If I understand that quote, you're saying every NERC entity you are talking to is rating their BCSs based on the Asset rating (station) rather than the BES System rating (facility). This scopes in a LOT of BES Cyber Systems for the compliance program adding significant regulatory risk. What rationalle have they given you for that choice?
ReplyDeleteJohn, you're partially misunderstanding what I said. You're correct in saying that NERC entities are first rating their assets, then rating their BCS based on the asset rating. But the alternative approach is to follow the literal rating of Attachment 1, and consider every BCS in your entire system against the bright-line criteria. This would be a huge effort, and would most likely end up with the same BCS ratings as the first approach - so why do it?
ReplyDeleteNeither approach would result in identifying more BCS, since we're talking here about classifying BCS that have already been identified. Hope this helps.