Thursday, February 26, 2015

Making It Up as they Go Along, Part II: What the SGAS Mean

Note on April 18, 2016: I put a reference to this post in a post I put up yesterday, so I expect at least a few people will read this. I admit that I would write this more concisely if I had time to do it over, but the points are all still valid. I do want to emphasize that, were I employed by a NERC entity, I would be the first to sign up for my SGAS - I'm not in any way blaming the entities for this misguided policy. And I would support the SGAS if the results were somehow made public - there are a number of ways that they could be sanitized so that no information traceable to a particular entity is disclosed. The whole problem is that the results aren't disclosed, so entities can't take advantage of any information provided to their peers.

Dear Reader: Since 2014, this blog has maintained a proud tradition of annual April Fool’s Day posts.  I can assure you this tradition will continue this year.  However, as I write the post below, I am beginning to worry that people will interpret this as my early entry for April Fool’s.  Let me assure you, this is not the case.  What this post discusses is real; I wish it were otherwise.  I will find it very hard to top this come April 1.

I have started a series of posts documenting how NERC and the regions are simply improvising as they deal with the many serious interpretation issues for CIP Version 5 – issues that keep sprouting out of the ground like weeds on a warm spring day.  Part I was my first post on two emails from ISO New England that were causing generators to wring their hands and explore alternative careers in fast food – anything but NERC CIP; this was followed by four more posts on those emails, although I didn't label them part of this series. 

However, an email from NERC today (and an email conversation with a former auditor whose opinions I greatly respect) reminded me that there is a much more important example of “Making It Up as they Go Along” on the table – and that is from NERC itself.  The email discussed the Small Group Advisory Sessions (SGAS) that NERC has suddenly started advertising.  These are 60-90 minute sessions in which a group of SMEs from a NERC entity sits down with NERC staff to talk about “issues pertinent to that entity’s implementation of the CIP v5 Standards.”  

So what’s wrong with that?  What’s the matter with NERC sitting down to answer people’s questions?  I have no problem with their doing that.  What I do have a problem with – and others do, too – is that these are explicitly stated to be “closed” sessions.

First, what will be the subject of these closed sessions – important enough for critical NERC CIP SMEs to take a couple of days off and fly to Atlanta for a 60-90 minute meeting[i]?  It’s safe to say it won’t be the Braves’ prospects for 2015.  It’s also safe to say the meetings won’t rehash some compliance issues that have already been settled through Lessons Learned, etc. (although there are precious few of those that I would call genuinely “settled”) – or that may be addressed in the public CIP v5 Workshop going on at the same time in Atlanta.

Children, I’m afraid I have some bad news for you: The nice lessons you learned in Civics class about public bodies always dealing with public issues in a public manner don’t necessarily correspond with the reality of this terrible world we live in.  These sessions will be to discuss compliance issues that haven’t been publicly dealt with by NERC – or at least not officially “resolved”[ii]; that’s why entities will probably be lining up to have these meetings.  Whatever NERC says in the meetings will presumably never go beyond the ears of the attendees, as well as some others in their organizations.

Even that may not seem so bad on the face of it.  Given the fact that sensitive cyber security issues are being discussed, could these be anything but closed discussions?  And isn't it true that entities sit down one-on-one with their Regional Entities to discuss compliance issues all the time?  Why is it different if they sit down with NERC?

There is a big difference.  The entities are supposed to be getting all of their guidance on compliance from their regions.  The regions know all of their entities well, and if they have a closed meeting with one entity, they will presumably share anything that has general applicability with other entities who should be notified.  Even if they don’t immediately share these compliance points, they will certainly do so if another entity raises the same issue with them.  NERC isn't the auditor for any of the entities in the US (or Canada, for that matter)[iii]; the Regions[iv] are.

NERC doesn't have the same relationship with the entities as do the regions, and they could never make sure they had shared a particular piece of information with all of the entities in North America to whom it might apply.  Let me correct that: they could certainly share the information with all such entities by putting it out in a public document.  For example, if they end up telling entity X that two of their Transmission assets – that are contiguous but don’t share a common fence – actually constitute two substations for the purposes of Criterion 2.5 (an issue I discussed in this post), they could try to generalize[v] that ruling into a public document like a Lessons Learned.  Yet NERC doesn't seem to have any intention of doing that.

Is this bad?  More specifically, does it meet one or more of the “unholy trinity” by being

  1. Illegal,
  2. Immoral, or
  3. Fattening?
I think we can rule out no. 3, although that depends on the type of snacks NERC has in the room.  As for number one, it is definitely illegal (in the sense that it violates the NERC Rules of Procedure, not that it will result in somebody being thrown in jail).  But that’s not my concern here – I have said repeatedly that the only way CIP v5 (and especially CIP-002-5.1 R1) can be successfully implemented is if a number of illegal interpretations are made – by somebody[vi].  The last chance NERC had to fix the problems with v5 legally was when they wrote the SAR for the CIP v5 Revisions (aka v6) – instead, they kept the scope of the SAR narrowly to the four mandates FERC had made in Order 791.  I’m just glad to see that NERC is finally stepping up even to do these illegal interpretations, since for a while it looked like they weren't going to.

So are the SGAS immoral?  On the surface, they are.  If NERC is making “rulings” for individual entities, then that is unfair to those that can’t set up an SGAS.  According to the latest email from NERC, the SGAS will be offered on nine days in February, March and April.  If you assume they set up six meetings on each of those days (probably an over-estimate), that leads to 54 meetings, and 54 entities (presumably large ones) that have had their biggest v5 interpretation issues addressed by NERC.  What about the other hundred or more[vii]  entities that don’t get to do this?  I suggest there be a new Functional Model classification for these entities: SOL.

But hey, I’m a realistic guy.  NERC has a job to do – successfully implement the v5 standards on April Fool’s Day, 2016.  It may not be fair to some of the other entities that they don’t get an SGAS, but maybe NERC can help them out by setting up individual phone calls, etc.  Strict morality is a nice thing to have, but desperate times call for desperate measures – and make no mistake, with the implementation date 13 months away and about 500 serious v5 issues on the table, these are desperate times indeed.

No, the core of my objection to the SGAS is that they could well destroy the enforceability of CIP version 5 (and I really mean v5.5 here, as well as almost everywhere else where I say “v5” nowadays).  The reason I say that is quite simple: How can you possibly call something a “standard” that doesn't apply in the same way to every entity to which it’s supposed to apply?  Even more importantly, how could any penalty assessed for a CIP v5 violation ever be upheld if the entity challenges it in court?

Now, I have repeatedly suggested that CIP-002-5.1 R1 should be declared an “open” requirement by NERC, meaning no penalties will ever be assessed for “violations” resulting from good-faith efforts to understand what that requirement (and Attachment 1) means.  In fact, I have also said that R1 will be open regardless of whether or not NERC declares it so: there is so much ambiguity and contradiction in the wording that no violation could ever be upheld in a court of law (and of course, NERC CIP v5 is regulatory law because of FERC’s approval of it; penalties can be appealed in the regular court system); I even doubt any auditor would assess a PV in the first place, given that it will result in a huge battle and will most likely end up being deep-sixed.

In making this statement, I did wonder if the “open-ness” of R1 would “spread” to the requirements in the other standards.  After all, R1 is where you identify and classify your BES Cyber Systems.  If there is no ironclad methodology for doing that, then clearly the entity can never be certain it is applying the remaining requirements to the right systems – and the auditors can’t verify that, either.  However, I reasoned to myself that, even though the BCS identification process is fatally flawed, it is still possible to say objectively whether or not the entity has properly complied with the other v5 requirements – if you accept as given the BCS lists that came out of CIP-002-5.1 R1.  And auditors could still issue PVs for entities that missed the boat on these other requirements[viii].

But that reasoning is out the window.  There’s nothing in the SGAS announcement that says the closed discussions between the entities and NERC will be limited to CIP-002-5.1 R1; so potentially any other v5 requirement could be discussed as well – and NERC might well issue private “rulings” for those requirements. 

So what happens – say, five years from now – when an entity has been fined by FERC for violating CIP-007-6 R2, for example?  They appeal it to the courts, and their argument is quite simple: It’s impossible to know whether or not NERC might have given a private “interpretation” of that requirement during one of the SGAS.  It is quite possible that another entity was given advice on complying with this requirement (patch management) that could have applied to the entity that was fined as well.  They would then have done things differently and avoided the violation.  How could the fine possibly be upheld?  On any v5 requirement?

I’m reminded of the early 2000’s, when all companies finally jumped on the Internet.  At first, they just put up static pages; for example, a bank would just show its hours and locations, provide some forms to download, etc.  Then they all started trying to “personalize” the site.  Instead of “”, the site became “”.  You would log in and get access to your personal banking information, do transactions online, etc.

It seems that the SGAS are following that same process.  Instead of having just one version of CIP v5 for everybody, now everyone (at least the lucky ones) will have “my CIP v5” – their own CIP v5 custom tailored for their own unique environment.  It’s all about serving the customer. 

Of course, at that point you can’t use the word “standards” for CIP v5; something like “suggestions”, “guidelines”, etc. would be much more appropriate.  And of course, there will be no more talk about fines or nasty stuff like that – how can you issue a fine against someone simply because they didn't take your suggestion?  If FERC is happy with this situation then hey, who am I to complain?

At this point, I have to pause to retrieve my tongue.  It’s so far back in my cheek that I’m in danger of swallowing it.  I told you it’s going to be very hard to top this post on April Fool’s Day.

So what can NERC do to avoid this perhaps fatal blow to all of CIP v5?  I see two overall options.  First, they could:

  1. Keep the SGAS – I do like the idea of having NERC meet with entities to discuss v5 – but make it quite clear the meetings are solely for gathering questions the entities have about the meaning of particular wording in CIP v5 (of course, the first SGAS already took place this week.  I hope NERC anticipated this post and followed my advice before I gave it).
  2. Once NERC has all these questions in hand (and they should gather them from other sources as well, especially the entities who can’t make an SGAS), they should commit to addressing every one of them in an open manner – presumably through something like the Lessons Learned documents (but I’m even OK if NERC short-circuits the LL process and just issues their “rulings”.  Strictly speaking, they’ll be illegal, but at least they’ll be completely public).
  3. However, there’s no way NERC can address all of these questions in time for the answers to be of help for entities trying to comply with the 4/1/16 date.  That has to be pushed back by at least a year.

What’s NERC’s second option?  It’s to continue on their current course and hope everything works out for the better.  And my money’s on their choosing Door Number Two.  CIP v5 has been dealt a potentially fatal blow.  The victim is staggering but still standing.  Will he finally fall for good?  And if he does, when will that happen?

To Be Continued…

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.

[i] There is a larger meeting – open to all NERC entities – that they will be able to attend while they’re waiting around for their private hour with NERC.  So they don’t just have to go to the bar and watch TV.

[ii] Of course, “resolved” isn't the right word for what NERC is doing.  As I've said repeatedly, NERC has no way to give binding interpretations of standards, except by going through the RFI process – which requires 2-3 years.  The most they can do is put out a document for public comment – which is what the Lessons Learned are – then revise it to incorporate those comments.  They presumably hope this process will build a consensus among the entities and the regions regarding the topics discussed in the Lessons Learned.

[iii] I believe NERC is the auditor for the regions themselves, and perhaps for the ISOs.

[iv] In Canada, it’s not even the Regions.  The entity that enforces the standards is different in each province.

[v] Of course, I’m sure the nature of the issues brought up in these meetings will be quite specific to the particular situation of the entity, so it will be hard to generalize NERC’s “ruling” on an issue to other NERC entities.  On the other hand, these “rulings” will constitute non-public interpretations, regardless of whether or not there is only one entity they could apply to.  Back in 2012 (in a post on another blog that I re-posted here in 2013), I suggested some sort of “Supreme Court of CIP” that would officially resolve the myriad questions that I could see were going to come up about application of the bright-line criteria.  It seems NERC may be taking me up on that suggestion, although I’m sure they don’t remember my making it – and of course, I intended the “court” sessions to be public, not private.  I hope to do a new post soon on the problem of the bright-line criteria.  I would say it is the most serious problem for CIP v5, if I didn't know a couple others that are in pretty close contention for that title.

[vi] And I've suggested at various times that “somebody” could be God, Barack Obama, Judge Judy, Joe DiMaggio, The Tibetan Book of the Dead – basically, any person or thing, alive or dead, that would have enough authority to command the respect of the NERC community.  In practice, of course, NERC is the preferred “somebody”, although for a while it looked like they weren't going to do anything to address the v5 interpretation issues.  Now they’re finally doing something on a fairly large scale (although not sufficiently large) - I'm referring to the Lessons Learned and FAQs; the fact that these don't constitute "legal" interpretations of v5 doesn't bother me in the least.  The SGAS do bother me, although not the fact that they're "illegal", but the fact that their results won't be made public.

[vii] I of course don’t know how many entities are subject to all of CIP v5 – i.e. they have High and/or Medium impact assets with High or Medium BES Cyber Systems.  It may not be more than 200.  In any case, it’s more than 54.

[viii] The only possible exception to this statement would be CIP-005-5 R1, since that also deals with “fundamental” asset classification issues.  For example, it’s the requirement that results in your having to identify Protected Cyber Assets.  If the BCS are identified “incorrectly”, the PCAs will be as well.  And the question of what constitutes External Routable Connectivity is a huge issue that is nowhere close to being resolved.  I guess this falls into 005 R1 as much as it does in any other requirement.

Sunday, February 22, 2015

Update to Friday's Post

In the post I did two days ago on the ISO New England emails, I stated that there were only three “legal” ways out of ISO NE’s dilemma – how to designate just the particular BES Cyber Systems that perform the AVR function in generating plants as Medium impact, while not making the whole plant, or even one unit, Medium impact as well.  I also said that I was sure ISO NE wouldn’t pursue any of the three.  Therefore, I suggested an “illegal” option – getting NERC to issue a “ruling” on the issue, even though it has no status under the Rules of Procedure – as the best approach possible (and one which I believe will be used very frequently, as the myriad of hidden issues in the bright-line criteria bubble up to the surface as entities try to make sense of the criteria).

However, an Interested Party pointed out to me that there is a fourth “legal” option:  “Write a Standards Authorization Request outlining the specific dilemma and asking for the issue to be fixed through a change in the Criterion.”  Under the NERC Rules of Procedure, any entity can write a SAR for a change to an existing standard or even a completely new standard.  This is perfectly true.  In fact, I’d add a fifth legal option: submitting a Request for Interpretation on this issue to NERC.

Both of these options are quite legal, but they both have the same problem: they will take at the very minimum two years to yield fruit (a revised standard in one case, an Interpretation on this issue in the other case), and probably longer than that (the RFI also faces the challenge that FERC may reject the Interpretation once it has been drafted and approved by the NERC ballot body.  This happened with two Interpretations of CIP v3 in 2012).

I should have said that there were only three legal options that might conceivably result in guidance to the generators in New England in time for them to come into compliance with CIP v5 by April 1, 2016.  There are two legal options that will provide guidance to entities sometime after the compliance date, but that leaves the possibility that generators will a) not be in compliance next April or b) be in Medium compliance for a plant or unit that it turns out didn’t have to be Medium impact after all.

I have of course advocated for NERC (or somebody else) to write a SAR to rewrite the entire CIP-002-5.1, not just Criterion 2.6.  I think that is a much better approach, rather than trying to write a SAR for each problem in CIP-002-5.1 R1 and Attachment 1.  You could write literally hundreds of SARs and still not be any closer to fixing the fundamental problems with these two items.  NERC needs to simply start over and write these clean.  However, this will definitely not solve the problems in time to help people for initial compliance.  That’s why I’m also saying (in the same post) that R1 needs to be declared an “open” requirement, and that the compliance dates for CIP v5 and v6 need to be pushed back by a year (in this post).

And by the way, with every passing day (and with every glass of red wine), I become more certain that all of these three things will happen – or at least two of them.  Anyone up for a bet?


Friday, February 20, 2015

Episode 4: ISO New England and the Emails of Doom

This is my fourth and (probably) final post in a series of posts (starting with this one) about two emails that ISO New England sent out to generators in their area.  The emails stated that generators need to protect…well, what they have to protect is the issue, let’s just say they need to protect something…as Medium impact under Criterion 2.6 in Attachment 1 of CIP-002-5.1.

I’m interested in these emails primarily because they have created a big stir among the generators that received them (including a customer of mine); at least some of the generators are very concerned that they may end up with entire units or even plants becoming Medium impact - when they hadn’t even considered that could happen, and when there are just about 13 months left before the compliance date.  However, I’m also interested because these emails illustrate the very serious problems that are going to keep coming up with CIP-002-5.1 R1 and Attachment 1 as entities get down to the nuts and bolts of actually complying. 

To save you the time required to read my first post about this topic, I will summarize the parts of it that are relevant to this post (it is still worth reading, and will undoubtedly take its place among the great blog posts of all time):

In December, ISO New England sent to a number of generators in their area an email that read “In accordance with Criterion 2.6 of NERC Standard CIP-002-5, ISO New England has determined that Generation Facilities represented by your company have an AVR and/or PSS (if equipped) that is critical to the derivation of IROLs and their associated contingencies, as specified by FAC-014-2, Establish and Communicate System Operating Limits, R5.1.1 and R5.1.3.”  Criterion 2.6 reads “Generation at a single plant location or Transmission Facilities at a single station or substation location that are identified by its Reliability Coordinator, Planning Coordinator, or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.”

I had three entities contact me about this, in a state of great confusion.  “WTF?”, one asked (I assume he was referring to the Western Transmission Forum).  What is going to be in scope?  Just the AVR system?  The unit it’s part of?  The entire plant?

There were evidently a lot of questions raised about this email, since a new, longer one followed a few weeks later.  Its heart was this sentence: “NPCC indicated that its expectation is that because AVR/PSS status is the specific component of a generator that is critical to the derivation of IROLs, Generator Operators must protect the generator’s primary means of transmitting AVR/PSS status to ISO-NE under CIP-02-5.1 as a Medium Impact BES Cyber Asset.”

This email was more comforting.  It said that NPCC (the NERC Regional Entity that includes New England) “expected” that AVR/PSS would have to be a Medium BES Cyber Asset.  The implication was that neither the whole plant, nor even just a unit, would be Medium impact; just the AVR/PSS system(s) themselves.[i] 

The post linked above recounts in great detail a discussion I had at the WECC CIP User Group meeting at the end of January about this issue – with a senior NERC staff member and two gentlemen from one of the generation entities that received this email – as well as my own conclusions later on.  To summarize these (actually, to go beyond what I said in the post):

  1. None of the bright-line criteria actually apply to BES Cyber Systems.  Rather, they apply to either assets or Facilities.  The preamble to Section 2 of Attachment 1 says that BCS “associated with any of the following” – meaning BCS associated with the assets or Facilities referred to in the 2.X criteria – are Medium impact.   This shows that ISO NE was wrong in asserting that the AVR/PSS systems would be Medium BCS under 2.6.  Criterion 2.6 itself (as well as all the other High and Medium criteria) just tells the entity that an asset or Facility is Medium impact; it is up to the entity to identify the BCS associated with that asset/Facility, which will then be Medium BCS.  So we need to look at the subject of 2.6 to find out what assets or Facilities that criterion is actually designating as Medium impact.  If an asset or Facility doesn’t meet one of the Medium criteria, then none of the BES Cyber Systems associated with it will be Mediums, unless they happen to be associated with another asset/Facility that does meet one of the Medium criteria.
  2. Unfortunately, the Standards Drafting Team didn’t do anybody a favor by simply using the word “Generation” in the subject of 2.6.  This isn’t a NERC defined term, but comparing 2.6 to the use of “Generation” in criterion 2.1 leads me to conclude that only the entire plant can be designated Medium when you simply use that word (without “Facilities” following it). Yet it was also quite clear from the second email that ISO NE and NPCC weren’t trying to designate the entire plant as Medium impact. 
  3. But let’s move on.  Since the emails clearly weren’t considering “Generation” in 2.6 to mean the whole plant (which is of course an “asset”), this means they were considering it to mean “Generation Facilities”.  This sounds somewhat plausible, given that the second part of the subject of 2.6 is “Transmission Facilities”, and because the SDT actually said in the Guidance section that 2.6 refers to “Generation Facilities”[ii].   On the other hand, if the SDT meant for 2.6 to refer to “Generation Facilities”, why doesn’t it SAY that?  In any case, I’m willing to stipulate that “Generation” in 2.6 is really shorthand for “Generation Facilities”.
  4. If 2.6 really applies to Generation Facilities, there is a clear way for the ISO NE emails to be legitimate: if the AVR is really a Facility, not a system.  Then the AVR is Medium impact by 2.6, and the BCS associated with it are Medium BCS.  This is what I was thinking when I wrote the post linked above.
  5. However, a very experienced NERC compliance manager from a large electric utility (whom I have known for a long time, and who I believe suffered through one of the first – and most chaotic - CIP audits in the country – a very interesting experience, as he recounted to me at the time) disabused me of this notion in an email.  He made quite clear that AVR is a system, not a Facility.  If you’re having trouble thinking of an example of a case where a system would be separate from a Facility, think of a relay controlling a line in a substation.  The line is the Facility, while the relay is the BES Cyber System.  If the Facility is a Medium (say, it’s a 500+kV line at a Criterion 2.4 substation), then the relay is a Medium BCS.  In the case of AVR, there is no Facility (as I had thought); AVR is just a cyber system that is associated with a Facility called a generating unit, and also with a generating plant.  AVR can only be Medium impact if the entire plant or the unit becomes Medium impact under Criterion 2.6.
  6. Because the AVR system doesn’t have any “status” of its own in Criterion 2.6 (i.e. it can’t itself be the subject of the criterion, as ISO NE seems to want it to be), ISO NE’s emails don’t comply with the wording of R1 and Attachment 1; they are meaningless as a guide to compliance for the entities that received them.
So what does this all mean for the question of what – if anything – has been designated Medium impact by the two ISO NE emails?  There are just three “legal” outcomes to this analysis – meaning outcomes that comply with the wording of CIP-002-5.1 R1 and Attachment 1.  They all involve ISO NE rewriting or rescinding its emails:

  1. Since the best interpretation of 2.6 is that “Generation” refers to the entire plant, if ISO NE is so concerned about protecting AVR, they need to resend the email and tell the generators their AVRs will be Medium BCS since they’re associated with a plant that meets Criterion 2.6.  Therefore, all the BCS associated with the plant need to be treated as Medium impact as well (hey, don’t blame me for saying this.  I’m trying to state what Attachment 1 says).
  2. Since the second best interpretation of 2.6 is that “Generation” really is shorthand for “Generation Facilities”, if ISO NE is so concerned about protecting AVR but doesn’t want to make the whole plant Medium, they need to resend the email and tell the generators their AVRs will be Medium BCS since they’re associated with a Facility (i.e. the unit[iii]) that meets Criterion 2.6.  Therefore, all the BCS associated with the unit need to be treated as Medium impact as well.
  3. If ISO NE decides that protecting the AVR systems isn’t important enough to require entire plants or units to be declared Medium impact, they need to send out an email saying the two previous emails are null and void.  Thus, unless the plants or units in question have another reason to be considered Medium impact, they will remain Lows, and the AVR systems will be Low BCS.
But I can almost guarantee you that none of these three outcomes will actually come to pass.  ISO NE is determined to protect the AVR systems, but I’m sure they’re also determined not to force most of the plants in their footprint to be declared Medium impact.  How can this problem possibly be solved legally?

It can’t be solved legally.  Either NERC will make some sort of “ruling” that ISO NE and NPCC are right, and just the AVR systems are Medium BCS, or (and I’m sure this is the preferred course of action) none of the parties will say anything at all beyond the emails in question (I understand there were one or two further emails, but I think they just supported ISO NE’s position). 

Which outcome do I hope for?  The second option is very bad because it leaves so much uncertainty for the generators.  I hope NERC simply makes a “ruling” that the AVR systems in this case are Medium BES Cyber Systems, for no reason having to do with the wording of Criterion 2.6 (since there is no way that 2.6 could be made to fit this ruling).  As I’ve said repeatedly, we’re well beyond the point where we need to think of CIP-002-5.1 R1 and Attachment 1 as being fixed “Requirements” that have a right and wrong interpretation – and for which entities can be assessed PVs for making the wrong interpretation.  That idea is soooo 2014.  Until CIP-002-5.1 R1 and Attachment 1 are rewritten (a three-year process at least), I am sure there will be no PVs assessed for good faith efforts to comply.

NERC, go ahead and issue your ruling, fatwa, Papal encyclical, whatever you want to call it.  You can base it on the Teachings of Don Juan, the Tibetan Book of the Dead, the Kabbalah, I am the Walrus, or any other sacred text you want.  Or you can not base it on any text at all – just say “This is so because we said it’s so.”  This last is my personal favorite, since it’s much closer to the truth than trying to come up with some spurious textual justification for your ruling.  The justification for doing this is that ISO New England feels strongly that the AVR systems need to be Medium impact BES Cyber Systems, but they don’t want to have the plants or units themselves be Mediums.  What further justification do you need?

However, NERC, please don’t pretend that what you’re doing in this ruling is somehow in line with CIP-002-5.1 R1 and the Rules of Procedure; it violates both of them.  But you know what?  Before long, you’ll be issuing these Attachment 1 rulings weekly or even daily – and they’ll all violate R1 and the ROP.  The bright-line criteria are a black hole, with each criterion leading to ten questions, those ten questions each leading to ten more, etc; each of these questions will require its own “ruling”, and Attachment 1 will provide guidance for almost none of them.  The good news, of course, is that you’ll all have job security until you retire.  Just keep those rulings coming!

I’m finished with this post, but there is a sequel coming soon.  In my email discussion with the NERC compliance manager I mentioned above as well as another entity, I began to see how this discussion fits into a Larger Picture; that Larger Picture perhaps points a way for the Attachment 1 criteria to be written in a more sustainable fashion (if the entire CIP-002 is rewritten).  And since I’m a Larger Picture kind of guy (that’s why you’re paying me, of course), I’m not going to let this thought drop.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.

[i] However, for some of the generators, this “clarification” was anything but comforting.  A couple of paragraphs down in the same email, ISO NE said they expected the “Responsible Entity to implement a process that considers the circuitry associated with the generator’s primary means of transmitting AVR/PSS status to ISO-NE as a Medium Impact BES Cyber System…”  This seems to say that all of the cabling associated with the AVR system, including the maze of cabling that connects it to the DCS, is Medium impact.  I know one entity that is tearing their hair out over this, since they have several plants that received these emails and protecting all of that cabling would be a nightmare.  But of course, cabling itself can’t be a BCS anyway – so technically this sentence is meaningless; but when you have ISO NE and NPCC making this meaningless statement, and you’re on the receiving end of the email, you need to make sure you deal with this now, rather than four years from now in an audit.

[ii] Of course, the SDT shouldn’t have capitalized “Generation” since it isn’t a defined term. It’s hard to understand how they could make a mistake like that.

[iii] A unit can be a Facility, but the entire plant can’t.  If you read the definitions of Facility and Element (which is included in the “Facility” definition), you’ll see that a Facility has to have terminals on it.  Multi-unit plants don’t have terminals, but the single units do.

Saturday, February 14, 2015

The Final Compliance Schedule for CIP v5.5

If you read yesterday's post, you'll know that CIP v7 has died an unlamented death after a mere three months in this cruel world; all of the v7 standards have now returned to being v6 ones (i.e. with either a "-6" or "-2" suffix).  

Since my post from last fall that set out the compliance schedule for the new CIP versions has been very popular, I decided just to revise it to reflect the change in standard names (there is no change in compliance dates), rather than write a new post; please go there for the record of the definitive compliance schedule for CIP v5.5.

When I originally wrote that post, I had to point out that, since the v7 implementation plan hadn't been finally approved by NERC, there was still the possibility of change to the plan.  However, with the v6 filing to FERC yesterday (which I won't link here, since the filing is 3300 pages, and doesn't contain anything new, other than the fact that v7 is gone), there is no longer any possibility of change to the v5.5 standards or implementation plan (except perhaps an errata filing), unless FERC orders them in the future.  So, for the first time since 2007, there are no longer any new CIP standards in development.  Whether that's good or bad is left as an exercise to the reader.

Friday, February 13, 2015

NERC Files CIP Version 6 with FERC, Grants Industry a Small Favor

Today, Friday the 13th (!), NERC filed CIP Version 6 with FERC.  The standards filed have of course been well known for a while, since they have been commented and balloted on.  But there was one surprise – a mildly pleasant one (but only mildly).

The most interesting aspect of this filing (pointed out to me by Lew Folkerth of RFC) is that CIP version 7 - which I welcomed last November – seems to have died a quiet, unlamented death, a mere three months after its birth.  Version 7, we hardly knew ye.  What was the cause of death?

Of course, that’s a long story (what isn’t a long story, in the NERC world?).  For those who may have become frustrated and stopped keeping score at home:

  1. In Order 791 in November 2013, FERC approved CIP v5 but ordered four changes to it.
  2. NERC’s rules state that no changes can be made to a standard once it has been approved.  Therefore the changes would have to go into a new version.
  3. There have been two previous occasions where NERC made changes to just parts of a CIP version – going from v2 to v3 and from v3 to v4.  In both cases, all the standards were “revised” to the new version level, even though just one standard was actually changed (CIP-006 in the former case, CIP-002 in the latter).  This meant that, going forward, entities had to comply with only one version.
  4. Because of the “version fatigue” that set in during the run-up to CIP v5 approval, where the entities were whiplashed by a version that looked something like CIP v5 (called CIP-010-1 and CIP-011-1, not to be confused with the CIP-010-1 and CIP-011-1 in Version 5), then by CIP v4, and finally by the CIP v5 we all know and love today, NERC staff members developed the idea that they would be strung up from the highest tree if they told the membership, “Guess what, we have a NEW CIP standard for you!”  
  5. Thus, even though NERC did put together a Standards Drafting Team and started work on the changes ordered by FERC, they called these changes the “CIP Version 5 Revisions”.  I at first assumed they were just going to rename all the v5 standards as v6 versions (i.e. CIP-002 through -009 would be “-6”, and -010 and -011 would be “-2”).  So I was dismayed when the new SDT released their first drafts of the revised standards last summer.  This was when I found that three of the standards - CIP-002, -005 and -008 – hadn’t been revised.  Since those standards remained at the v5 level, this meant that entities would have to comply with three v5 standards and seven v6 ones.   I thought, “This is terrible.  What could possibly be worse?”
  6. I got my answer to that question in November.  There had just been a crucial ballot on v6, where two of the four changes ordered by FERC had passed, but two hadn’t.  This put NERC in a bind, because FERC had mandated that two of the four changes (removing “Identify, Assess and Correct” as well as providing protection for “communications networks”) be submitted to them by Feb. 3, 2015.  Fortunately, the two that had passed were the ones with the deadline.  NERC thought at the time that there was no longer enough time to make adjustments so that the two standards that hadn’t passed - CIP-003 (Lows) and CIP-010 (Transient Electronic Devices) – could make it out of the balloting in time to be submitted before FERC’s deadline.  So they decided to submit to FERC the two changes that had passed first, then submit the remaining two once they had also passed the ballot.[i]
  7. But when NERC’s Board of Trustees approved a new set of standards with the suffix “-6”, this meant that the remaining standards – still being balloted - needed to be called v7.  And sure enough, in this post in November, I heralded the birth of CIP Version 7 – tongue firmly in cheek.  I followed this up with a post setting out the schedule for compliance with all three versions.
  8. But it turns out that NERC didn’t file v6 with FERC after the Board approved the standards last fall.  It seems the SDT moved quickly to address the issues in CIP-003 and -010, and got approval on the next ballot (there was still a final ballot required – which used to be called the “recirculation ballot” – but that was accomplished in January).  So the wizards at NERC realized that, with a little luck, they would be able to incorporate the v7 standards into the v6 filing, saving FERC the trouble of having to approve both versions, and NERC the embarrassment of having to explain why two approvals were needed in the first place.
  9. Of course, NERC didn’t quite meet FERC’s deadline of Feb. 3, since they just filed the standards today.  They had requested a ten-day extension from FERC in January.

Thus, what was filed today was both the v6 and v7 standards.  However, NERC put a nice flourish on this by getting the Board in January to also rename the v7 standards as v6 ones.[ii]  This means that all of the revised standards will be v6 ones – i.e. with suffixes “-6” or “-2”, not also “-7” or “-3”.

My first full-time boss was a man who always said, when some minor break had come his way or someone had made a big deal about conveying a minor benefit, “Thank God for small favors”.  This is how I look at this latest development.  It is certainly nice that the industry doesn’t have to comply with v5, v6 and v7, but only with v5 and v6.  It would of course be nicer if they only had to comply with v6 and not v5 at all, but that’s water under the bridge (the SDT co-chair admitted in their last webinar that they would have done things differently if they had it to do over again).   But I’ll take the small favor.

One point before I go.  A compliance person at a NERC entity said to me last week that they were getting ready to comply with CIP v5 “and then versions 6 and 7”.  I wanted to tell him that he was looking at it the wrong way.  He needs to look at CIP versions 5 and 6 as one version.  It has a complicated compliance schedule, I’ll agree (and the fact that all the new standards are v6 now, not v6 and v7, doesn’t change the compliance schedule at all); but the fact is that entities need to be working on compliance for all of the new standards, not just the three v5 ones.

To remind people of this need, I had named the “compliance version” of CIP as v6.3940 in November, reflecting the fact that most of the standards that entities have to comply with are v7 ones.  Since v7 is gone, I need to change that.  Last July, I named the unholy mixture of v5 and v6 as v5.5; I later revised that to v5.7879 (reflecting, again tongue-in-cheek, the fact that there are 7 v6 standards and just 3 v5 ones).  I could go back to either name, but since 5.5 is a little simpler to deal with, I’m going to – at least a lot of the time - start referring to the compliance standards as CIP v5.5, not v5.  Who knows, maybe it will go viral.

Feb. 14: I've updated my post from last November on the compliance schedule for the new CIP versions. I have removed all references to CIP v7 (which has now not only passed away, but officially become an "unperson" as in the novel "1984") and replaced them with the appropriate v6 references. Since I've heard some people actually did take my suggestion to print out the post and put it on their wall, I regret to say they will need to do that again.  Since there will be no more changes to CIP v5.5 (unless FERC orders them), I think you won't have to do this again.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.

[i] I’m leaving out a sordid detail here – the “-X” standards.  If you must read about this sorry event, you can do that here.

[ii] However, there needed to be another step for this to happen.  The v7 standards themselves needed to be renamed as v6, while the v7 Implementation Plan needed to be revised (so it only referred to “-6” and “-2” standards, with no “-7” or “-3” ones).  NERC seems to have done that, before they were ratified by the Board (but after the final ballot, which was for the v7 standards).  I personally wonder if the Board has the authority to amend standards – even for such a small change – without having another ballot.  In any case, I’m personally glad they did, and will be glad to testify in court in favor of the Board members, if they’re sued for this egregious violation of the NERC Rules of Procedure.

Thursday, February 12, 2015

Another Follow-Up to the ISO New England Post

I had an email conversation two days ago with a knowledgeable person about my post on the emails sent to generators by ISO New England.  The post pointed out that the emails advised the generators that their AVR systems and associated RTUs would be Medium impact BES Cyber Assets according to Criterion 2.6 in Attachment 1 of CIP-002-5.1.  However, the wording of 2.6 doesn’t support this assertion – rather, 2.6 seems to require the entire unit be Medium impact (and perhaps the entire plant).[i] 

I implied in the post that ISO NE (and probably NPCC, who participated in this discussion) didn’t really understand how R1 and Attachment 1 work.  The criteria don’t tell you what BCS are Medium impact; they tell you what assets or Facilities are Medium impact.  The entity then classifies BCS associated with those assets/Facilities as Mediums.

This party – who understands the nuances of CIP-002-5.1 R1 very well - tried to convince me in his email that in fact ISO NE’s position could be correct if you first attach the preamble to the criteria in Section 2 of Attachment 1 to Criterion 2.6 itself.  Criterion 2.6 will now read “Each BES Cyber System associated with generation at a single plant location or Transmission Facilities at a single station or substation location that are identified…”

He then made several transformations to this “sentence” (adding a couple commas, assuming “are” should really be “is”, making a change due to how NE ISO calculates IROLs, etc), and voila!  He came out with “Each BES Cyber System associated with generation at a single plant location or Transmission Facilities at a single station or substation location that are identified by its Reliability Coordinator, Planning Coordinator, or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.”

In other words, he’s saying the NE ISO analysis – designating two particular cyber assets as Medium BCS, but nothing else at the plant - makes sense if you just do this “simple” little manipulation of the wording of Criterion 2.6.  I told him that he deserved a medal from NERC for “Extraordinary Effort in Defense of the Wording of CIP-002-5.1”, but that he still hadn’t convinced me – for reasons which I won’t bother to put down here (since I’m determined to keep this post short, for a change).

But even if I didn’t have any objection to his logic, I would still have rejected it as a defense of ISO NE.  If they had really been thinking along the same lines as my friend, they would have put everything he said in their email; however, they didn’t.  The email didn’t even think to provide a justification for the designation of the two cyber assets as BES Cyber Assets; it was clear ISO NE didn’t understand CIP-002-5.1 R1 well enough to know they were wrong.

My point here isn’t to bash ISO NE.  In fact, a post I’ll do very soon will point out that not understanding CIP-002-5.1 R1 is by far the rule among all parties – NERC, the regions, the NERC entities – not the exception.  My point is that any standard that forces people to go through such contortions in order to identify its true meaning – requiring at least a Masters in Linguistics, a double-E degree, and an intimate knowledge of how different ISOs operate - is clearly not a “standard” at all.  NERC entities can’t apply it with any sort of certainty that they’re doing the right thing, and auditors can’t assess penalties for “violations” of wording that is as transparent as mud. 

Of course, other than that, I have no issues with CIP-002-5.1.  I think the font it’s written in is wonderful.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.

[i] As I said in the other post, I actually agree that the only option that makes sense is the one that ISO NE chose – just designating the two devices as Medium impact BCAs; however, this can’t be done while following the wording of Criterion 2.6.  The point of the post was that more and more decisions are being made by NERC and the regions (NPCC seems to have participated in this decision) in a purely ad hoc manner, because frankly that’s the only way that most decisions on the bright-line criteria will have to be made. And probably a lot of the decisions on other parts of CIP v5 as well (in fact, of course, the whole idea that NERC or the regions are making “decisions” on v5 is not in accordance with NERC’s rules.  Lessons Learned at least have some semblance of legitimacy in the Rules of Procedure; “decisions” have none).

Tuesday, February 10, 2015

Follow-up to Yesterday's Post - ISO New England's Confusing Emails

Referring to yesterday's post on ISO New England's emails to generators, it turns out the second ISO NE email may not have settled the matter of what's in scope at the plants in question.  One of the entities that I'd discussed this issue with told me today they are very concerned about the following wording in that email:

"If ISO-NE identifies a generator for which its AVR/PSS status is critical to the derivation of IROLs, this triggers an obligation under CIP-002-5.1 for the Responsible Entity to implement a process that considers the circuitry associated with the generator’s primary means of transmitting AVR/PSS status to ISO-NE as a Medium Impact BES Cyber System..."

If "circuitry" means the wiring that connects the AVR system to the DCS, that is a big deal - I guess that wiring is quite complex.  If the entity needs to put special physical protections on that wiring, it would be expensive and a big effort.

To be honest, when I read this at first, I thought "circuitry" referred to the RTU, which - along with the AVR computer itself - is definitely part of the BES Cyber System that needs to be protected.  But the next paragraph in the email addresses the RTU, so I was wrong about this.

As with a couple other statements in the email, the reference to circuitry being a BCS doesn't make sense.  Wiring isn't a cyber asset; it therefore can't be part of a BES Cyber System.  It would receive physical protection if it were part of an ESP - i.e. connecting two or more Cyber Assets within the ESP.  However, if just the AVR system and the RTU are BCS (or they're part of one BCS), the ESP will just enclose them - so the PSP would presumably just enclose them as well (I know one entity that is literally discussing putting a box around the AVR and the RTU).

Thus, in order for physical protection of the wiring between the AVR system and the DCS to be required, both the DCS and the AVR would need to be Medium impact BES Cyber Systems.  And since the DCS is the heart of the control systems in the plant, if you're making that a Medium, you're essentially making everything in the plant Medium impact - either as a BCS or a Protected Cyber Asset.  Yet this clearly isn't what ISO NE intended.

It would have been nice if they'd left the "circuitry" word out of the email.  As it is, the entity I mentioned is now investing a lot of effort into getting this issue resolved with NERC.

And of course, this will lead to another ad hoc ruling, as discussed in yesterday's post. Problems with the bright-line criteria are like the Hydra: you cut off one head and two more grow back.  Except I think it's more than two when you're dealing with the BLC.  The BLC have the Hydra licked, hands down.

Monday, February 9, 2015

Making it up as they Go along, Part I: the ISO New England Affair

I have had a number of epiphanies over the course of writing this blog and examining/reporting on CIP version 5.  I had another one last weekend after I had written my post on the WECC CIP User Group (CIPUG) meeting in Anaheim.  It concerned a couple of private discussions of an issue that was never brought up at the meeting itself.

Here’s the issue: In January, I had three entities with generation assets in New England independently approach me with the same question (two earlier in the month, one at the CIPUG itself).  They had all received an email from the ISO New England that said:

“In accordance with Criterion 2.6 of NERC Standard CIP-002-5, ISO New England has determined that Generation Facilities represented by your company have an AVR and/or PSS (if equipped) that is critical to the derivation of IROLs and their associated contingencies, as specified by FAC-014-2, Establish and Communicate System Operating Limits, R5.1.1 and R5.1.3.” 

For those of you who (like me) aren’t generation gurus, AVR refers to “automated voltage regulator” and PSS is “power systems stabilizer”.  These are systems that can regulate voltage when it gets out of a certain range required for stability of the grid.  IROLs - “Interconnection Reliability Operating Limits” - are defined in the NERC glossary as

“The value (such as MW, MVar, Amperes, Frequency or Volts) derived from, or a subset of the System Operating Limits, which if exceeded, could expose a widespread area of the Bulk Electric System to instability, uncontrolled separation(s) or cascading outages.”

Evidently ISO NE requires most (or even all) generators to have an AVR system, as well as an RTU to report its status back to ISO NE.  To make a long story short, it seems that knowing the status of these systems is required for ISO NE to derive IROLs.  The email is saying that “Generation Facilities” with AVR fall under Criterion 2.6 of Attachment 1 of CIP-002-5.1 as Medium impact.  The criterion reads:

“Generation at a single plant location or Transmission Facilities at a single station or substation location that are identified by its Reliability Coordinator, Planning Coordinator, or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.”

All three entities reached out to me because they wanted to know what ISO NE meant would be in scope as Medium impact.  Was it the whole plant?  The unit?  Or just the AVR system?  Two employees of one of these entities brought this up to me at the CIPUG, which they were attending because they also have assets in WECC.  After discussing it with them separately at dinner, we all (by chance) ended up discussing it the next day at a break, with a high-ranking NERC staff member who was attending the meeting.

Let me be clear before I go any further that my interest in this discussion isn’t primarily how it turned out, although I will tell you now that all three parties – the entity, myself and the NERC staff member –ended up in agreement on how this email should be interpreted (and a later email from ISO NE reinforced that conclusion).  My interest in this case (perhaps “fear and dread” is a better term) has much more to do with the process by which this “decision” was made.  The epiphany I experienced was the realization that, at least as far as the Attachment 1 criteria go, this process will probably not be the exception but the rule – in other words, between now and 4/1/16 the only way of addressing questions about application of the bright-line criteria (and perhaps in other areas of CIP v5 as well, like CIP-002-5.1 R1 and CIP-005-5 R1) will be through ad hoc “rulings” – not Lessons Learned, FAQs, etc.  This deals a further blow to any small hope I may still have had that CIP-002-5.1 (and perhaps one or more other v5 standards) can ever be a clear-cut, enforceable standard.  It also shows that NERC and the regions are simply making up their approach to CIP v5 implementation as they go along – it is now way too late to deal with these issues in the “proper” way.

Now that I’ve told you the punch line of this post, you’re free to go.  However, if you want to know why I came to this conclusion, you can read on.

I’m sure a lot of entities had questions about the ISO NE email, since the ISO subsequently sent a follow-on email.  Because these two emails were obviously sent to the same large number of entities, I have no ethical qualms about discussing and quoting their contents.  The email described a conversation among representatives of ISO NE, NPCC (which is, of course, the Regional Entity covering New England) and a large integrated utility.  The heart of the email was this sentence:

“NPCC indicated that its expectation is that because AVR/PSS status is the specific component of a generator that is critical to the derivation of IROLs, Generator Operators must protect the generator’s primary means of transmitting AVR/PSS status to ISO-NE under CIP-02-5.1 as a Medium Impact BES Cyber Asset.”

In other words, neither the entire plant nor even one unit is Medium impact under Criterion 2.6; just the AVR/PSS system (and its RTU) is.  At the WECC meeting, I, the entity (not the one referred to in the above email) and the NERC staff member all agreed this was the right approach from the standpoint of protecting the grid, as well as not requiring a lot of unnecessary compliance expense by a large number of generation entities.[i]

So is everybody happy?  It seems so – everybody but me.  Because I insist on asking a silly question: Is this “ruling” actually in compliance with the wording of CIP-002-5.1 R1, Attachment 1, and Criterion 2.6?  The answer to that is “no”.  I do agree with the outcome of our discussion (and the second email from ISO NE), but it is clear to me that this outcome was achieved in a completely ad hoc manner, without any close attention to how the standard is written.  And as I mentioned above, I fear this method of determining questions about the bright-line criteria will become the rule, not the exception.

Let’s go back to the discussion between the entity, me and the NERC staff member.  The entity started out by saying they thought the original ISO NE email (neither I nor the NERC staff member had heard of the second email at this point) meant that only the AVR system and the RTU were Medium impact – and that they were Medium impact BES Cyber Systems.

The NERC staff member’s initial reaction was that either the whole plant or a single unit was Medium impact.  I believe he said that because he subscribes to the mistaken (but widely held) belief that the Attachment 1 criteria refer to assets of the six types listed in R1 (control centers, Transmission substations, etc).  Needless to say, “AVR systems” isn’t one of those six asset types.  Moreover, the email said “ISO New England has determined that Generation Facilities represented by your company have an AVR…”  Whatever “Generation Facilities” means, it can’t be the same as the AVR system; otherwise, the email wouldn’t talk about Generation Facilities having an AVR.  Therefore, the NERC staffer said what he did: the plant (or the unit) is what is Medium impact.

This was met by a horrified reaction from the entity, since if that “ruling” had stood, it might have easily added $1MM or more to their CIP compliance costs (and to those of every other generator that received the email).  At this point, I helpfully piped up to say that, since Criteria 2.3 – 2.8 all refer to “Facilities”, and since AVR might meet the NERC definition of Facility[ii], then the email made sense.  In essence, the email was saying “You have a generation Facility – AVR – that is subject to Criterion 2.6 since it is essential to our derivation of IROLs.”

But how would this lead ISO NE to conclude that the AVR system is a Medium impact BES Cyber Asset?  Presumably because Criterion 2.6 would make it so.  But how does it do that?

Let’s look at the context of all of the Medium impact criteria (i.e. all the 2.X ones).  They are all prefaced with the somewhat mysterious phrase “Each BES Cyber System, not included in Section 1 above, associated with any of the following:”  This phrase is logically preceded by requirement part 1.2, which reads “Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset.”  In other words, this whole chain means “The entity has to identify and classify BES Cyber Systems that are associated with...” (whatever Criterion 2.6 talks about).  What does 2.6 talk about, anyway?

As I mentioned above, a lot of people – including, unfortunately, many in the NERC regions and in NERC itself[iii] – will tell you that the Attachment 1 criteria apply to BES “assets”[iv] that correspond to one of the six types listed in CIP-002-5.1 R1: control centers, Transmission substations, etc.  This is absolutely not true (I have discussed why this is so in a few posts, including this one under the heading “Have an Apple, Adam?”  I hope to devote an entire post to this fallacy in the future).  The only definitive statement that can be made about what the bright-line criteria refer to is that they refer to their subjects.[v]  A less definitive - but more instructive - statement would be that the criteria refer to a) “assets” (including but not necessarily limited to the six types in R1); b) “Facilities” (a NERC defined term); or c) subjects of some of the Medium criteria that meet the definition of Facilities (like SPS, RAS or load-shedding systems) without using that word (I’m referring most specifically to Criteria 2.9 and 2.10).  Even better, just don’t worry about what the criteria refer to.  They refer to what they refer to, period.  But they definitely refer to a lot more than the six asset types; if you don’t believe me, read them and see for yourself.

To return to our discussion, the “subject” of 2.6 is “Generation at a single plant location or Transmission Facilities...”  Since we’re not talking about Transmission Facilities here, ISO NE must have been considering “Generation at a single plant location” to be the operable part of 2.6 for the purpose of their email notification.  What does this phrase mean?

The word “generation” is used in two other criteria: 2.3, where it appears as “Each generation Facility” and 2.1, where it appears as “Commissioned generation, by each group of generating units at a single plant location…”  Given this, it seems pretty clear that the above phrase in 2.6 means either the whole plant or at least a single unit - i.e. the interpretation the NERC staffer originally gave.  If he was right that the email referred to the whole plant or at least one unit, this would mean that every BES Cyber System associated with the plant or unit would be Medium impact; this of course might be quite a lot.

But since I was convinced (not having the criterion in front of me at the time, but having read it a few times before) that  Criterion 2.6 referred only to “Facilities”, and since I knew that a single system could be a Facility (as in the case of some SPS and RAS systems), I thought that the AVR “system” (meaning the hardware that actually implements its purpose, as well as the cyber assets that control and/or monitor the hardware) was what was Medium impact – i.e. the system was a “generation Facility”.  Of course, my position was supported by the fact that the email referred to “Generation Facilities”[vi].  All three parties agreed this was the right conclusion, and we returned to the NERC meeting, happy[vii] that we had made our own small contribution to the jurisprudence of NERC CIP Version 5.

However, when I actually reread Criterion 2.6 afterwards, I realized I had been wrong.  I had been thinking it read something like “generation and Transmission Facilities” – in other words, “generation Facilities and Transmission Facilities”.  However, it reads “Generation at a single plant location or Transmission Facilities…(my emphasis)”  If the SDT had wanted the first part to mean “Generation Facilities” they would have used those words.[viii]  On the other hand, “Generation at a single plant location” almost certainly means the whole plant or at least a unit (and of course, the AVR system can’t be considered “generation”.  By itself, it doesn’t generate anything, except perhaps compliance uncertainty). 

So the NERC staffer had been right in the first place, and shouldn’t have changed his mind, at least as far as the wording of the criterion is concerned.  However, given that the two employees of the registered entity that had received the email were quite passionate that this was the wrong answer – and given that they were both fairly big guys – it is understandable that he changed his mind (especially when I chimed in with my opinion supporting the two guys.  NERC staff members always defer to what I say without question :)).

I was going to deliver this bad news to the entity the week after the CIPUG.  That is, I was going to say I had been wrong and the NERC staffer should have stuck with his first interpretation: either the whole plant or at least one unit would be Medium impact.  However, one of the entity employees forwarded me the second email from ISO NE – which said unequivocally that the AVR system (with its RTU) was a Medium impact BCS[ix], and this was the only system that would have to be so designated.  That settled the matter, as far as I was concerned.  This also saved me the embarrassment of having to tell this entity I was wrong (which rarely happens, of course).

But the fact is that I was wrong, and the NERC staff member was right in his original “ruling”: the whole unit is Medium impact if you go by the actual wording of Criterion 2.6.  Yet is this staff member going to raise a stink and insist to ISO NE and to the generation entities that this is the case?  I highly doubt it, not because he’s a coward but because a) ISO NE has issued their “ruling” in the second email; and b) the ISO clearly made the right decision from a purely practical point of view:  What needs to be protected to solve this IROL issue is the AVR system, nothing more.[x] 

At Long Last, the Conclusion
So what is the point of this long and seemingly pointless narrative?  After all, I’ve said I agree that the final “decision” – made in our informal meeting at WECC as well as in the ISO NE email – was a good one.  What’s my beef?

My beef is that this was such an arbitrary process, and one that is totally unsupported by the wording of CIP-002-5.1.  It is clear that none of the Attachment 1 criteria apply to BES Cyber Systems directly; rather they apply to Facilities and assets, as I said above.  Once you’ve identified the asset/Facility as Medium impact (using the criteria), then you find the BCS “associated” with it and classify those as Medium BCS.  For ISO NE to say that the generation entity is required to identify particular Cyber Assets (the AVR system and its RTU) as Medium BES Cyber Assets betrays – frankly – a lack of understanding about perhaps the fundamental component[xi] of the asset identification and classification process in CIP Version 5.[xii]  As for the fact that NPCC – who presumably approved of the second email, since they were one of the three parties at this meeting – also showed this lack of understanding…well, I can only say I don’t ultimately blame them either.  I do blame CIP-002-5.1, because its many inconsistencies and contradictions are at the heart of this problem. And I blame NERC for continuing to forge ahead with implementing this standard as these problems become more and more evident (see "programmable", "adversely impact", "reliability purposes", etc).

Moreover, it was obviously very arbitrary for the NERC staff member (a very prominent member of the CIP team) to first state the correct answer in our conversation in Anaheim, then back off when he got opposition.[xiii]  To be politically correct, I should reprimand him for even trying to give an answer; instead, he should have said he’d take this issue back to the NERC Transition Advisory Group, so they can put it on their list of Lessons Learned they intend to write. 

But I certainly understand why he wouldn’t want to do that, either.  It would be many months – if not longer – before the TAG could get to this issue, and then it would take months to draft the Lessons Learned document, post it for comment, and finalize it.  Given all of this, there will probably only be a few months between when it’s finalized and April 1, 2016; what good does it do anyone to release it then?[xiv]  In fact, except for a few questions for which Lessons Learned will soon be finalized, it’s probably now better for NERC to put off any new Lessons Learned (or other general “rulings”) on CIP-002-5.1 R1 and Attachment 1, and just issue individual rulings on particular issues (even applying to single entities, if that’s needed).

In other words, given that NERC has this deeply flawed standard, and that it is now too late to change it without a huge upheaval[xv], probably the only way it can be implemented – given the many problems with the Attachment 1 criteria – is to do exactly what NERC and the regions seem to be doing, and will do more and more in the near future: make individual ad hoc “rulings” to resolve particular issues.  These rulings may sometimes be for the entities in a particular ISO footprint; they may sometimes be for entities in a certain region; and I’m sure they’ll sometimes be for particular entities all by themselves.  This is going to happen more and more, and is already starting to happen.  Of course, I’ll document those instances when I find them; I’m sure I won’t have to look too hard (I already have one other example that will appear in one of the next posts in this series).

Of course, it’s kind of hard to call CIP a “standard” when its interpretation is done in an ad hoc manner.  Maybe NERC can figure out another name.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.

[i] I have no idea how applicable this “ruling” will be in other NERC regions or other ISO footprints.  Such a discussion is above my pay grade.

[ii] Whether it does or not would be an interesting question, since I think a Facility would have to be operated at high voltage and have terminals on it.  I’ve never seen an AVR system, so I don’t know whether or not that is the case.  Fortunately, the answer doesn’t matter for this post.

[iii] And myself, up until around this time last year.

[iv] With “assets” being an undefined term, commonly used in the industry to refer to “big iron”: substations, generating stations, control centers, etc.

[v] Although someone pointed out to me that the Attachment 1 criteria don’t have subjects, since they aren’t sentences in the first place.  However, even I have to draw the line somewhere.  I say they have subjects, and I won’t attempt to justify this.  If you want to fight about this, just name the time and place and I’ll be sure (not) to be there.  Of course, the ultimate arbiter of intellectual disputes used to be the dueling pistol.  Fortunately, I don’t believe they make those anymore.

[vi] Of course, ISO NE shouldn’t have capitalized “Generation”, since it isn’t a NERC defined term.

[vii] As I said in my previous post, there was a lot of fantasy going on at that meeting, including by yours truly.  These fantasies allowed people – NERC entities, NERC and WECC staff members, and consultants like me - to go away feeling they’d made a lot of progress at the meeting.  Whatever gets you through the day is OK with me (with some exceptions)…

[viii] This is supported by the fact that Criterion 2.3 refers to “Each generation Facility”.  The SDT could have easily used exactly the same phrase in 2.6, had they wanted to mean that.

It was pointed out to me that the Guidance and Technical Basis for CIP-002-5.1 does pretty clearly imply that the SDT meant to say “generation Facilities”, when it says “Criterion 2.6 includes BES Cyber Systems for those Generation Facilities…”  Of course, the SDT shouldn’t have capitalized “Generation” here.  Leaving that quibble aside, it is quite distressing that they would state so clearly in the Guidance that they meant “generation Facilities” in 2.6, and then quite deliberately use a different phrase in the Criterion itself.  

And since I’m in a conspiratorial mindset at the moment, and I’m in a footnote that nobody who has anything better to do will read (this means you, by the way), I’ll expand on my theory about why the SDT might have made this “error”.  The NERC definition of Facility reads “A set of electrical equipment that operates as a single Bulk Electric system Element (e.g., a line, a generator, a shunt compensator, transformer, etc.)”  Since “generator” is the only one of those terms that applies to a generating plant, this could easily be taken to indicate that, in the context of a generating station, “Facility” would refer to at least a unit of the plant (since a unit is the smallest part of the plant that could be called a “generator”).  Thus, had the SDT used the words “generation Facility” in Criterion 2.6, this might have been taken to mean simply “generation unit”.  This means that notices like the one from ISO NE might have been taken to mean a whole unit was in scope, thus substantially increasing compliance costs for generation entities; ergo the SDT didn’t want to use the term “generation Facilities” in 2.6.

While I’m on a roll, I’ll continue.  I think it’s quite unfortunate that the SDT used the non-defined term “generation” three times in Attachment 1, each time to mean something different.  In Criterion 2.1, the term definitely means an entire generating plant.  In 2.3, it is part of the term “generation Facility”, and clearly means one or more individual units in a plant.  Yet in 2.6, the SDT seems to have wanted to say “generation Facility” (and did say that in the Guidance), but, perhaps because of the consideration just mentioned, they didn’t.  I think this is because they wanted to make the phrase “Generation at a single plant location” in 2.6 apply to other generation Facilities (like AVR), not just the units themselves.  I don’t know whether the SDT thought it was being pretty cool by using the same term in three different ways, but it certainly introduced even more confusion into the bright-line criteria (I’ve already complained several times about the fact that the SDT tried to be far too parsimonious with words, and ended up making CIP-002-5.1 R1 essentially unenforceable).

[ix] Both the first and second notes actually said that the AVR “system” was a BES Cyber Asset.  They should really have said BES Cyber System, since the AVR system includes the AVR computer itself and the RTU.

[x] Of course, some argue that the bright-line criteria are way too lenient on generating plants, since the only plants that are clearly Mediums are those over 1500MW.  Whether or not that’s true, it’s a different issue.

[xi] The ISO NE email provides an even more egregious demonstration of lack of understanding of CIP v5.  The last paragraph contains this sentence: “If an entity receives a notification that a generator is critical to the derivation of IROLs and that notification does not specify any particular component that is critical, then entities would have to consider CIP protection for the entire station as a Medium Impact BES Cyber System.”  So they’re saying that an entire generating station could be a BES Cyber System!  Let’s see…a BCS is made up of BCAs, which are themselves Cyber Assets.  Where do the turbines or the boiler fit into this?  I never thought of them as cyber assets before.  Again, I don’t particularly blame ISO NE; it simply shows the magnitude of misunderstanding that’s out there about the v5 asset identification/classification process, including at some entities that play key roles in the process of implementing v5.

[xii] I will admit there is a chance that the assertion in the email that the AVR should be a Medium BCS under 2.6 doesn’t mean that ISO NE misunderstood how CIP-002-5.1 R1 is supposed to work.  It may mean they have realized that the general understanding of the word “generation” in 2.6 meant that the AVR system couldn’t fall under that criterion – and the whole plant or unit would have to be Medium impact; so designating the AVR a Medium BCS, however “illegal” given the wording of the standard, was the only way to achieve the result they wanted (and as I’ve said, even I agree that this is the best result).  I would give this possibility more credence if ISO NE hadn’t also made the error described in the previous footnote.

[xiii] It may seem odd that I’m reprimanding this NERC staffer for changing his opinion to the one I was advocating in Anaheim – and which I still say is the best decision from a reliability and resource efficiency point of view.  But hey...I don’t want NERC to change its “rulings” based on something I or anybody else says (and because of this staffer’s position in NERC, what he said will definitely be taken by the entity as definitive and will probably be proudly recounted by the entity in the future, should how they handled the AVR issue be questioned in an audit).  I want NERC to rule based on what the standard says.  And if the standard is too poorly written for them to be able to properly address the issue at stake, I want them to admit that and write a SAR for a new standard.

[xiv] In fact, I would argue that NERC needs to stop producing all Lessons Learned (at least on CIP-002-5.1) at some point in time before the compliance date.  This is because it can be literally counterproductive for these documents to come out too late.  For example, I’ve written about the need for clarification on the meaning of “affect the BES” in the definition of BES Cyber Asset.  NERC doesn’t even have this on their list of planned Lessons Learned, and at this point I’d tell them not to bother putting it on.  An entity with High or Medium impact assets needs to be working now on identifying their BES Cyber Assets; since NERC hasn’t come out with any guidance on this issue, entities need to “roll their own” now – as I’ve been saying in a number of posts.  Were NERC to come out with a Lessons Learned in say November, what good would that do – except to call into question the whole asset identification process at the entity, long after it is too late for the entity to make any changes to the list of BES Cyber Assets/Systems?  It’s now better to just wait until after 4/1/16 to start more Lessons Learned on CIP-002, unless they can be finalized by this summer.  Even better, NERC should take up my suggestion to push the compliance date back by a year, so that more LL’s can be developed in time for them to actually do some good.

[xv] I continue to assert that CIP-002-5.1 needs to be rewritten.  This will require an admission of a huge failure on NERC’s part.  Organizations in general – and NERC is certainly no exception – are always very reluctant to take such a step.  But I’m willing to bet that in six to nine months’ time, the situation may have changed to the point that this doesn’t look like such a crazy suggestion.