News from WECC, Part IV: A BIG Issue in CIP Version 5

This is the fourth in a series of posts discussing issues that came up in conversations at WECC’s CUG/CIPUG in Salt Lake City recently.  Parts II and III dealt with issues I considered fairly simple and noncontroversial.  I also considered Part I to be noncontroversial, but I was wrong.  It turns out that the issue addressed in that post is the subject of a huge fissure in the NERC community on how CIP-002-5 R1 is interpreted.  As I’ve said in a number of other posts, addressing this fissure will require intervention by some Higher Power like NERC – and the sooner the better.  I won’t describe Part I now; you can read it yourself.  Don’t worry, I’ll wait for you to return before I continue.

Now that you’re back, we’ll continue.  I have heard in the last two days from several sources – including an announcement at the WECC meeting – that there seems to be consensus among NERC and the regions that the “far-end” relay associated with a Medium substation won’t automatically itself be a Medium BCS, but will be rated according to the substation’s overall rating.  I’m perfectly fine with this, since virtually every transmission entity I’ve talked with says that to do otherwise would place a huge burden on them.

Does this mean we can all congratulate ourselves that at least one issue in CIP-002-5 R1 has been settled?  I don’t think so.  The question is: On what grounds is this ruling being made?  Is it based on an interpretation of the requirement, or is it simply an out-of-the-blue “Thou Shalt” ruling that overrides any wording in the requirement?

To be quite honest, I sincerely hope it’s the latter, but I fear it’s the former.  In other words, I would much prefer that this ruling be handed down on stone tablets from above, rather than be justified as an interpretation of the wording of CIP-002-5 R1.  As I said in my Part I post, I actually think this question is one of the few where the current wording of the requirement (and Attachment 1) is quite clear: Any BES Cyber System “associated with” an asset or Facility that meets one of the Medium criteria is itself a Medium.  And the relay in question is clearly associated with the Medium substation.

However, I fear this will not happen, and that NERC will try to justify this ruling as a valid interpretation of the requirement.  Moreover, I think I know how that interpretation will be rationalized, since at least three people have given me the same reasoning, including a regional auditor in a private conversation.  I believe this reasoning – which I’ll outline below - is simply wrong, period.  Even that in itself wouldn’t be a big problem (I don’t really mind bad reasoning as long as the end result is good), but I think this bad reasoning will lead to serious unintended consequences that NERC entities – especially transmission entities - won’t like.  The rest of this post will elucidate what I mean by these two mysterious sentences.

Here is the basic reasoning for the interpretation, that was outlined for me by the auditor and another person; I know it well, because I was using the same reasoning more than a year ago, for example in this post.  CIP-002-5 R1 starts with:

Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3:

This is followed by the list of six asset types, which is itself followed by requirement parts 1.1 to 1.3 (and I’ll just reproduce R1.1 and R1.2, since they’re the only two that classify BES Cyber Systems):

1.1. Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;

1.2. Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset;

The reasoning provided to me by the auditor essentially said, “Look at R1.2.  It says ‘at’ each asset, not ‘associated with’.  Therefore, the remote relays aren’t BCS because they aren’t at the Medium substation.  Q.E.D.”  As I said, a year ago (actually as late as six months ago) I also thought this was the meaning of R1.2.  I considered this to be a contradiction with the “associated with” language for Medium BCS in Section 2 of Attachment 1; I attributed this contradiction to sloppiness on the part of the SDT. 

However, earlier this year an Interested Party pointed out to me that this really wasn’t a contradiction.  That is because R1.2 and Section 2 of Attachment 1 are doing two different things.  R1.2 is telling you the universe of locations in which BES Cyber Systems can be found – that is, they can be found only in the six types of assets shown.  I might decide I have a BCS in my bedroom, but since my bedroom isn’t one of the six asset types, the system in question won’t be classified High or Medium impact.[i]  But R1.2 is not in itself saying how you classify BCS as Medium impact; that is done in Section 2 of Attachment 1.

Section 2 of Attachment 1 tells you how to determine whether a BCS, that has already been identified as a BCS through R1[ii], is Medium impact.  Specifically, any BCS that resides at one of those six assets (per R1.2) and is associated with a Medium asset/Facility (per Section 2 of Attachment 1) is a Medium BCS.  The hypothetical far-end relay we’ve been discussing resides in a transmission substation (in fact, it resides in a Low substation, but that doesn’t make a difference here) – one of the six asset types.  Furthermore, it’s associated with a Medium substation (by hypothesis).  Therefore it’s a Medium BCS.

When the Interested Party explained this logic to me, I thought it was kind of a strained interpretation.  However, I now think it makes sense.  And if this isn’t the correct interpretation of R1.2 and the WECC auditor’s interpretation is correct, what does that imply?  It implies that R1.1 and R1.2 are really telling you how to classify BCS, not where they can be found.  Furthermore, it implies that the initial language in Sections 1 and 2 of Attachment 1 is just a product of somebody’s opium dream and should be ignored.  Here are some of the reasons why I think the auditor is wrong and my (and the IP’s) interpretation is right:

1. The wording of R1.1 and R1.2 seems to directly justify the Interested Party’s interpretation.  Let’s parse R1.2, which reads “Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset”.  This says two things:
1. We’re going to go to Attachment 1, Section 2 to identify Medium BCS.  Of course, Section 2 says “associated with”.  So the admonition to go to Section 2 really says to identify Medium BCS by finding BCS that are associated with Medium assets/Facilities.
2. The words “at each asset” at the end don’t have anything to do with classifying the BCS.  Rather, they limit where we are going to have to look for those Medium BCS – we’re only going to look for them at one of the six asset types shown just before this part.  Again, let’s consider a BCS associated with a Medium asset/Facility; the BCS happens to be in my bedroom.  Were it not for the “at each asset” wording, this BCS would be a Medium.  As it is, it definitely won’t be a Medium because it’s not at one of the six asset types.[iii]
2. On the other hand, if the auditor’s interpretation is correct, the six asset types listed in R1 must be what gets evaluated as High, Medium and Low impact in Attachment 1; indeed, this is the way the R1 methodologies presented by auditors from WECC and SPP have read (and it is also the way I once thought R1 worked as well – for instance, see this post).  But look at the subjects of the different criteria in Sections 1 and 2 of Attachment 1; they don’t have much relation at all to the six asset types.  For example, many list a term not seen before, such as “Commissioned generation”, “BES reactive resource”, “system or group of Elements that performs automatic Load shedding”, etc.  None of these can be easily mapped – or mapped at all – to one of the six asset types (if you weren’t one of the three people who got through my recent, seemingly interminable post on what’s wrong with CIP-002-5 R1, you may want to go back and try to plow through that again, since it discusses this point in a lot more detail).
3. The subject of criteria 2.3 – 2.8 is the word “Facilities”.  This is especially problematic for the idea that just the six asset types are being classified in Attachment 1.  Facility is a NERC defined term, and it seems to exclude almost all of the six asset types (it definitely excludes the first three types – control centers, transmission substations, and generating facilities.  Again, the post linked above gives a lot more detail on this).  So if the auditor’s interpretation is correct, entities will have to pretend that “Facilities” doesn’t appear anywhere in the Attachment 1 criteria.
4. If the wording of R1.1 – R1.3 overrides that of Sections 1, 2, and 3 in Attachment 1 (in the current case, if the “at” in 1.2 overrides the “associated with” in Section 2), what is the latter wording there for, anyway?  To use R1.1 as an example, why did the SDT go to such lengths to craft the wording in Section 1, saying that only BCS “used by and located at” High control centers could be High BCS – if all that’s important is the “at” in R1.1?  The “used by and located at” wording is deliberately meant to exclude both a) devices that might be located at a control center but have nothing to do with it operationally, and b) devices like RTU’s in substations that are used by the control center but aren’t located at it.  If what I’m calling the “auditor’s” interpretation is adopted by NERC, the “used by” qualification will go away, and any BCS that happens to be located within the four walls of a control center will be a High impact, even if it has nothing to do with the control center itself.

I hope it’s clear that I think my and the Interested Party’s interpretation is much better supported by the wording of the requirement (and Attachment 1) than the auditor’s interpretation.  However, as I’ve said multiple times before, what’s needed for CIP-002-5 R1 is a consistent interpretation of the entire requirement, not just of one part.  And as I’ve also said repeatedly, there can be no consistent interpretation that doesn’t ride roughshod over some of the wording, since there are serious contradictions in that wording.  So you may well ask, “Why is it important whether your interpretation of R1.2 is better than the auditor’s?  Is this just one case where some of the actual wording needs to be sacrificed for the greater good of coming up with an interpretation that doesn’t bankrupt the TO/TOP community, due to having to classify far-end relays as Medium BCS?”

As I said at the beginning, I will feel a lot better about this upcoming ruling from NERC if it doesn’t try to justify itself as being a valid interpretation of the wording, but instead is simply imposed as an act of Divine fiat. I say this because I don’t think it is a valid interpretation.  More seriously, as I hinted above, there are direct consequences of this interpretation that may make some transmission entities pause in their wholesale support of it.

To see what I mean, let’s go back to criteria 2.4 to 2.8, which apply to substations; all of these start with the words “Transmission Facilities”.  As I’ve pointed out previously[iv], that definitely does not refer to the substation itself, but to the BES elements – lines, transformers, etc. – that are found at a substation.  And this is good for transmission entities, since they only have to classify BCS as Medium if they are associated with a Medium Facility (usually meaning a line).  If a substation has both Medium and Low lines, the BCS associated with the Low lines will be Lows, not Mediums; this is the case even if the substation itself is Medium[v] (see the above-referenced long post on CIP-002-5 problems for more about this).

However, this “slicing and dicing” of substation BCS into Medium and Low impact has no meaning if NERC rules that the correct interpretation is that the “at” in R1.2 somehow overrides the “associated with” in Section 2 of Attachment 1.  This is because the “at” in 1.2 is followed by “each asset”.  And since this refers to the six asset types, NERC’s interpretation (if it actually is put forward as such) will have the effect of nullifying the “Facilities” language in criteria 2.3 to 2.8 altogether.  From now on, each of the criteria in Attachment 1 will actually be interpreted to refer just to the six asset types, nothing else.  In other words, only the substation as a whole will be considered, not the individual lines in it – so if it’s a Medium substation, every BCS in it will be Medium, regardless of whether the line it’s associated with is Medium or Low impact.[vi]

The possible NERC interpretation will also impact generation, through criterion 2.3.   This is because 2.3 applies to “Each generation Facility”.  Here, “Facility” refers to one or more individual units at a generating station that have been designated what is sometimes called “Reliability Must Run”.  If the Attachment 1 criteria are all ruled to apply just to the six asset types (because the “at” in R1.1 and R1.2 is ruled to apply to the classification of the BCS, not just to determining the “universe” of locations where BCS might reside), then 2.3 will only apply at the level of the entire plant.  So even if only one unit in a plant has been designated RMR, all of the other units will have to be treated as Medium impact themselves.  This obviously will greatly increase the cost of compliance at plants that contain one or more RMR units.

Here is a summary of what I have just argued:

1. I’m all for classifying “far-end” relays as Medium or Low BCS according to the substation they’re located at, even if they are associated with a Medium substation.
2. However, this is clearly not the way the requirement reads.  Therefore, an extraordinary act is required by NERC to make this happen.
3. NERC’s action should be justified as effectively a change in the wording of CIP-002-5 R1 (i.e. a pronouncement that auditors will allow entities to classify substation BCS solely according to the rating of the substation itself).  It should not be justified as a correct interpretation of the language of the requirement, since by trying to do that, NERC will look really silly (because it clearly isn’t a correct interpretation).  More importantly, saying this is the correct interpretation will nullify the use of the word “Facilities” in criteria 2.3 to 2.8 (as well as throw into question some of the other criteria, as described in footnote vi below), which will increase the compliance burden and cost for complying with substations and generating stations that are subject to those criteria.[vii]
4. Although I haven’t said this so far in this post, I think NERC should issue even more of these rulings (whether as “audit guidance” or some other vehicle of NERC’s choosing) to address the other problems in CIP-002-5 R1.[viii]

Note: The Interested Party referred to in this post has weighed in with a different interpretation of criterion 2.5, which I think does work.  See this post.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell..

---

[i] Of course, this begs the question of why a system that could be considered a BCS is in my bedroom in the first place.  If it had to be in my bedroom, then the bedroom would have to be a BES asset.  For example, if a system located in my bedroom were used as an operator’s workstation for a High impact control center, my bedroom would have to be declared a data center for that control center.

[ii] As I pointed out in my very long post on what’s wrong with CIP-002-5 R1, neither R1 nor Attachment 1 ever explicitly directs the entity to identify BCS in the first place; the ‘directive’ is implicit in the fact that you can’t classify BCS without first identifying them.  Since you’re not told how to identify BCS, you have to figure that out for yourself.  To do that, you use the definitions of BCA and BCS, and the guidance in CIP-002-5 regarding the BES Reliability Operating Services.  Of course, I think the fact that the requirement to identify BCS is never explicitly stated is a big defect of CIP-002-5 R1.

[iii] You may ask, since it’s not a Medium, will it be a Low BCS?  To find out, we go to part 1.3, which reads, “Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any.”  This means our question is really moot.  The BCS might or might not be a Low BCS, but it doesn’t matter.  All we have to do is identify “each asset” that contains a low BCS.  Since my bedroom isn’t one of the six asset types, it will never be on this list, and the question whether the BCS in my bedroom is Low or not is equivalent to the Medieval question of how many angels can dance on the head of a pin – quite interesting speculation, but nothing that either could or needs to be definitively answered.

[iv] Including the “Questions of Scope” section of the long post already referenced.

[v] Assuming the Low and Medium BCS aren’t networked together, in which case the Low BCS will be Medium Protected Cyber Assets.

[vi] It will also raise questions about some of the other Medium criteria as well.  For example, criterion 2.9 applies to “Each Special Protection System (SPS), Remedial Action Scheme (RAS), or automated switching System..”  Of these, only SPS is on the list of six asset types.  Does this mean RAS and automated switching Systems are actually not in scope for this criterion, but were just put there by the SDT for fun?

[vii] It will also affect High impact control centers.  They will have to classify every BCS within their four walls as High impact, even if it isn’t used by the control center at all.

[viii] However, as I hinted in my long post on CIP-002-5 R1’s problems, NERC won’t be able to fix the problems through simply a couple targeted wording changes.  The entire R1 and Attachment 1 need to be effectively “rewritten” so that the problems are addressed comprehensively.  Since the time has passed when this could be done through the regular SAR process (i.e., it is now too late to change the actual wording of the requirement), it needs to be accomplished through some sort of back-door means like calling it “audit guidance”.  If this isn’t done and a bunch of piecemeal “changes” are made, this will only add to the confusion.  I’m hoping to post in the near future what I think should be the wording of this “rewritten” requirement. Try to contain your excitement.