I have known for a long
time that the “bright-line” criteria were anything but bright, and that
there were going to be a large number of questions when it came down to
actually applying them. Well, guess
what? People are applying them now, and
there are a large number of questions.
This is the first in what will probably be a number of posts (not all
together, of course) discussing bright-line criteria problems.
I used to think there would be a guidance
developed for using the BLC (beyond what is in the Guidance and Technical Basis
section of CIP-002-5.1, which is good but simply limited), but I certainly
don’t see that happening now. I imagine
these questions will be answered the way most other CIP v5 questions will be
answered: by each individual region (or even each auditor within each region),
with great variability across regions.
That’s why I call them the Not-so-Bright-Line Criteria.
The reason why it’s inevitable there will be
many questions on the BLC is that the electric power industry is tremendously
diverse. I am always struck by the
differences between facilities (e.g. one generating station vs. another, one
substation vs. another), between the NERC entities themselves (obviously, coops
vs. munis vs. IOUs, but even within those three categories there is huge
variability in what they do, etc. That’s
why NERC has all those registrations, and why almost no two entities have the
same registrations), and between the environments in which the entities operate
(entities in PJM have an entirely different set of constraints than those under
CAISO or SPP, for example). There is
simply no set of criteria like the BLC that could cover this diversity.
I noticed early on (when entities started
considering CIP v4) that just about everyone I talked to would say, “We think
we understand where we fit in the bright-line criteria, except for….” And here they
would rattle off a long story about how they have one substation or generating
plant that might look like it meets one of the criteria but in reality it
doesn’t because of some complicated reason that applies just in their region,
etc. I figure that, if every NERC entity
has at least one “except for” situation, and there are maybe 5-800 entities
subject to CIP v5, there are a whole bunch of these issues out there, waiting
for me to write about. So I expect to be
done with this series of posts in about 2020, and then only because CIP v7 or
v8 will be in force, not because all of the questions will have been answered.
Now on to the problem….
There are several strands to this problem,
but the main one is that there is no NERC definition of “substation”. Of course, the SDT knew this when they
drafted CIP v5, and for the most part the criteria in Attachment 1 of
CIP-002-5.1 are free of any dependence on the word “substation”. However, that is not the case for criterion
2.5.
In that criterion, the Facilities that are
Medium are those between 200 and 500kV.
As everybody knows by now, there is a formula to weight the different
lines in the substation, and the sum of those weights has to exceed 3,000 in
order for these Facilities (i.e. the 200-500kV ones) to be Medium. If that sum is less than 3,000, then all of
those Facilities, and the BES Cyber Systems associated with them, are Low
impact.
Now suppose you have a substation with two
control rooms, one that controls two 345kV lines and another that controls one
245kV line (whether this is likely to happen or not, I have no idea. I’m not a power engineer, and I don’t even
play one on TV – assuming there are any TV shows about power engineers). The two 345kV lines are worth 2600 points in
the formula, while the one 245kV line is worth 700 points. Together the substation has 3300 points,
meaning that all the BES Cyber Systems associated with these three lines will
be Medium impact[i].
But let’s say the two control rooms (and
their respective lines) are in two separate substations. The point total for the first substation will
be 2600, while the second will be 700.
In this case, all the BES Cyber Systems in both substations will be Low
impact, since they no longer meet criterion 2.5, and don’t meet any of the
other Medium criteria.
You probably know where I’m going on this,
but let’s go back to the original case where both control rooms are in the same
substation. Now let’s start moving the
two control rooms apart (since this is a thought experiment, we can do this in
the blink of an eye. It would take
somewhat longer than that – he says with a grin – to do this in real life).
Let’s move the second control room 200 yards
away from the first. Are they still the
same substation? If we think so, let’s
move them half a mile apart. Are they
still the same substation? How about if they’re
a mile apart? Or is it the fence that
makes the difference? As long as there
are two fences between the two control rooms, could they be located just twenty
feet from each other and be in separate substations?
Of course, there’s no answer to these
questions, since there’s no definition of “substation”. But I predict this will become an issue as
entities focus more on their compliance costs for substations subject to
criterion 2.5.
Now let’s put another turn on the screw. For the remaining discussion in this post, I
wish to acknowledge the assistance of a large transmission entity that brought
this issue up to me and helped me (try to) understand what is involved.
Suppose there’s a “transfer-trip” relay
associated with the 245kV line; this relay can trip one or more of the 345kV
lines in certain circumstances. In the scenario where both control rooms are
indisputably in the same substation, this doesn’t change anything; the BCS in both
control rooms will be Medium impact.
But let’s now throw another 245kV line into
the first control room, giving that control room by itself 3300 points under
criterion 2.5. And let’s move the second
control room – still containing the transfer-trip relay – 500 miles away, with
14 fences and a moat with alligators between it and the first control room; the
transfer-trip relay in the second control room still can trip the relay
associated with the 345kV line in the first control room (I realize this is an extremely unlikely situation in real life, and probably violates the laws of physics anyway. But stay with me). I don’t think anyone will dispute that the
second control room is in a separate substation. Since that substation only has 700 points
under criterion 2.5, and since it doesn’t meet any of the other Medium
criteria, it will be a Low substation (of course, the substation with the first control room now meets criterion 2.5, so the lines in the first control room are still Medium Facilities).
However, someone who hasn’t read my blog for
the past three months might point out that Attachment 1 Section 2 of
CIP-002-5.1 says that BES Cyber Systems “associated with” any assets or Facilities
that meet one of the Section 2 criteria are Medium impact. Since the transfer-trip relay in the second
control room is definitely associated with one of the Facilities (a 345kV line)
in the first control room, it will be Medium impact, right?
Of course, the answer to this question is “no”,
given NERC’s recent “ruling” on such situations, described in this
recent post; the transfer-trip relay in the second control room will be Low
impact. So now the question of what is a
substation again rears its head: as we gradually move the two control centers
closer to each other, at what point do the separate substations become one, meaning
the transfer-trip relay will go back to being a Medium impact?
Again, I don’t have the answer to this
question (that’s why I love being a blogger.
I can point out all sorts of thorny issues and make people at NERC and
the regions squirm, without having any responsibility at all to be constructive
and actually solve the problem), but I hope there will be one answer given at some point (presumably from NERC) rather than
eight or more answers (one for each region, and perhaps more for auditors
within the same region who have differing opinions on this).
Now I turn the screw again.[ii] Let’s suppose the substation in question isn’t
a criterion 2.5 one at all, but a criterion 2.4. It has a 500+kV line (we’ll say 765kV in this
case) controlled by one control room, and a 345kV line controlled by the second
control room. Once again, there is a
transfer-trip relay in the second control room that can trip the 765kV line.[iii]
In this case, the situation is different from
the criterion 2.5 case. Let’s look again
at what happens if both control rooms are at the same substation. Criterion 2.4 says that “Transmission
Facilities operated at 500 kV or higher” are Medium impact. This means the 765kV line is a Medium, but
the 345kV line is Low (since the substation itself doesn’t figure in criterion
2.4, as it does in 2.5). However, since
the transfer-trip relay is associated with the Medium impact (765kV) line, it
will also be a Medium BCS.
We once again separate the two control rooms
by 500 miles and alligators, so there are now two substations. The second control room will without doubt be
a Low impact, but since the transfer-trip relay remains associated with the
765kV line, it will be Medium impact, right?
Before you bring up NERC’s recent “ruling” referred to above, remember:
that ruling only applies to criterion 2.5.
We’re now dealing with 2.4.
But if you follow my blog closely, you’ll
know that the August “ruling” – by Steve Noess of NERC - that I referred to
wasn’t the first “ruling” on this issue.
The first was in June by Tobias Whitney of NERC, as described in this
post. Tobias reached the same conclusion
as Steve, namely that a “far-end” or transfer-trip relay located at a Low
substation but associated with a Medium line was Low impact, even though it is
clearly “associated with” a Medium Facility.
However, the reason Tobias gave was quite
different from Steve’s. Steve’s was
based strictly on the wording of criterion 2.5 (and followed very closely the
reasoning an Interested Party had provided me in a post
I did the day before Tobias made his pronouncement). On the other hand, Tobias’ reasoning was much
more general: he said[iv]
something to the effect that “Physical location IS a determinant factor for
impact classification.” Note there is nothing specific to criterion 2.5 in that dictum.
Let’s apply Tobias’ reasoning to the
criterion 2.4 case. Given that the
transfer-trip relay in the second control room is clearly in a separate
substation (and it’s 500 miles away from the first substation), I’d say that if
physical location is ever going to be a “determinant factor” for
classification, it should be here. I say
the transfer-trip relay has to be a Low impact one. So Steve’s and Tobias’ reasoning lead to
different results in this case.[v] Which person should you believe? I would say Steve, since his reasoning is written down (in an email), while Tobias' reasoning isn't (his is in a PowerPoint, but that was never officially released after the meeting, which is known as having your cake and eating it, too). So the transfer-trip relay, which is located in a Low substation, will still be Medium impact - because the criterion we're dealing with now is 2.4, not 2.5.
Once again, let’s start moving the second
control room back toward the first.
Whenever it becomes part of the original substation, then there will be no more question that the transfer-trip
relay is Medium impact (under either Steve's or Tobias' reasoning), and peace will be restored at NERC. Of
course, the whole question is when the two substations do become one, which is
the same as my original question: What is a substation? That question remains as unanswered as it's always been.
So we’re back where we started, but I hope
this exercise has at least cleared up what the issues are. It certainly has for me, and I hope it will in some way lead to the two issues in this post (the meaning of "substation" and the Steve/Tobias difference) being addressed in some definitive or semi-definitive way by NERC. This was fun, and I would like to hear of any
similar issues you may have discovered in the bright-line criteria. Contact me at talrich@hotmail.com.
The views and opinions expressed here are my
own and don’t necessarily represent the views or opinions of Honeywell.
[i]
Remember that criterion 2.5 says that “Transmission Facilities” operating
between 200 and 500kV are Mediums, if they are associated with a substation
that meets the 3000-point threshold.
Since all three of these lines fall in that range, all the BCS
associated with them will be Mediums. Of
course, there’s an exception to this (Alrich’s Law states that no statement can
be made about a NERC regulation that doesn’t have at least one exception. So far, I have found no exceptions to this
law). That exception is the case of the “far-end”
relays discussed in this
post.
[ii]
Of course, when I speak of turning the screw, I’m thinking of Henry James’ wonderful
ghost story, “The Turn of the Screw”.
[iii]
This is the scenario – perhaps mangled in my retelling – that the entity I
referred to above brought to my attention.
[iv]
At a NERC CIPC meeting in Orlando.
[v]
My guess is that Tobias’ reasoning, since it could conceivably apply to other
criteria as well, will lead to further contradictions with Steve’s
reasoning. That is, unless someone at
NERC states whose reasoning is the one to follow in this case.
No comments:
Post a Comment