Many of you will know I have been complaining
for quite some time that NERC needs to step forward and start providing some
guidance on the many interpretation issues that are found in CIP version 5, and
especially in CIP-002-5.1 R1 and Attachment 1 (my particular obsession). I wish to announce that NERC does seem to
have taken one step in that direction.
I’m told that NERC has formed a “CIP Version
5 Transition Stakeholders Group”, consisting of representatives of NERC, the
eight regions, the six entities that participated in the Transition Study, some
drafting team members, and some “industry representatives” (my source thinks
the latter may be members of the NERC CIPC).
And what is this distinguished group going to do? Well, it seems they’re going to come up with
answers to questions about CIP v5 from NERC entities (that would be you) – I’m
told you just have to email those to Tobias Whitney or Steve Noess of NERC (I’ll
do a post on the questions I would like to ask; anyone who has suggestions they’d
like to have me include can email them to me at talrich@hotmail.com).
What is the legal basis for this group? That’s interesting. I’m told it comes from Section 11 of Appendix
3a of the NERC Rules
of Procedure (the page is numbered 43, but it seems to be page 174 of the
actual document. Don’t ask me why they
couldn’t just number all the pages consecutively). That section, called the “Process for
Approving Supporting Documents”, discusses “documents that may be developed to
enhance stakeholder understanding and implementation of a Reliability Standard.” Six types of documents are described; the
first one, “Reference”, is described as
Descriptive, technical information
or analysis or explanatory information to support the understanding and
interpretation of a Reliability Standard. A standard reference may support the
implementation of a Reliability Standard or satisfy another purpose consistent
with the reliability and market interface principles.
And who is authorized to prepare these
documents? You’ll be surprised to hear
that it is “any entity”. So as long as
you’re an entity – that is, you exist – you’re authorized to prepare them (presumably,
Peter Pan is excluded. But you could
argue even he’s an entity, albeit fictional).
It seems the new CV5TSG (remember, you heard that acronym here first!)
is as much an entity as anyone else is, so they will take it upon themselves to
prepare documents.
Section 11 goes on to say that the NERC
Standards Committee “shall authorize the posting of all supporting references
that are linked to an approved Reliability Standard.” It seems that any document that meets the
definition of “reference” above will be posted.
I guess that’s what the new CV5TSG will be doing – preparing references
on questions regarding CIP v5.
Is this a good thing? Definitely.
Is it going to be enough? Well,
that depends on your definition of “enough”.
If you’re looking for interpretations of the v5 standards that will
serve as mandatory guides to the auditors (and therefore for the NERC entities
themselves), you’ll be disappointed.
There is no way this group can do Interpretations. As I’ve discussed previously,
NERC simply cannot produce official interpretations of any standard without
going through the entire Request for Interpretation process, which could easily
take two years or more. There is no way that the current interpretation
issues with CIP v5 can be dealt with in that time frame; they need to be
addressed much more quickly.
But my guess is the group will produce
well-reasoned documents that may clarify some important points. I’m told they’ll be similar to the “Lessons
Learned” documents that have already been posted,
which have been well-written if not particularly earth-shattering. Note that the quote above does say references
can “support the understanding and interpretation of a Reliability Standard.” If the CV5TSG actually produces documents
that do that, this will be a significant step forward.
But there’s a catch (of course). We’re now just over 18 months away from April
1, 2016, when High and Medium impact assets (and their owners/operators) need
to be 100% compliant with CIP Version 5.
There are lots of questions that need to be answered (you could go to
almost any one of my posts since the end of April 2013 and find at least three
or four) quite quickly – especially on CIP-002-5 R1 and Attachment 1, which of
course are the foundation for everything else in CIP version 5. How likely is it that this team will be able
to address most if not all of the significant questions soon enough for that to
be of help – say by the end of this year at the latest?
And here, Dear Readers, is the bad news: I
think it’s highly unlikely this will happen.
I’m going to spend a little time discussing what’s at stake here:
- Those of you who
were involved with NERC CIP compliance four or five years ago know that
the NERC CIPC published two very good guidelines on the CIP-002 asset identification
process: one on identifying Critical Assets, the other on identifying
Critical Cyber Assets (if you need a copy of these, you can email me and I’ll
send them to you. Alternatively,
you could spend a couple hours looking for them on the NERC website). These were both excellent documents, and
the latter still provides good insights into issues like “external routable
connectivity” that remain in CIP v5.
- I think it would
be great if similar guidelines were developed now, although – given that
the identification and classification of “big iron” and “little iron” are
so intertwined in CIP-002-5.1 – this would need to be a single
document. This would really be the
right thing to do, and it is what I have been in part requesting since 2012. But this is simply not going to happen. I believe the two previous documents took around a year to develop, and even
if the team started now, the new document would arrive way too late for it
to be of help in the initial identification of BES Cyber Systems, prior to
the April 1, 2016 date[i]
(I keep threatening to write my own mini-version of this document as a
post, and I intend to do it soon).
- So the best we can
hope for is answers to specific questions.
While not being the comprehensive approach I’d prefer (at least for
the CIP-002-5.1 questions), it’s certainly better than nothing.
- So what are the
questions the new team will be addressing?
My contact says efforts are underway on the following topics: a)
Grouping BES Cyber Assets into BES Cyber Systems; b) a definitive
discussion of the “far-end” transfer-trip relay issue
(this was already addressed in an email from Steve Noess, but I guess the
new document would be more thoroughgoing and would carry more official
weight - although I of course CAN’T call it an interpretation); c) Virtual
Systems and VLANs (which has been an issue since CIP V1, so this is
certainly needed); d) Disaggregation of BES Cyber Assets at a generating
plant (I assume this refers to the fact that BES Cyber Systems identified
through what I call the “top-down” approach need to then be disaggregated
into their component cyber assets.
See this
post); and “perhaps” even e) What the word “programmable” means in the
definition of BES Cyber Asset (my next post will address this issue, which
is a pretty big one, especially for generating plants).
- What will be the
pace at which the group turns out these documents? Remember, these are people who all have
day jobs. They’ll be meeting once a
month (I doubt for more than two days).
Even though I know that work is already proceeding on some of these
questions (the virtualization question has been under discussion by a group
of the NERC CIPC for at least a few months), I sincerely doubt they’ll be
able to turn out more than say two documents a month. So the list above can perhaps be
completely taken care of this year.
- That’s wonderful,
but what about all of the other 5,689 “interpretation” questions on CIP
version 5? It won’t do most
entities a lot of good to have them addressed even next year, let alone in
2017 or 2018.
- There is another
initiative I know that’s going on, which is that NERC is providing uniform training on CIP
v5 for all of the auditors in the regions.
Again, that’s great and really needs to happen, but is that
training really going to address a lot of the other questions that the
CV5TSG won’t be able to address in the near future? I can assure you that won’t happen.
So what are we left with for all of the other
v5 problems (and now I’m even more motivated to come up with a list of issues that
I see. I hope some people will email me
their issues as well; I promise to list them all, without attribution of
course)? I’m afraid they will ultimately
be dealt with using the time-tested NERC method: auditor discretion. Isn’t that wonderful?
The views and opinions expressed here are my
own and don’t necessarily represent the views or opinions of Honeywell.
[i]
This doesn’t mean it shouldn’t be done, since entities will always be coming
into the CIP program, adding new Medium or High impact assets, etc. But I certainly don’t see any movement to do
that, so this is all academic.
Sept. 19: In the NERC webinar on CIP v5 Revisions today, Tobias Whitney announced the CV5TSG, and seemed to indicate that the process may be a little faster than I had anticipated. He said they'd be posting something for comment in a few weeks, addressing about 7 CIP v5 topics (virtualization, far-end relays, etc). I didn't understand whether the team would be posting drafts of their "interpretations" of these topics, or whether they would be merely soliciting ideas on how to address them. In any case, it's good that there will be some visible action in the near future.
ReplyDelete