Kevin Perry, the Chief CIP Auditor of SPP,
emailed me regarding the penultimate paragraph in my most recent post,
where I opined that the biggest current problem regarding interpretation of
CIP-002-5.1 is how the word “Facilities” will be interpreted in criteria 2.3 –
2.8 of Attachment 1. Before I get into
what he said, I want to discuss this issue in more detail than I did in that
single paragraph.
Here is the problem, in longhand:
- The popular belief
seems to be that the “bright-line” criteria in Attachment 1 refer to
assets[i]. More specifically, the belief goes that the
word “Facilities” in criterion 2.3 refers to the generating station, and
the same word in 2.4 – 2.8 refers to the substation.[ii]
- I myself used to hold the same belief,
and it was only early this year that a couple of CIP compliance people from
transmission entities removed the scales from my eyes and showed me that,
in criteria 2.4 – 2.8, “Facilities” refers to the individual lines,
transformers, etc. at the substation.
- The implication of
this is that, in a substation, BES Cyber Systems take their classification
from the Facility, not the substation itself. For example, let’s look at criterion
2.4, which starts with the words “Transmission Facilities operated at 500
kV or higher.” A BCS associated
with a 500kV line at a criterion 2.4 substation will be Medium
impact. But a BCS associated with a
245kV line at the same substation will be Low impact. If you subscribe to the popular belief
that all the criteria refer to assets, then you would have to classify the
latter BCS as Medium.
- A similar argument
holds for generating stations subject to criterion 2.3. This starts out with the words “Each
generation Facility…”, followed by a discussion of a designation often
called “Reliability Must Run”. I am
told that sometimes a single unit in a plant, but not the whole plant,
will be designated RMR. If that is
the case, and if the owner of the plant subscribes to the belief that all
the criteria refer to assets, then the entire plant will need to be
declared Medium impact, and all the BCS in it will be Medium (of course, the
special rule about Medium BCS needing to affect the whole plant in
criterion 2.1 doesn’t apply here).
On the other hand, if the entity that owns the plant is enlightened
and reads my blog (the two terms are synonymous), they will realize that
each unit in the plant is a Facility – and since only one of those
Facilities has been designated RMR, that is the only unit that will have
Medium BCS. All of the BCS in the
other units will be Low impact. I’m
sure generation people who read this will agree with me that the impact of
this difference could literally be millions of dollars in compliance costs
for a single plant.
In my last post, I said “From what I’ve heard
from the regions and from the draft CIP-002-5 RSAW, it seems this word is going
to simply be interpreted as meaning ‘asset’.”
This is what prompted Kevin Perry’s email to me, since he pointed out
that, in his webinar last February, he had addressed this issue correctly. I went back through his
Narrative document and read some of the slides more closely (especially slides
44-48). I agreed that he was using this
interpretation, so I stand corrected in my implication that all of the NERC
regions are using the “asset-only” interpretation. At least SPP is not.
However, Kevin does go on to point out that
the interpretation in question – the interpretation that says that criteria 2.3
– 2.8 don’t refer to assets but to Facilities – is “absolutely” correct, and he
doesn’t think any entity will be issued a PV if they take that
interpretation.
I agree with Kevin that there probably won’t
be PVs given to entities that use the correct interpretation. But I also don’t think that solves the
problem. The issue is that so few
entities know they are allowed to classify BES Cyber Systems by the Facility
they’re associated with (in criteria 2.3 – 2.8), not just the asset; therefore,
they won’t even attempt to do this. I
think they should at least be educated that this is an option, even though they
may decide that they still want to follow the “assets only” interpretation.[iii]
Kevin also said he believes most of the
auditors understand this issue. I simply
don’t think that’s the case. The only
other auditor that I know of who has publicly presented his position is Joe Baugh
of WECC, in the CIP-002 presentation found at this
link. I’ve gone through it carefully
(and heard him give an earlier version in February), and I’m sure there is no
mention of anything other than an asset being the subject of one of the
Attachment 1 criteria. And I’m just
picking on Joe because he and Kevin are the only two auditors I know of who
have presented their interpretations of CIP-002-5.1 R1 and Attachment 1. My guess is most auditors – outside of SPP –
believe that “Facilities” in criteria 2.3 – 2.8 refers to the asset itself.
Kevin does tell me that there will be
training for all the regional auditors soon, which will include the excellent
BES Cyber System identification exercise that SPP ran in February and again in
June[iv]. If so, this will hopefully solve the problem
of auditors not understanding this issue; but it won’t solve the problem of end
users not knowing the “Facilities” interpretation is a valid one. All of this comes down to what was the real
subject of my last post: the need for NERC to stand up and state their
interpretation of the various gray areas in CIP Version 5. This is one of the grayer ones.
The views and opinions expressed here are my
own and don’t necessarily represent the views or opinions of Honeywell.
[i] Since this isn’t a defined term, a lot
of people believe that it is “defined” by the list of six asset types in
CIP-002-5.1 R1: control centers, substations, etc. That was my belief until Kevin Perry
straightened me out about that early this year.
He pointed out that the list of six assets is simply the locations where BES Cyber Systems can be
found – they aren’t the subjects of the criteria themselves.
[ii] At this point I need to note a dispute I have with Kevin Perry, the CSO706 SDT
members, and a lot of people at NERC.
They say the criteria in Attachment 1 are criteria for BES Cyber
Systems, not for assets/Facilities/whatever.
They are certainly correct in saying this, as far as the wording of
Attachment 1 is concerned. In fact, the
SDT conducted a webinar and put out a “concept paper” in 2009 that laid out
their intention to move CIP in exactly this
direction (at the time, they were thinking CIP v3 would be where this idea came
to fruition; of course, it was only in v5 that it finally did).
My contention is
that it don’t mean s___ (OK, it doesn’t mean a hill of beans) that the strict
wording says this. I haven’t talked to a
single NERC entity (and I’ve talked to quite a few) that is really using this
approach – that is, starting with their list of BES Cyber Systems (across their
entire system) and then classifying them by running them through Attachment
1. Every entity I’ve talked to about
this is interpreting the criteria as applying to “big iron” – the assets or
Facilities – not the “little iron”, which is the BES Cyber Systems
themselves. They are all classifying
their big iron High/Medium/Low and then classifying the BES Cyber Systems
according to the assets/Facilities they are located at or associated with.
And I think the entities are perfectly justified in
using this interpretation, since literally all of the criteria refer to big
iron, not little. If they really were
criteria for classifying BCS, they would read something like “BCS whose loss or
misuse could directly lead to loss of 3000 MW of load are High impact” or “BCS
whose loss or misuse could potentially result in the loss of 1500 MW of
generation are Medium impact.” Instead, all of the criteria in Sections 1 and 2
of Attachment 1 refer to big iron; it is only because of the prefaces to each
of those sections (like “Each BES Cyber System used by and located at any of
the following” for Section 1) that these asset/Facility criteria are supposedly
turned into criteria for BCS.
I contend that just sticking a preface on the criteria
hasn’t magically changed their nature, as the SDT seems to have hoped; they are
still criteria for big iron. And here’s
the proof: The CIP v5 criteria are very similar to the CIP v4 ones (some are
virtually identical). But there is no
question at all that the v4 criteria were for assets – they were criteria for
identifying Critical Assets. The idea
that sticking a 13-word preface in front of the same criteria would instantly
change how everybody thinks about them is nonsense. They are and always will be criteria for big
iron, and that is beyond a doubt how almost everybody is viewing them. And if you look at Kevin’s webinar narrative –
in the link shown above – you’ll see various statements where he uses language
that implies even he is operating as if the criteria refer to big iron. For example, “..only the Belcher plant aligns
with the Medium Impact Rating Criteria..” (slide 40) and “..the possibility of
having High impacting control centers..” (slide 31).
However, this issue is not part of my argument in this
post, which is why I put it in a footnote.
The question whether criteria 2.3 – 2.8 refer to assets (generating
plants in 2.3, substations in 2.4 – 2.8) or Facilities is a separate issue,
except that some purists will say “These criteria don’t refer to either assets
or Facilities. They refer to BES Cyber
Systems”. If you hear someone say this,
I suggest you give them a rousing Bronx cheer and return to classifying your
little iron according to the classification of the big iron it supports.
[iii] I recently talked with a compliance person at a large entity that told me they
were aware of the correct interpretation, but decided to stick with the
“asset-only” approach. That is, for
their substations subject to criteria 2.4 – 2.8, they will still classify all
BCS according to the substation’s classification, not that of the line or
transformer. The main reason they did
this – besides the regulatory uncertainty – was that in some substations they
would have to spend time and money segregating the Medium and Low BCS on
different networks (since if they are all on the same network, the Low BCS will
end up being Medium Protected Cyber Assets and therefore subject to most of the
requirements that apply to Medium BCS). Therefore, they decided it wasn’t worth the extra effort now
to base their classifications on the Facility rather than the substation itself. I can’t argue with this reasoning.
[iv] I attended the February exercise, and found it extremely helpful – much better
than watching ten hours of PowerPoints on the same topic. If you would like to see the materials from
the exercise – which SPP agrees can be shared with all NERC entities – you can
email me at talrich@hotmail.com.