Remember to Use the Facilities

Kevin Perry, the Chief CIP Auditor of SPP, emailed me regarding the penultimate paragraph in my most recent post, where I opined that the biggest current problem regarding interpretation of CIP-002-5.1 is how the word “Facilities” will be interpreted in criteria 2.3 – 2.8 of Attachment 1.   Before I get into what he said, I want to discuss this issue in more detail than I did in that single paragraph.

Here is the problem, in longhand:

1. The popular belief seems to be that the “bright-line” criteria in Attachment 1 refer to assets[i].  More specifically, the belief goes that the word “Facilities” in criterion 2.3 refers to the generating station, and the same word in 2.4 – 2.8 refers to the substation.[ii] 
2.  I myself used to hold the same belief, and it was only early this year that a couple CIP compliance people from transmission entities removed the scales from my eyes and showed me that, in criteria 2.4 – 2.8, “Facilities” refers to the individual lines, transformers, etc. at the substation.
3. The implication of this is that, in a substation, BES Cyber Systems take their classification from the Facility, not the substation itself.  For example, let’s look at criterion 2.4, which starts with the words “Transmission Facilities operated at 500 kV or higher.”  A BCS associated with a 500kV line at a criterion 2.4 substation will be Medium impact.  But a BCS associated with a 245kV line at the same substation will be Low impact.  If you subscribe to the popular belief that all the criteria refer to assets, then you would have to classify the latter BCS as Medium.
4. A similar argument holds for generating stations subject to criterion 2.3.  This starts out with the words “Each generation Facility…”, followed by a discussion of a designation often called “Reliability Must Run”.  I am told that sometimes a single unit in a plant, but not the whole plant, will be designated RMR.  If that is the case, and if the owner of the plant subscribes to the belief that all the criteria refer to assets, then the entire plant will need to be declared Medium impact, and all the BCS in it will be Medium (of course, the special rule about Medium BCS needing to affect the whole plant in criterion 2.1 doesn’t apply here).  On the other hand, if the entity that owns the plant is enlightened and reads my blog (the two terms are synonymous), they will realize that each unit in the plant is a Facility – and since only one of those Facilities has been designated RMR, that is the only unit that will have Medium BCS.  All of the BCS in the other units will be Low impact.  I’m sure generation people who read this will agree with me that the impact of this difference could literally be millions of dollars in compliance costs for a single plant.

In my last post, I said “From what I’ve heard from the regions and from the draft CIP-002-5 RSAW, it seems this word is going to simply be interpreted as meaning ‘asset’.”  This is what prompted Kevin Perry’s email to me, since he pointed out that, in his webinar last February, he had addressed this issue correctly.  I went back through his Narrative document and read some of the slides more closely (especially slides 44-48).  I agreed that he was using this interpretation, so I stand corrected in my implication that all of the NERC regions are using the “asset-only” interpretation.  At least SPP is not.

However, Kevin does go on to point out that the interpretation in question – the interpretation that says that criteria 2.3 – 2.8 don’t refer to assets but to Facilities – is “absolutely” correct, and he doesn’t think any entity will be issued a PV if they take that interpretation. 

I agree with Kevin that there probably won’t be PV’s given to entities that use the correct interpretation.  But I also don’t think that solves the problem.  The issue is that so few entities know they are allowed to classify BES Cyber Systems by the Facility they’re associated with (in criteria 2.3 – 2.8), not just the asset; therefore, they won’t even attempt to do this.  I think they should at least be educated that this is an option, even though they may decide that they still want to follow the “assets only” interpretation.[iii]

Kevin also said he believes most of the auditors understand this issue.  I simply don’t think that’s the case.  The only other auditor that I know of who has publicly presented his position is Joe Baugh of WECC, in the CIP-002 presentation found at this link.  I’ve gone through it carefully (and heard him give an earlier version in February), and I’m sure there is no mention of anything other than an asset being the subject of one of the Attachment 1 criteria.  And I’m just picking on Joe because he and Kevin are the only two auditors I know of who have presented their interpretations of CIP-002-5.1 R1 and Attachment 1.  My guess is most auditors – outside of SPP – believe that “Facilities” in criteria 2.3 – 2.8 refers to the asset itself.

Kevin does tell me that there will be training for all the regional auditors soon, which will include the excellent BES Cyber System identification exercise that SPP ran in February and again in June[iv].  If so, this will hopefully solve the problem of auditors not understanding this issue; but it won’t solve the problem of end users not knowing the “Facilities” interpretation is a valid one.  All of this comes down to what was the real subject of my last post: the need for NERC to stand up and state their interpretation of the various gray areas in CIP Version 5.  This is one of the grayer ones.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.

---

[i] Since this isn’t a defined term, a lot of people believe that it is “defined” by the list of six asset types in CIP-002-5.1 R1: control centers, substations, etc.  That was my belief until Kevin Perry straightened me out about that early this year.  He pointed out that the list of six assets is simply the locations where BES Cyber Systems can be found – they aren’t the subjects of the criteria themselves.

[ii] At this point I need to note a dispute I have with Kevin Perry, the CSO706 SDT members, and a lot of people at NERC.  They say the criteria in Attachment 1 are criteria for BES Cyber Systems, not for assets/Facilities/whatever.  They are certainly correct in saying this, as far as the wording of Attachment 1 is concerned.  In fact, the SDT conducted a webinar and put out a “concept paper” in 2009 that laid out their intention to move CIP in exactly this direction (at the time, they were thinking CIP v3 would be where this idea came to fruition; of course, it was only in v5 that it finally did).

My contention is that it don’t mean s___ (OK, it doesn’t mean a hill of beans) that the strict wording says this.  I haven’t talked to a single NERC entity (and I’ve talked to quite a few) that is really using this approach – that is, starting with their list of BES Cyber Systems (across their entire system) and then classifying them by running them through Attachment 1.  Every entity I’ve talked to about this is interpreting the criteria as applying to “big iron” – the assets or Facilities – not the “little iron”, which is the BES Cyber Systems themselves.  They are all classifying their big iron High/Medium/Low and then classifying the BES Cyber Systems according to the assets/Facilities they are located at or associated with.

And I think the entities are perfectly justified in using this interpretation, since literally all of the criteria refer to big iron, not little.  If they really were criteria for classifying BCS, they would read something like “BCS whose loss or misuse could directly lead to loss of 3000 MW of load are High impact” or “BCS whose loss or misuse could potentially result in the loss of 1500 MW of generation are Medium impact.”  Instead, all of the criteria in Sections 1 and 2 of Attachment 1 refer to big iron; it is only because of the prefaces to each of those sections (like “Each BES Cyber System used by and located at any of the following” for Section 1) that these asset/Facility criteria are supposedly turned into criteria for BCS. 

I contend that just sticking a preface on the criteria hasn’t magically changed their nature, as the SDT seems to have hoped; they are still criteria for big iron.  And here’s the proof: The CIP v5 criteria are very similar to the CIP v4 ones (some are virtually identical).  But there is no question at all that the v4 criteria were for assets – they were criteria for identifying Critical Assets.  The idea that sticking a 13-word preface in front of the same criteria would instantly change how everybody thinks about them is nonsense.  They are and always will be criteria for big iron, and that is beyond a doubt how almost everybody is viewing them.  And if you look at Kevin’s webinar narrative – in the link shown above – you’ll see various statements where he uses language that implies even he is operating as if the criteria refer to big iron.  For example, “..only the Belcher plant aligns with the Medium Impact Rating Criteria..” (slide 40) and “..the possibility of having High impacting control centers..” (slide 31).

However, this issue is not part of my argument in this post, which is why I put it in a footnote.  The question whether criteria 2.3 – 2.8 refer to assets (generating plants in 2.3, substations in 2.4 – 2.8) or Facilities is a separate issue, except that some purists will say “These criteria don’t refer to either assets or Facilities.  They refer to BES Cyber Systems”.  If you hear someone say this, I suggest you give them a rousing Bronx cheer and return to classifying your little iron according to the classification of the big iron it supports.

[iii] I recently talked with a compliance person at a large entity that told me they were aware of the correct interpretation, but decided to stick with the “asset-only” approach.  That is, for their substations subject to criteria 2.4 – 2.8, they will still classify all BCS according to the substation’s classification, not that of the line or transformer.  The main reason they did this – besides the regulatory uncertainty – was that in some substations they would have to spend time and money segregating the Medium and Low BCS on different networks (since if they are all on the same network, the Low BCS will end up being Medium Protected Cyber Assets and therefore subject to most of the requirements that apply to Medium BCS).  Therefore, they decided it wasn’t worth the extra effort now to base their classifications on the Facility rather than the substation itself.  I can’t argue with this reasoning.

[iv] I attended the February exercise, and found it extremely helpful – much better than watching ten hours of PowerPoints on the same topic.  If you would like to see the materials from the exercise – which SPP agrees can be shared with all NERC entities – you can email me at talrich@hotmail.com.