I had an
email conversation two days ago with a knowledgeable person about my post
on the emails sent to generators by ISO New England. The post pointed out that the emails advised the
generators that their AVR systems and associated RTUs would be Medium impact
BES Cyber Assets according to Criterion 2.6 in Attachment 1 of CIP-002-5.1. However, the wording of 2.6 doesn’t support
this assertion – rather, 2.6 seems to require the entire unit be Medium impact
(and perhaps the entire plant).[i]
I implied in
the post that ISO NE (and probably NPCC, who participated in this discussion)
didn’t really understand how R1 and Attachment 1 work. The criteria don’t tell you what BCS are
Medium impact; they tell you what assets or Facilities are Medium impact. The entity then classifies BCS associated
with those assets/Facilities as Mediums.
This party –
who understands the nuances of CIP-002-5.1 R1 very well - tried to convince me
in his email that in fact ISO NE’s position could be correct if you first attach
the preamble to the criteria in Section 2 of Attachment 1 to Criterion 2.6
itself. Criterion 2.6 will now read “Each
BES Cyber System associated with generation at a single plant location or
Transmission Facilities at a single station or substation location that are
identified…”
He then made
several transformations to this “sentence” (adding a couple commas, assuming “are”
should really be “is”, making a change due to how NE ISO calculates IROLs, etc),
and voila! He came out with “Each BES
Cyber System associated with generation at a single plant location or
Transmission Facilities at a single station or substation location that are
identified by its Reliability Coordinator, Planning Coordinator, or Transmission
Planner as critical to the derivation of Interconnection Reliability Operating
Limits (IROLs) and their associated contingencies.”
In other
words, he’s saying the NE ISO analysis – designating two particular cyber
assets as Medium BCS, but nothing else at the plant - makes sense if you just
do this “simple” little manipulation of the wording of Criterion 2.6. I told him that he deserved a medal from NERC
for “Extraordinary Effort in Defense of the Wording of CIP-002-5.1”, but that
he still hadn’t convinced me – for reasons which I won’t bother to put down
here (since I’m determined to keep this post short, for a change).
But even if
I didn’t have any objection to his logic, I would still have rejected it as a
defense of ISO NE. If they had really
been thinking in the same lines as my friend, they would have put everything he
said in their email; however, they didn’t.
The email didn’t even think to provide a justification for the designation
of the two cyber assets as BES Cyber Assets; it was clear ISO NE didn’t
understand CIP-002-5.1 R1 well enough to know they were wrong.
My point
here isn’t to bash ISO NE. In fact, a
post I’ll do very soon will point out that not understanding CIP-002-5.1 R1 is
by far the rule among all parties – NERC, the regions, the NERC entities – not the
exception. My point is that any standard
that forces people to go through such contortions in order to identify its true
meaning – requiring at least a Masters in Linguistics, a double E degree, and
an intimate knowledge of how different ISO’s operate - is clearly not a “standard”
at all. NERC entities can’t apply it
with any sort of certainty that they’re doing the right thing, and auditors can’t
assess penalties for “violations” of wording that is as transparent as
mud.
Of course,
other than that, I have no issues with CIP-002-5.1. I think the font it’s written in is
wonderful.
The views and opinions expressed here are my
own and don’t necessarily represent the views or opinions of Honeywell.
[i]
As I said in the other post, I actually agree that the only option that makes
sense is the one that ISO NE chose – just designating the two devices as Medium
impact BCAs; however, this can’t be done while following the wording of
Criterion 2.6. The point of the post was
that more and more decisions are being made by NERC and the regions (NPCC seems
to have participated in this decision) in a purely ad hoc manner, because frankly that’s the only way that most
decisions on the bright-line criteria will have to be made. And probably a lot
of the decisions on other parts of CIP v5 as well (in fact, of course, the
whole idea that NERC or the regions are making “decisions” on v5 is not in
accordance with NERC’s rules. Lessons
Learned at least have some semblance of legitimacy in the Rules of Procedure; “decisions”
have none).
No comments:
Post a Comment