One of the things that gives me the most pleasure about writing this blog is seeing that people are constantly going back and reading previous posts. This is certainly how I would like to see it work, since I have addressed different topics at different times. It would be nice to have everything rolled up into a single book (I imagine I’ve written a book or two in length by now), but given all the uncertainty with CIP v5, I don’t think that’s possible yet. Maybe a year from now.
Usually, the old posts that people are reading are those I’ve referred to in recent posts. However, that is not the case with the post “Facilities, Systems and Equipment” that I wrote Aug. 28 of 2013. I don’t believe I’ve ever made a reference back to that post, yet recently it’s had a few dozen hits. This may have something to do with the fact that I’ve been talking a lot about the use (or misuse) of the word “Facilities” in criteria 2.3 – 2.8 of Attachment 1, even though that issue has little to do with the issue I addressed in the 2013 post.
I’ll let you read the 2013 post on your own, but to summarize it briefly, it expresses complete mystery as to why the words “Facilities, systems and equipment” are used in Section 4.2 of CIP-002-5 (actually, that same section appears in every other CIP v5 standard as well). Working out from the idea that it was simply a mistake on the part of the SDT (“What were they thinking…?”), it then draws a couple conclusions which should be important to NERC entities. In this post I want to update those conclusions, because my thinking – and the overall situation – has changed since that time.
First, I want to say I remain as mystified as I was a year ago as to why those words are in Section 4.2; I’ll let you read why I feel that way in the old post. But I do need to disagree with two of the conclusions I drew in the post.
The first conclusion I drew was that having this wording in there was going to lead to the auditors requiring entities to show that, before even starting to comply with Requirement 1, they had made a list of every Facility, system or piece of equipment they owned. Listing Facilities wouldn’t be impossible, but every system? And every single monkey wrench? This would be a classic case of paperwork solely for the sake of regulatory compliance. In that post, I recommended that FERC change this wording (as well as the wording of the rest of R1), to prevent this from happening.
Well, FERC didn’t change any of the wording (or order it changed) when they wrote Order 791. But to be honest, I no longer see this as being an issue. It has certainly never come up in any discussion I’ve had. I think everyone – entities and auditors – agrees this is hardly a battle worth fighting, so I don’t think it’s at all likely it ever will come up. Section 4.2 simply doesn’t affect how the entity complies with CIP-002-5.1 R1 (where there certainly are a lot of other battles worth fighting!). I think it will just be neglected by all concerned, and that’s fine with me.[i]
Note (Aug. 27): I spoke too soon when I said above that this is something that won’t affect how an entity complies with CIP-002-5.1 R1. Just today I corresponded with an entity that pointed out something to me that I had mentioned in a couple posts (including this one under the section “Questions of Scope”) but had put out of my mind for a while: There is no way a control center could be considered a Facility, according to the NERC definition of Facility (and the related definition of Element). So the fact that 4.2.2 says that all “BES Facilities” are what’s in scope for CIP v5 clearly implies – if you’re one of those sticky people that insists that words have clear meanings – that no control centers are in scope for CIP v5! A small omission, don’t you think?
Of course, I advised the entity not to act on this consideration, since I’m sure they won’t be able to make it stick with NERC (plus there is an obvious contradiction with R1 and Attachment 1, which refer repeatedly to control centers as being in scope). But it just goes to show that CIP-002-5.1 is a sloppily-written standard.
The second conclusion I drew is more important, though. I said that “Facilities, systems and equipment” should be replaced by the six asset types listed in R1 (control centers, transmission substations, etc). I said this because I thought the real “scope” of R1 was those six asset types. In other words, I believed that the criteria in Attachment 1 all refer to one of those six asset types, and if an asset isn’t on that list, you don’t have to ever consider it as you go through the criteria. I recommended that FERC make that substitution in the language of 4.2, but I also suggested that entities interpret “Facilities, systems and equipment” to mean the six asset types.
This was my belief last August, and it remains today the belief of some (perhaps many) in NERC and the regions, as well as many entities. But in January or February of this year, an Interested Party pointed out to me that this was simply not the case; the six asset types listed in R1 are the locations where BES Cyber Assets and BES Cyber Systems can be found, and the criteria in Attachment 1 don’t necessarily refer just to these types of assets (although they can in some cases). I have discussed this in a number of posts, including this one.
The third and last point I made (I won’t call it a “conclusion”) was that the SDT’s use of the word “Facilities” in criteria 2.3 – 2.8 was simply a mistake.[ii] However, that is not the case, as I also had revealed to me early this year. The use of Facilities was deliberate and also correct, IMHO. My last post discusses this in more detail.
The fact is, the use of “Facilities” in Attachment 1 is totally unrelated to its use in Section 4.2. The entity (and auditor) can safely ignore its use in 4.2, yet still take full advantage of its use in Attachment 1. But as far as I can see, people are ignoring 4.2 but are not yet taking full advantage of the term in Attachment 1.
Now that I’ve heartily disagreed with my 2013 self, how would I rewrite “Facilities, systems and equipment” in 4.2 so that it was meaningful and helpful, rather than irrelevant at best? My answer to this is simple: replace the words “Facilities, systems and equipment” in Section 4.2 with “assets”. In other words, all assets (with a lower case a, since it isn’t a defined term) can potentially be the subject of the Attachment 1 criteria.
You may ask, “Why don’t you say ‘assets or Facilities’?” The answer is I believe every Facility is an asset, although the converse isn’t true.
You may next ask why I leave out “systems and equipment”. That is because I don’t think those words should be in Section 4.2, which is really there to let the entity know what “big iron” will be in scope for v5, not “little iron”. And if you look at the title of the section – “Facilities” – as well as Section 4.2.2, which says that “all BES Facilities” are in scope, that just reinforces my opinion.[iii]
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.
[i] Of course, the very fact that I’m touting the fact that the miswording of 4.2 has no real consequence – and saying that is a good thing – is kind of sad when you think about it. What should be the case is that a requirement be well-worded and meaningful, even if it might be misguided. Simply saying that it can safely be ignored – since there are plenty of other places in CIP v5 where the wording is either confusing or contradictory, and thus cannot be ignored – is faint praise indeed.
[ii] Actually, as I said in a paragraph labeled “4” close to the end of the post, I thought the SDT had done this because they were concerned about separating out transmission from distribution “Facilities” in substations – since only the former are subject to the criteria.
[iii] Of course, the title of 4.2 shouldn’t be “Facilities” but “assets”. And 4.2.2 should read “All BES assets”. But as I’ve already said, it doesn’t particularly matter what this section says.