This is the fourth in a series of posts
discussing issues that came up in conversations at WECC’s CUG/CIPUG in Salt
Lake City recently. Parts II
and III
dealt with issues I considered fairly simple and noncontroversial. I also considered Part
I to be noncontroversial, but I was wrong.
It turns out that the issue addressed in that post is the subject of a
huge fissure in the NERC community on how CIP-002-5 R1 is interpreted. As I’ve said in a number of other posts,
addressing this fissure will require intervention by some Higher Power like
NERC – and the sooner the better. I
won’t describe Part I now; you can read it yourself. Don’t worry, I’ll wait for you to return
before I continue.
Now that you’re back, we’ll continue. I have heard in the last two days from
several sources – including an announcement at the WECC meeting – that there seems
to be consensus among NERC and the regions that the “far-end” relay associated
with a Medium substation won’t automatically be a Medium BCS itself, but will
be rated according to the overall rating of the substation where it is located. I’m perfectly fine with this, since virtually
every transmission entity I’ve talked with says that to do otherwise would
place a huge burden on them.
Does this mean we can all congratulate
ourselves that at least one issue in CIP-002-5 R1 has been settled? I don’t think so. The question is: On what grounds is this
ruling being made? Is it based on an
interpretation of the requirement, or is it simply an out-of-the-blue “Thou
Shalt” ruling that overrides any wording in the requirement?
To be quite honest, I sincerely hope it’s the
latter, but I fear it’s the former. In
other words, I would much prefer that this ruling be handed down on stone
tablets from above, rather than be justified as an interpretation of the
wording of CIP-002-5 R1. As I said in my
Part I post, I actually think this question is one of the few where the current
wording of the requirement (and Attachment 1) is quite clear: Any BES Cyber
System “associated with” an asset or Facility that meets one of the Medium
criteria is itself a Medium. And the
relay in question is clearly associated with the Medium substation.
However, I fear this will not happen, and
that NERC will try to justify this ruling as a valid interpretation of the
requirement. Moreover, I think I know
how that interpretation will be rationalized, since at least three people have
given me the same reasoning, including a regional auditor in a private conversation. I believe this reasoning – which I’ll outline
below – is simply wrong, period. Even
that in itself wouldn’t be a big problem (I don’t really mind bad reasoning as
long as the end result is good), but I think this bad reasoning will lead to serious
unintended consequences that NERC entities – especially transmission entities –
won’t like. The rest of this post will
elucidate what I mean by these two mysterious sentences.
Here is the basic reasoning for the interpretation,
that was outlined for me by the auditor and another person; I know it well,
because I was using the same reasoning more than a year ago, for example in this
post. CIP-002-5 R1 starts with:
Each Responsible Entity shall
implement a process that considers each of the following assets for purposes of
parts 1.1 through 1.3:
This is followed by the list of six asset
types, which is itself followed by requirement parts 1.1 to 1.3 (and I’ll just
reproduce R1.1 and R1.2, since they’re the only two that classify BES Cyber
Systems):
1.1. Identify each of the high
impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each
asset;
1.2. Identify each of the medium
impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each
asset;
The reasoning provided to me by the auditor essentially said, “Look at R1.2.
It says ‘at’ each asset, not ‘associated with’. Therefore, the remote relays aren’t BCS
because they aren’t at the Medium
substation. Q.E.D.” As I said, a year ago (actually as late as
six months ago) I also thought this was the meaning of R1.2. I considered this to be a contradiction with
the “associated with” language for Medium BCS in Section 2 of Attachment 1; I
attributed this contradiction to sloppiness on the part of the SDT.
However, earlier this year an Interested
Party pointed out to me that this really wasn’t a contradiction. That is because R1.2 and Section 2 of
Attachment 1 are doing two different things.
R1.2 is telling you the universe
of locations in which BES Cyber Systems can be found – that is, they can be
found only in the six types of assets shown.
I might decide I have a BCS in my bedroom, but since my bedroom isn’t one
of the six asset types, the system in question won’t be classified High or
Medium impact.[i] But R1.2 is not in itself saying how you classify BCS as Medium impact; that is
done in Section 2 of Attachment 1.
Section 2 of Attachment 1 tells you how to determine
whether a BCS, that has already been identified as a BCS through R1[ii],
is Medium impact. Specifically, any BCS
that resides at one of those six assets (per R1.2) and is associated with a Medium asset/Facility (per Section 2 of
Attachment 1) is a Medium BCS. The hypothetical
far-end relay we’ve been discussing resides in a transmission substation (in
fact, it resides in a Low substation, but that doesn’t make a difference here) –
one of the six asset types. Furthermore,
it’s associated with a Medium substation (by hypothesis). Therefore it’s a Medium BCS.
When the Interested Party explained this
logic to me, I thought it was kind of a strained interpretation. However, I now think it makes sense. And if this isn’t the correct interpretation
of R1.2 and the WECC auditor’s interpretation is correct, what does that
imply? It implies that R1.1 and R1.2 are
really telling you how to classify BCS,
not where they can be found.
Furthermore, it implies that the initial language in Sections 1 and 2 of
Attachment 1 is just a product of somebody’s opium dream and should be
ignored. Here are some of the reasons
why I think the auditor is wrong and my (and the IP’s) interpretation is right:
- The wording of R1.1
and R1.2 seems to directly justify the Interested Party’s
interpretation. Let’s parse R1.2,
which reads “Identify each of the medium impact BES Cyber Systems
according to Attachment 1, Section 2, if any, at each asset”. This says two things:
- We’re
going to go to Attachment 1, Section 2 to identify Medium BCS. Of course, Section 2 says “associated
with”. So the admonition to go to
Section 2 really says to identify Medium BCS by finding BCS that are associated with Medium
assets/Facilities.
- The words “at each asset” at the end don’t have anything to do with classifying the BCS. Rather, they limit where we are going to have to look for those Medium BCS – we’re only going to look for them at one of the six asset types shown just before this part. Again, let’s consider a BCS associated with a Medium asset/Facility; the BCS happens to be in my bedroom. Were it not for the “at each asset” wording, this BCS would be a Medium. As it is, it definitely won’t be a Medium because it’s not at one of the six asset types.[iii]
- On the other hand,
if the auditor’s interpretation is correct, the six asset types listed in
R1 must be what gets evaluated as High, Medium and Low impact in
Attachment 1; indeed, this is the way the R1 methodologies presented by
auditors from WECC and SPP have read (and it is also the way I once thought
R1 worked as well – for instance, see this
post). But look at the subjects of
the different criteria in Sections 1 and 2 of Attachment 1; they don’t
have much relation at all to the six asset types. For example, many list a term not seen
before, such as “Commissioned generation”, “BES reactive resource”,
“system or group of Elements that performs automatic Load shedding”, etc. None of these can be easily mapped – or
mapped at all – to one of the six asset types (if you weren’t one of the
three people who got through my recent, seemingly interminable post
on what’s wrong with CIP-002-5 R1, you may want to go back and try to plow
through that again, since it discusses this point in a lot more detail).
- The subject of
criteria 2.3 – 2.8 is the word “Facilities”. This is especially problematic for the
idea that just the six asset types are being classified in Attachment
1. Facility is a NERC defined term,
and it seems to exclude almost all of the six asset types (it definitely
excludes the first three types – control centers, transmission
substations, and generating facilities.
Again, the post linked above gives a lot more detail on this). So if the auditor’s interpretation is
correct, entities will have to pretend that “Facilities” doesn’t appear
anywhere in the Attachment 1 criteria.
- If the wording of
R1.1 – R1.3 overrides that of Sections 1, 2, and 3 in Attachment 1 (in the
current case, if the “at” in 1.2 overrides the “associated with” in
Section 2), what is the latter wording there for, anyway? To use R1.1 as an example, why did the
SDT go to such lengths to craft the wording in Section 1, saying that only
BCS “used by and located at” High control centers could be High BCS – if all
that’s important is the “at” in R1.1?
The “used by and located at” wording is deliberately meant to
exclude both a) devices that might be located at a control center but have
nothing to do with it operationally, and b) devices like RTUs in
substations that are used by the control center but aren’t located at
it. If what I’m calling the “auditor’s”
interpretation is adopted by NERC, the “used by” qualification will go
away, and any BCS that happens
to be located within the four walls of a control center will be a High
impact, even if it has nothing to do with the control center itself.
I hope it’s clear that I think my and the
Interested Party’s interpretation is much better supported by the wording of
the requirement (and Attachment 1) than the auditor’s interpretation. However, as I’ve said multiple times before,
what’s needed for CIP-002-5 R1 is a consistent interpretation of the entire
requirement, not just of one part. And as
I’ve also said repeatedly, there can be no consistent interpretation that
doesn’t ride roughshod over some of
the wording, since there are serious contradictions in that wording. So you may well ask, “Why is it important whether
your interpretation of R1.2 is better than the auditor’s? Is this just one case where some of the
actual wording needs to be sacrificed for the greater good of coming up with an
interpretation that doesn’t bankrupt the TO/TOP community, due to having to
classify far-end relays as Medium BCS?”
As I said at the beginning, I will feel a lot
better about this upcoming ruling from NERC if it doesn’t try to justify itself as being a valid interpretation of
the wording, but instead is simply imposed as an act of Divine fiat. I say this
because I don’t think it is a valid interpretation. More seriously, as I hinted above, there are
direct consequences of this interpretation that may make some transmission
entities pause in their wholesale support of it.
To see what I mean, let’s go back to criteria
2.4 to 2.8, which apply to substations; all of these start with the words
“Transmission Facilities”. As I’ve
pointed out previously[iv],
that definitely does not refer to the substation itself, but to the BES elements
– lines, transformers, etc. – that are found at a substation. And this is good for transmission entities,
since they only have to classify BCS as Medium if they are associated with a
Medium Facility (usually meaning a line).
If a substation has both Medium and Low lines, the BCS associated with
the Low lines will be Lows, not Mediums; this is the case even if the
substation itself is Medium[v]
(see the above-referenced long post on CIP-002-5 problems for more about this).
However, this “slicing and dicing” of
substation BCS into Medium and Low impact has no meaning if NERC rules that the
correct interpretation is that the “at” in R1.2 somehow overrides the “associated
with” in Section 2 of Attachment 1. This
is because the “at” in 1.2 is followed by “each asset”. And since this refers to the six asset types,
NERC’s interpretation (if it actually is put forward as such) will have the
effect of nullifying the “Facilities” language in criteria 2.3 to 2.8
altogether. From now on, each of the
criteria in Attachment 1 will actually be interpreted to refer just to the six
asset types, nothing else. In other
words, only the substation as a whole will be considered, not the individual
lines in it – so if it’s a Medium substation, every BCS in it will be Medium,
regardless of whether the line it’s associated with is Medium or Low impact.[vi]
The possible NERC interpretation will also
impact generation, through criterion 2.3.
This is because 2.3 applies to “Each
generation Facility”. Here, “Facility”
refers to one or more individual units at a generating station that have been
designated what is sometimes called “Reliability Must Run”. If the Attachment 1 criteria are all ruled to
apply just to the six asset types (because the “at” in R1.1 and R1.2 is ruled
to apply to the classification of the BCS, not just to determining the “universe”
of locations where BCS might reside), then 2.3 will only apply at the level of
the entire plant. So even if only one unit in a plant has been designated RMR, all of the
other units will have to be treated as Medium impact themselves. This obviously will greatly increase the cost
of compliance at plants that contain one or more RMR units.
Here is a summary of what I have just argued:
- I’m all for
classifying “far-end” relays as Medium or Low BCS according to the
substation they’re located at, even if they are associated with a Medium
substation.
- However, this is
clearly not the way the requirement reads.
Therefore, an extraordinary act is required by NERC to make this
happen.
- NERC’s action
should be justified as effectively a change in the wording of CIP-002-5 R1
(i.e. a pronouncement that auditors will allow entities to classify
substation BCS solely according to the rating of the substation
itself). It should not be justified as a correct
interpretation of the language of the requirement, since by trying to do
that, NERC will look really silly (because it clearly isn’t a correct
interpretation). More importantly,
saying this is the correct interpretation will nullify the use of the word
“Facilities” in criteria 2.3 to 2.8 (as well as throw into question some
of the other criteria, as described in footnote vi below), which will
increase the compliance burden and cost for complying with substations and
generating stations that are subject to those criteria.[vii]
- Although I haven’t
said this so far in this post, I think NERC should issue even more of
these rulings (whether as “audit guidance” or some other vehicle of NERC’s
choosing) to address the other problems in CIP-002-5 R1.[viii]
Note: The Interested Party referred to in this post has weighed in with a different interpretation of criterion 2.5, which I think does work. See this post.
The views and opinions expressed here are my
own and don’t necessarily represent the views or opinions of Honeywell.
[i]
Of course, this begs the question of why a system that could be considered a
BCS is in my bedroom in the first place.
If it had to be in my bedroom, then the bedroom would have to be a BES
asset. For example, if a system located
in my bedroom were used as an operator’s workstation for a High impact control
center, my bedroom would have to be declared a data center for that control
center.
[ii]
As I pointed out in my very long
post on what’s wrong with CIP-002-5 R1, neither R1 nor Attachment 1 ever
explicitly directs the entity to identify BCS in the first place; the ‘directive’
is implicit in the fact that you can’t classify BCS without first identifying
them. Since you’re not told how to identify BCS, you have to figure
that out for yourself. To do that, you
use the definitions of BCA and BCS, and the guidance in CIP-002-5 regarding the
BES Reliability Operating Services. Of
course, I think the fact that the requirement to identify BCS is never
explicitly stated is a big defect of CIP-002-5 R1.
[iii]
You may ask, since it’s not a Medium, will it be a Low BCS? To find out, we go to part 1.3, which reads,
“Identify each asset that contains a low impact BES Cyber System according to
Attachment 1, Section 3, if any.” This
means our question is really moot. The
BCS might or might not be a Low BCS, but it doesn’t matter. All we have to do is identify “each asset”
that contains a low BCS. Since my
bedroom isn’t one of the six asset types, it will never be on this list, and
the question whether the BCS in my bedroom is Low or not is equivalent to the
Medieval question of how many angels can dance on the head of a pin – quite
interesting speculation, but nothing that either could or needs to be
definitively answered.
[v]
Assuming the Low and Medium BCS aren’t networked together; if they are, the
Low BCS will be Medium Protected Cyber Assets.
[vi]
It will also raise questions about some of the other Medium criteria as
well. For example, criterion 2.9 applies
to “Each Special Protection System (SPS), Remedial Action Scheme (RAS), or
automated switching System”. Of these,
only SPS is on the list of six asset types.
Does this mean RAS and automated switching Systems are actually not in
scope for this criterion, but were just put there by the SDT for fun?
[vii]
It will also affect High impact control centers. They will have to classify every BCS within
their four walls as High impact, even if it isn’t used by the control center at
all.
[viii]
However, as I hinted in my long post on CIP-002-5 R1’s problems, NERC won’t be
able to fix the problems through simply a couple targeted wording changes. The entire R1 and Attachment 1 need to be
effectively “rewritten” so that the problems are addressed comprehensively. Since the time has passed when this could be
done through the regular SAR process (i.e., it is now too late to change the
actual wording of the requirement), it needs to be accomplished through some
sort of back-door means like calling it “audit guidance”. If this isn’t done and a bunch of piecemeal “changes”
are made, this will only add to the confusion.
I’m hoping to post in the near future what I think should be the wording
of this “rewritten” requirement. Try to contain your excitement.