Tuesday, August 26, 2014

“Facilities, Systems and Equipment” – the Sequel

One of the things that gives me the most pleasure about writing this blog is seeing that people are constantly going back and reading previous posts.  This is certainly how I would like to see it work, since I have addressed different topics at different times.  It would be nice to have everything rolled up into a single book (I imagine I’ve written a book or two in length by now), but given all the uncertainty with CIP v5, I don’t think that’s possible yet.  Maybe a year from now.

Usually, the old posts that people are reading are those I’ve referred to in recent posts.  However, that is not the case with the post “Facilities, Systems and Equipment” that I wrote Aug. 28 of 2013.  I don’t believe I’ve ever made a reference back to that post, yet recently it’s had a few dozen hits.  This may have something to do with the fact that I’ve been talking a lot about the use (or misuse) of the word “Facilities” in criteria 2.3 – 2.8 of Attachment 1, even though that issue has little to do with the issue I addressed in the 2013 post.

I’ll let you read the 2013 post on your own, but to summarize it briefly, it expresses complete mystery as to why the words “Facilities, systems and equipment” are used in Section 4.2 of CIP-002-5 (actually, that same section appears in every other CIP v5 standard as well).  Working out from the idea that it was simply a mistake on the part of the SDT (“What were they thinking…?”), it then draws a couple conclusions which should be important to NERC entities.  In this post I want to update those conclusions, because my thinking – and the overall situation – has changed since that time. 

First, I want to say I remain as mystified as I was a year ago as to why those words are in Section 4.2; I’ll let you read why I feel that way in the old post.  But I do need to disagree with two of the conclusions I drew in the post.

The first conclusion I drew was that having this wording in there was going to lead to the auditors requiring entities to show that, before even starting to comply with Requirement 1, they had made a list of every Facility, system or piece of equipment they owned.  Listing Facilities wouldn’t be impossible, but every system?  And every single monkey wrench?  This would be a classic case of paperwork solely for the sake of regulatory compliance.  In that post, I recommended that FERC change this wording (as well as the wording of the rest of R1), to prevent this from happening.

Well, FERC didn’t change any of the wording (or order it changed) when they wrote Order 791.  But to be honest, I no longer see this as being an issue.  It has certainly never come up in any discussion I’ve had.  I think everyone – entities and auditors – agrees this is hardly a battle worth fighting, so I don’t think it’s at all likely it ever will come up.  Section 4.2 simply doesn’t affect how the entity complies with CIP-002-5.1 R1 (where there certainly are a lot of other battles worth fighting!).  I think it will just be neglected by all concerned, and that’s fine with me.[i]

Note (Aug. 27): I spoke too soon when I said above that this is something that won’t affect how an entity complies with CIP-002-5.1 R1.  Just today I corresponded with an entity that pointed out something to me that I had mentioned in a couple posts (including this one under the section “Questions of Scope”) but had put out of my mind for a while: There is no way a control center could be considered a Facility, according to the NERC definition of Facility (and the related definition of Element).  So the fact that 4.2.2 says that all “BES Facilities” are what’s in scope for CIP v5 clearly implies – if you’re one of those sticky people that insists that words have clear meanings – that no control centers are in scope for CIP v5!  A small omission, don’t you think?

Of course, I advised the entity not to act on this consideration, since I’m sure they won’t be able to make it stick with NERC (plus there is an obvious contradiction with R1 and Attachment 1, which refer repeatedly to control centers as being in scope).  But it just goes to show that CIP-002-5.1 is a sloppily-written standard.

The second conclusion I drew is more important, though.  I said that “Facilities, systems and equipment” should be replaced by the six asset types listed in R1 (control centers, transmission substations, etc).  I said this because I thought the real “scope” of R1 was those six asset types.  In other words, I believed that the criteria in Attachment 1 all refer to one of those six asset types, and if an asset isn’t on that list, you don’t have to ever consider it as you go through the criteria.  I recommended that FERC make that substitution in the language of 4.2, but I also suggested that entities interpret “Facilities, systems and equipment” to mean the six asset types.

This was my belief last August, and it remains today the belief of some (perhaps many) in NERC and the regions, as well as many entities.  But in January or February of this year, an Interested Party pointed out to me that this was simply not the case; the six asset types listed in R1 are the locations where BES Cyber Assets and BES Cyber Systems can be found, and the criteria in Attachment 1 don’t necessarily refer just to these types of assets (although they can in some cases).  I have discussed this in a number of posts, including this one.

The third and last point I made (I won’t call it a “conclusion”) was that the SDT’s use of the word “Facilities” in criteria 2.3 – 2.8 was simply a mistake.[ii]  However, that is not the case, as was also revealed to me early this year.  The use of Facilities was deliberate and also correct, IMHO.  My last post discusses this in more detail.

The fact is, the use of “Facilities” in Attachment 1 is totally unrelated to its use in Section 4.2.  The entity (and auditor) can safely ignore its use in 4.2, yet still take full advantage of its use in Attachment 1.  But as far as I can see, people are ignoring 4.2 but are not yet taking full advantage of the term in Attachment 1.

Now that I’ve heartily disagreed with my 2013 self, how would I rewrite “Facilities, systems and equipment” in 4.2 so that it was meaningful and helpful, rather than irrelevant at best?  My answer to this is simple: replace the words “Facilities, systems and equipment” in Section 4.2 with “assets”.  In other words, all assets (with a lower case a, since it isn’t a defined term) can potentially be the subject of the Attachment 1 criteria. 

You may ask, “Why don’t you say ‘assets or Facilities’?”  The answer is I believe every Facility is an asset, although the converse isn’t true. 

You may next ask why I leave out “systems and equipment”.   That is because I don’t think those words should be in Section 4.2, which is really there to let the entity know what “big iron” will be in scope for v5, not “little iron”.   And if you look at the title of the section – “Facilities” – as well as Section 4.2.2, which says that “all BES Facilities” are in scope, that just reinforces my opinion.[iii]

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.

[i] Of course, the very fact that I’m touting the fact that the miswording of 4.2 has no real consequence – and saying that is a good thing – is kind of sad when you think about it.  What should be the case is that a requirement be well-worded and meaningful, even if it might be misguided.  Simply saying that it can safely be ignored – since there are plenty of other places in CIP v5 where the wording is either confusing or contradictory, and thus cannot be ignored – is faint praise indeed.

[ii] Actually, as I said in a paragraph labeled “4” close to the end of the post, I thought the SDT had done this because they were concerned about separating out transmission from distribution “Facilities” in substations – since only the former are subject to the criteria. 

[iii] Of course, the title of 4.2 shouldn’t be “Facilities” but “assets”.  And 4.2.2 should read “All BES assets”.  But as I’ve already said, it doesn’t particularly matter what this section says.  

Sunday, August 17, 2014

Remember to Use the Facilities

Kevin Perry, the Chief CIP Auditor of SPP, emailed me regarding the penultimate paragraph in my most recent post, where I opined that the biggest current problem regarding interpretation of CIP-002-5.1 is how the word “Facilities” will be interpreted in criteria 2.3 – 2.8 of Attachment 1.   Before I get into what he said, I want to discuss this issue in more detail than I did in that single paragraph.

Here is the problem, in longhand:

  1. The popular belief seems to be that the “bright-line” criteria in Attachment 1 refer to assets[i].  More specifically, the belief goes that the word “Facilities” in criterion 2.3 refers to the generating station, and the same word in 2.4 – 2.8 refers to the substation.[ii] 
  2. I myself used to hold the same belief, and it was only early this year that a couple CIP compliance people from transmission entities removed the scales from my eyes and showed me that, in criteria 2.4 – 2.8, “Facilities” refers to the individual lines, transformers, etc. at the substation.
  3. The implication of this is that, in a substation, BES Cyber Systems take their classification from the Facility, not the substation itself.  For example, let’s look at criterion 2.4, which starts with the words “Transmission Facilities operated at 500 kV or higher.”  A BCS associated with a 500 kV line at a criterion 2.4 substation will be Medium impact.  But a BCS associated with a 245 kV line at the same substation will be Low impact.  If you subscribe to the popular belief that all the criteria refer to assets, then you would have to classify the latter BCS as Medium.
  4. A similar argument holds for generating stations subject to criterion 2.3.  This starts out with the words “Each generation Facility…”, followed by a discussion of a designation often called “Reliability Must Run”.  I am told that sometimes a single unit in a plant, but not the whole plant, will be designated RMR.  If that is the case, and if the owner of the plant subscribes to the belief that all the criteria refer to assets, then the entire plant will need to be declared Medium impact, and all the BCS in it will be Medium (of course, the special rule about Medium BCS needing to affect the whole plant in criterion 2.1 doesn’t apply here).  On the other hand, if the entity that owns the plant is enlightened and reads my blog (the two terms are synonymous), they will realize that each unit in the plant is a Facility – and since only one of those Facilities has been designated RMR, that is the only unit that will have Medium BCS.  All of the BCS in the other units will be Low impact.  I’m sure generation people who read this will agree with me that the impact of this difference could literally be millions of dollars in compliance costs for a single plant.
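To make the difference between the two readings concrete, here is a small classification model added to this post; it is not the author’s code and not anything NERC or SPP publishes.  It takes criterion 2.4 as paraphrased above (“Transmission Facilities operated at 500 kV or higher”) and criterion 2.3 as the per-unit RMR designation, and it also models the caveat from footnote [iii], where a Low BCS sharing a network with Medium BCS ends up a Medium Protected Cyber Asset.  The substation, plant, Facility and BCS names, the voltages and the network labels are all constructed sample data; `Facility`, `BCS`, `Asset`, `classify_asset_only` and `classify_by_facility` are names chosen for this illustration.

```python
"""Constructed model of the 'asset-only' versus 'Facility' readings of
CIP-002-5.1 Attachment 1 criteria 2.3 and 2.4, as paraphrased in the post.
Illustration only: the rules below are the post's summary, not the standard text."""
from dataclasses import dataclass

LOW, MEDIUM = "Low", "Medium"


@dataclass
class Facility:
    name: str
    kind: str            # constructed vocabulary: "line" or "unit"
    kv: float = 0.0      # operating voltage of a transmission Facility
    rmr: bool = False    # Reliability Must Run designation of a generating unit


@dataclass
class BCS:
    name: str
    facility: str        # Facility the BES Cyber System is associated with
    network: str         # network segment it sits on (for the footnote [iii] caveat)


@dataclass
class Asset:
    name: str
    facilities: list
    systems: list


def facility_impact(f: Facility) -> str:
    """Impact of a single Facility under the post's paraphrase of the criteria."""
    if f.kind == "line":                      # criterion 2.4: 500 kV or higher
        return MEDIUM if f.kv >= 500 else LOW
    if f.kind == "unit":                      # criterion 2.3: RMR-designated unit
        return MEDIUM if f.rmr else LOW
    return LOW


def classify_asset_only(asset: Asset) -> dict:
    """'Asset-only' reading: if any Facility at the asset meets a Medium
    criterion, every BCS located at that asset is Medium."""
    asset_impact = MEDIUM if any(facility_impact(f) == MEDIUM for f in asset.facilities) else LOW
    return {b.name: asset_impact for b in asset.systems}


def classify_by_facility(asset: Asset, apply_pca_rule: bool = True) -> dict:
    """'Facility' reading: each BCS takes the impact of its own Facility.
    With apply_pca_rule, a Low BCS on the same network as a Medium BCS is
    reported as 'Medium (PCA)', the situation footnote [iii] describes."""
    by_name = {f.name: f for f in asset.facilities}
    result = {b.name: facility_impact(by_name[b.facility]) for b in asset.systems}
    if apply_pca_rule:
        medium_nets = {b.network for b in asset.systems if result[b.name] == MEDIUM}
        for b in asset.systems:
            if result[b.name] == LOW and b.network in medium_nets:
                result[b.name] = "Medium (PCA)"
    return result


def sample_substation(shared_network: bool) -> Asset:
    """Constructed criterion 2.4 substation: one 500 kV line, one 245 kV line."""
    net_245 = "net-A" if shared_network else "net-B"
    return Asset(
        name="Example Substation (constructed)",
        facilities=[Facility("line-500", "line", kv=500), Facility("line-245", "line", kv=245)],
        systems=[BCS("relay_500", "line-500", "net-A"), BCS("relay_245", "line-245", net_245)],
    )


def sample_plant() -> Asset:
    """Constructed three-unit plant where only unit 2 carries an RMR designation."""
    units = [Facility(f"unit{i}", "unit", rmr=(i == 2)) for i in (1, 2, 3)]
    systems = [BCS(f"dcs_unit{i}", f"unit{i}", f"net-unit{i}") for i in (1, 2, 3)]
    return Asset(name="Example Plant (constructed)", facilities=units, systems=systems)


if __name__ == "__main__":
    for asset in (sample_substation(shared_network=False), sample_substation(shared_network=True), sample_plant()):
        print(asset.name)
        print("  asset-only :", classify_asset_only(asset))
        print("  by Facility:", classify_by_facility(asset))
```

Run stand-alone, the script shows the substation's 245 kV relay as Medium under the asset-only reading, Low under the Facility reading when the two relays are on separate networks, and "Medium (PCA)" when they share a network; for the plant, only the RMR unit's BCS is Medium under the Facility reading.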

In my last post, I said “From what I’ve heard from the regions and from the draft CIP-002-5 RSAW, it seems this word is going to simply be interpreted as meaning ‘asset’.”  This is what prompted Kevin Perry’s email to me, since he pointed out that, in his webinar last February, he had addressed this issue correctly.  I went back through his Narrative document and read some of the slides more closely (especially slides 44-48).  I agreed that he was using this interpretation, so I stand corrected in my implication that all of the NERC regions are using the “asset-only” interpretation.  At least SPP is not.

However, Kevin does go on to point out that the interpretation in question – the interpretation that says that criteria 2.3 – 2.8 don’t refer to assets but to Facilities – is “absolutely” correct, and he doesn’t think any entity will be issued a PV if they take that interpretation. 

I agree with Kevin that there probably won’t be PV’s given to entities that use the correct interpretation.  But I also don’t think that solves the problem.  The issue is that so few entities know they are allowed to classify BES Cyber Systems by the Facility they’re associated with (in criteria 2.3 – 2.8), not just the asset; therefore, they won’t even attempt to do this.  I think they should at least be educated that this is an option, even though they may decide that they still want to follow the “assets only” interpretation.[iii]

Kevin also said he believes most of the auditors understand this issue.  I simply don’t think that’s the case.  The only other auditor that I know of who has publicly presented his position is Joe Baugh of WECC, in the CIP-002 presentation found at this link.  I’ve gone through it carefully (and heard him give an earlier version in February), and I’m sure there is no mention of anything other than an asset being the subject of one of the Attachment 1 criteria.  And I’m just picking on Joe because he and Kevin are the only two auditors I know of who have presented their interpretations of CIP-002-5.1 R1 and Attachment 1.  My guess is most auditors – outside of SPP – believe that “Facilities” in criteria 2.3 – 2.8 refers to the asset itself.

Kevin does tell me that there will be training for all the regional auditors soon, which will include the excellent BES Cyber System identification exercise that SPP ran in February and again in June[iv].  If so, this will hopefully solve the problem of auditors not understanding this issue; but it won’t solve the problem of end users not knowing the “Facilities” interpretation is a valid one.  All of this comes down to what was the real subject of my last post: the need for NERC to stand up and state their interpretation of the various gray areas in CIP Version 5.  This is one of the grayer ones.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.

[i] Since this isn’t a defined term, a lot of people believe that it is “defined” by the list of six asset types in CIP-002-5.1 R1: control centers, substations, etc.  That was my belief until Kevin Perry straightened me out about that early this year.  He pointed out that the list of six assets is simply the locations where BES Cyber Systems can be found – they aren’t the subjects of the criteria themselves.

[ii] At this point I need to note a dispute I have with Kevin Perry, the CSO706 SDT members, and a lot of people at NERC.  They say the criteria in Attachment 1 are criteria for BES Cyber Systems, not for assets/Facilities/whatever.  They are certainly correct in saying this, as far as the wording of Attachment 1 is concerned.  In fact, the SDT conducted a webinar and put out a “concept paper” in 2009 that laid out their intention to move CIP in exactly this direction (at the time, they were thinking CIP v3 would be where this idea came to fruition; of course, it was only in v5 that it finally did).

My contention is that it don’t mean s___ (OK, it doesn’t mean a hill of beans) that the strict wording says this.  I haven’t talked to a single NERC entity (and I’ve talked to quite a few) that is really using this approach – that is, starting with their list of BES Cyber Systems (across their entire system) and then classifying them by running them through Attachment 1.  Every entity I’ve talked to about this is interpreting the criteria as applying to “big iron” – the assets or Facilities – not the “little iron”, which is the BES Cyber Systems themselves.  They are all classifying their big iron High/Medium/Low and then classifying the BES Cyber Systems according to the assets/Facilities they are located at or associated with.

And I think the entities are perfectly justified in using this interpretation, since literally all of the criteria refer to big iron, not little.  If they really were criteria for classifying BCS, they would read something like “BCS whose loss or misuse could directly lead to loss of 3000 MW of load are High impact” or “BCS whose loss or misuse could potentially result in the loss of 1500 MW of generation are Medium impact.”  Instead, all of the criteria in Sections 1 and 2 of Attachment 1 refer to big iron; it is only because of the prefaces to each of those sections (like “Each BES Cyber System used by and located at any of the following” for Section 1) that these asset/Facility criteria are supposedly turned into criteria for BCS. 

I contend that just sticking a preface on the criteria hasn’t magically changed their nature, as the SDT seems to have hoped; they are still criteria for big iron.  And here’s the proof: The CIP v5 criteria are very similar to the CIP v4 ones (some are virtually identical).  But there is no question at all that the v4 criteria were for assets – they were criteria for identifying Critical Assets.  The idea that sticking a 13-word preface in front of the same criteria would instantly change how everybody thinks about them is nonsense.  They are and always will be criteria for big iron, and that is beyond a doubt how almost everybody is viewing them.  And if you look at Kevin’s webinar narrative – in the link shown above – you’ll see various statements where he uses language that implies even he is operating as if the criteria refer to big iron.  For example, “..only the Belcher plant aligns with the Medium Impact Rating Criteria..” (slide 40) and “..the possibility of having High impacting control centers..” (slide 31).

However, this issue is not part of my argument in this post, which is why I put it in a footnote.  The question whether criteria 2.3 – 2.8 refer to assets (generating plants in 2.3, substations in 2.4 – 2.8) or Facilities is a separate issue, except that some purists will say “These criteria don’t refer to either assets or Facilities.  They refer to BES Cyber Systems”.  If you hear someone say this, I suggest you give them a rousing Bronx cheer and return to classifying your little iron according to the classification of the big iron it supports.

[iii] I recently talked with a compliance person at a large entity that told me they were aware of the correct interpretation, but decided to stick with the “asset-only” approach.  That is, for their substations subject to criteria 2.4 – 2.8, they will still classify all BCS according to the substation’s classification, not that of the line or transformer.  The main reason they did this – besides the regulatory uncertainty – was that in some substations they would have to spend time and money segregating the Medium and Low BCS on different networks (since if they are all on the same network, the Low BCS will end up being Medium Protected Cyber Assets and therefore subject to most of the requirements that apply to Medium BCS).  Therefore, they decided it wasn’t worth the extra effort now to base their classifications on the Facility rather than the substation itself.  I can’t argue with this reasoning.

[iv] I attended the February exercise, and found it extremely helpful – much better than watching ten hours of PowerPoints on the same topic.  If you would like to see the materials from the exercise – which SPP agrees can be shared with all NERC entities – you can email me at talrich@hotmail.com.

Tuesday, August 12, 2014

Signs of Life at NERC!

Steve Noess of NERC sent out an email to the SDT Plus List this week that gave me some small encouragement (unfortunately, small is the right word) that NERC may realize they are the only ones that can clear up the many interpretation issues in CIP Version 5. 

The email started by describing a recent meeting of representatives of the six entities in the V5 Transition Study, along with a host of others from NERC and the regions.  It then continued to discuss two areas in CIP-002-5 R1 where clarification is sorely needed, and to provide some interpretation guidance on them.  Since the second clarification – having to do with criterion 2.1 – wasn’t really surprising and didn’t go beyond what I think everyone pretty well understood the criterion to mean, I will focus on the first clarification.

Ironically, the first clarification had already been provided by Tobias Whitney of NERC, as described in my post from June.  This is the issue of “far-end relays”, although I referred to it as the “transfer-trip relay” issue.  Steve’s opinion on this issue didn’t differ from Tobias’ opinion: they agree that a relay located at a Low impact substation, protecting a line from a Medium impact substation (through criterion 2.5), will be Low impact.

However, Steve’s reason differed from Tobias’ reason, or at least was more refined.  Tobias said something to the effect of “Physical location IS a determinant factor for impact classification.”  As I pointed out in the post, this isn’t clearly based on anything that’s written in the standard.  However, Steve used a line of reasoning that is very much like the reasoning an Interested Party had provided me, which I wrote about in a previous post on this topic.  This does, IMHO, justify the opinion based on the wording of the standard.

The upshot is that Steve Noess provided – in written form – something very much like an interpretation of wording in CIP Version 5.  If you haven’t been in the NERC world too long, you can be forgiven for not understanding why this is quite a big deal.  Interpretations of NERC standards are supposed to come through a formal process, in which an entity submits a Request for Interpretation, a NERC team develops the interpretation, it is balloted (sometimes multiple times) by the NERC ballot body, it is approved by the NERC Board, and finally it is approved – hopefully – by FERC. 

This is easily a 2-3 year process, which in the case of CIP-002-5 R1 issues doesn’t do a lot of good.  People need to know how to identify their BES Cyber Systems now, not a year or so after the compliance date.  This is why I have been saying for a while that somebody needs to step outside the normal “legal” process and provide some interpretations of the V5 wording issues (and I finally settled on NERC as the entity that has to do that, after at first hoping that the Regional Entities might take the initiative to do it on their own).

So I wish to say I’m very pleased that Steve Noess has taken it on himself to step outside the bounds of legality and address what has been a very important question for most transmission entities.  Steve, if you get thrown in jail for doing this, I’ll bake you a cake with a file in it (although it will be the first cake I’ve ever baked, so you may want to throw it away once you’ve retrieved the file).

But you’re not done yet, Steve.  In your email, you go on to say “There are several additional topics being prioritized for similar treatment and collaboration as the two mentioned above, including topics such as virtualization, Interactive Remote Access, EACMS, and others.”  This is great, but I certainly hope you don’t think that all the problems with interpretation of CIP-002-5 have been addressed.  There are still some very serious problems, and unfortunately they won’t be as “easy” (if you want to call it that) to deal with as the far-end relay question was.

Steve, that is because much of the wording of CIP-002-5 R1 and Attachment 1 is confusing and outright contradictory.  You aren’t for the most part going to be able to come up with a direct interpretation of the existing wording that will solve these problems – unless you plan to rewrite CIP-002-5 (which you don’t, of course).  You (or someone of your stature at NERC) will need to simply say, “This is the way NERC entities need to read CIP-002-5 R1….Someone else may read the words differently and come up with a different interpretation.  But I’m speaking for NERC, and this is the way you need to interpret this.”

Steve, I realize this is a pretty harsh thing to have to say, so I’ll give you an out.  I suggest you enlist the help of a third party to make your case.  For instance, many people throughout history – usually called “prophets” – have enlisted God’s support for their statements, and have said they were just revealing what He had told them in a dream, or inscribed on some stone tablets that they’d just found.  You might try that approach.

However, this is a secular age, and that might not work as well now as it did – say – 2500 years ago.  Fortunately, I think you have already hit on an alternative.  In your email, immediately after you provided your well-reasoned opinion why the wording of criterion 2.5 supported your interpretation, you stated “This also conforms to the intent of the Standard Drafting Team..” 

Of course, that’s it!  All you have to do is say you’re simply relaying the intent of the SDT!  And who’s to question you on that, since you worked very closely with the Version 5 SDT for its last – and most crucial – two years of existence (OK, maybe it was just a year and a half.  In any case, you did more than anyone else to drive V5 through to completion in 2012)? 

As I pointed out in this post (the four paragraphs starting with the number 9), it is a fool’s errand to try to objectively determine the SDT’s intentions at this point.  And there’s no way an entity could use the SDT’s “intentions” to support their case if they appealed a violation to FERC or the courts.  But that shouldn’t stop you from stating that your opinions are based on those intentions, Steve – since the alternative is having to dummy up some stone tablets at home and say they just dropped from the sky.

I’m really not kidding about this, either.  There are serious wording problems in CIP-002-5 (and probably in other V5 standards) that aren’t going to be solved by careful reading, like the relay problem was.  I’ve written about these problems in over 25 posts, starting with this post in April, 2013 (I just noticed that post has had over 1300 page views).

And if you’re not sure where to start, here’s what I currently see as the biggest problem in CIP-002-5: It’s the use of the word “Facilities” in criteria 2.3 – 2.8 of Attachment 1.  From what I’ve heard from the regions and from the draft CIP-002-5 RSAW, it seems this word is going to simply be interpreted as meaning “asset” – i.e. these criteria are no different from the others, which all do address assets of some type.  As I discussed in this post (footnote iv), entities will have to identify many more BES Cyber Systems than I believe they should have to identify, if this interpretation isn’t changed.  I realize there is some other wording in CIP-002-5 that supports NERC’s current interpretation, Steve – so you’ll just have to go beyond the words (and if you want to point to a higher authority, I suggest you refer to the quote from Lewis Carroll in footnote v of the post I just referenced). 

That’s why you’ll have to make the transition from lawyer to prophet, Steve.  Hundreds of NERC entities are counting on you.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.