Monday, July 28, 2014

Corrections to Yesterday's Post

Correction No. 1: In my post on the question of the "top-down" vs. "bottom-up" approaches to BES Cyber System identification, I stated "I actually know of only two auditor presentations that have squarely addressed the BCS identification issue.  Kevin Perry of SPP, in his webinar on CIP v5 last February, only talked about the top-down approach.  On the other hand, Joe Baugh of WECC, in his presentation linked above (starting on slide 40), only discusses what I call the bottom-up approach, and never even mentions the BROS."

Kevin informed me by email this morning that I didn't read his webinar narrative closely enough, since he does state in there that he is open to the entity's using either approach; in fact, he suggests they use both, as I also suggest.

I further went on to say "Does this mean that SPP entities should use top-down, WECC entities should use bottom-up, and all other entities are simply SOL?  At the moment, I’d say yes..." Obviously, I was wrong to suggest SPP entities need to use top-down.  But I was also wrong to suggest WECC entities need to use bottom-up.  Just because Joe Baugh didn't mention top-down in the presentation I referenced, this doesn't mean WECC won't allow either approach - or a blended one like the one SPP and I suggested.

However, my statement about other entities being SOL stands, and should be generalized. All NERC entities are SOL until there is some sort of comprehensive interpretation of CIP-002-5 R1 published; and I really think NERC should do it, not the individual regions.

Correction No. 2: This isn't a correction per se, but an enhancement suggested by the generation CIP compliance person that I mentioned in the first post.  He says:

The fix to SPP's concern about missing systems such as environmental is to apply criteria for misuse, misoperation, or failure to operate from the BCA definition to evaluation/classification of the BES Asset's systems.

So if the system's misuse, misoperation, or failure to operate adversely affects performance of a BROS within the 15 minute window and it has cyber assets, it is a BCS.

This should be written into the required Process and applied before identifying and classifying cyber assets.

The upshot of this is that, once an entity has done the top-down approach and come up with a list of BES Cyber Systems, it should then consider all of the other systems at the facility - i.e., the remainder of systems that weren't considered so far because they don't fulfill a reliability purpose. The entity should consider whether misuse, etc., of each of these systems can affect a BROS within 15 minutes. If so, the system should also be considered a BCS.  This provides a rule that would capture the environmental system discussed in the original post, which wouldn't be identified by the top-down approach since it doesn't fulfill a BROS.  If someone were to fool the environmental system into thinking there had been an environmental excursion, the plant would shut down in ten minutes in this hypothetical scenario.

I should also point out that this works both ways.  I recommend that, once an entity has developed its list of BCS using the top-down approach, it should consider whether each BCS so identified can have a 15-minute impact on reliability if misused, etc. (as required by the definition of BES Cyber Asset).  If the answer to that question is no, then it shouldn't be listed as a BES Cyber System.  The top-down analysis by itself won't catch this, since it doesn't build up from BES Cyber Assets as the bottom-up approach does.

Of course, if you actually use both the top-down and bottom-up approaches, then you don't have to add the two qualifications just discussed; they are both part of the bottom-up approach.  In most cases, I don't think it's a huge burden to use both approaches.  The big exception is large generating stations, where there are often literally thousands of cyber assets, and where - as I discussed in the first post - there can be many Low impact BCS, which shouldn't have to be inventoried.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.
