Friday, February 20, 2015

Episode 4: ISO New England and the Emails of Doom

This is my fourth and (probably) final post in a series of posts (starting with this one) about two emails that ISO New England sent out to generators in their area.  The emails stated that generators need to protect…well, what they have to protect is the issue, let’s just say they need to protect something…as Medium impact under Criterion 2.6 in Attachment 1 of CIP-002-5.1.

I’m interested in these emails primarily because they have created a big stir among the generators that received them (including a customer of mine); at least some of the generators are very concerned that they may end up with entire units or even plants becoming Medium impact - when they hadn’t even considered that could happen, and when there are just about 13 months left before the compliance date.  However, I’m also interested because these emails illustrate the very serious problems that are going to keep coming up with CIP-002-5.1 R1 and Attachment 1 as entities get down to the nuts and bolts of actually complying. 

To save you the time required to read my first post about this topic, I will summarize what in it was relevant for this post (it is still worth reading, and will undoubtedly take its place among the great blog posts of all time):

In December, ISO New England sent to a number of generators in their area an email that read “In accordance with Criterion 2.6 of NERC Standard CIP-002-5, ISO New England has determined that Generation Facilities represented by your company have an AVR and/or PSS (if equipped) that is critical to the derivation of IROLs and their associated contingencies, as specified by FAC‐014‐2, Establish and Communicate System Operating Limits, R5.1.1 and R5.1.3.”  Criterion 2.6 reads “Generation at a single plant location or Transmission Facilities at a single station or substation location that are identified by its Reliability Coordinator, Planning Coordinator, or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.”

I had three entities contact me about this, in a state of great confusion.  “WTF?”, one asked (I assume he was referring to the Western Transmission Forum).  What is going to be in scope?  Just the AVR system?  The unit it’s part of?  The entire plant?

There were evidently a lot of questions raised about this email, since a new, longer one followed a few weeks later.  Its heart was this sentence: “NPCC indicated that its expectation is that because AVR/PSS status is the specific component of a generator that is critical to the derivation of IROLs, Generator Operators must protect the generator’s primary means of transmitting AVR/PSS status to ISO-NE under CIP-02-5.1 as a Medium Impact BES Cyber Asset.”

This email was more comforting.  It said that NPCC (the NERC Regional Entity that includes New England) “expected” that AVR/PSS would have to be a Medium BES Cyber Asset.  The implication was that neither the whole plant, nor even just a unit, would be Medium impact; just the AVR/PSS system(s) themselves.[i] 

The post linked above recounts in great detail a discussion I had at the WECC CIP User Group meeting at the end of January about this issue – with a senior NERC staff member and two gentlemen from one of the generation entities that received this email – as well as my own conclusions later on.  To summarize these (actually, to go beyond what I said in the post):

  1. None of the bright-line criteria actually apply to BES Cyber Systems.  Rather, they apply to either assets or Facilities.  The preamble to Section 2 of Attachment 1 says that BCS “associated with any of the following” – meaning BCS associated with the assets or Facilities referred to in the 2.X criteria – are Medium impact.   This shows that ISO NE was wrong in asserting that the AVR/PSS systems would be Medium BCS under 2.6.  Criterion 2.6 itself (as well as all the other High and Medium criteria) just tells the entity that an asset or Facility is Medium impact; it is up to the entity to identify the BCS associated with that asset/Facility, which will then be Medium BCS.  So we need to look at the subject of 2.6 to find out what assets or Facilities that criterion is actually designating as Medium impact.  If an asset or Facility doesn’t meet one of the Medium criteria, then none of the BES Cyber Systems associated with it will be Mediums, unless they happen to be associated with another asset/Facility that does meet one of the Medium criteria.
  2. Unfortunately, the Standards Drafting Team didn’t do anybody a favor by simply using the word “Generation” in the subject of 2.6.  This isn’t a NERC defined term, but comparing 2.6 to the use of “Generation” in criterion 2.1 leads me to conclude that only the entire plant can be designated Medium when you simply use that word (without “Facilities” following it). Yet it was also quite clear from the second email that ISO NE and NPCC weren’t trying to designate the entire plant as Medium impact. 
  3. But let’s move on.  Since the emails clearly weren’t considering “Generation” in 2.6 to mean the whole plant (which is of course an “asset”), this means they were considering it to mean “Generation Facilities”.  This sounds somewhat plausible, given that the second part of the subject of 2.6 is “Transmission Facilities”, and because the SDT actually said in the Guidance section that 2.6 refers to “Generation Facilities”[ii].   On the other hand, if the SDT meant for 2.6 to refer to “Generation Facilities”, why doesn’t it SAY that?  In any case, I’m willing to stipulate that “Generation” in 2.6 is really shorthand for “Generation Facilities”.
  4. If 2.6 really applies to Generation Facilities, there is a clear way for the ISO NE emails to be legitimate: if the AVR is really a Facility, not a system.  Then the AVR is Medium impact by 2.6, and the BCS associated with it are Medium BCS.  This is what I was thinking when I wrote the post linked above.
  5. However, a very experienced NERC compliance manager from a large electric utility (whom I have known for a long time, and who I believe suffered through one of the first – and most chaotic - CIP audits in the country – a very interesting experience, as he recounted to me at the time) disabused me of this notion in an email.  He made quite clear that AVR is a system, not a Facility.  If you’re having trouble thinking of an example of a case where a system would be separate from a Facility, think of a relay controlling a line in a substation.  The line is the Facility, while the relay is the BES Cyber System.  If the Facility is a Medium (say, it’s a 500+kV line at a Criterion 2.4 substation), then the relay is a Medium BCS.  In the case of AVR, there is no Facility (as I had thought); AVR is just a cyber system that is associated with a Facility called a generating unit, and also with a generating plant.  AVR can only be Medium impact if the entire plant or the unit becomes Medium impact under Criterion 2.6.
  6. Because the AVR system doesn’t have any “status” of its own in Criterion 2.6 (i.e. it can’t itself be the subject of the criterion, as ISO NE seems to want it to be), ISO NE’s emails don’t comply with the wording of R1 and Attachment 1; they are meaningless as a guide to compliance for the entities that received them.

So what does this all mean for the question of what – if anything – has been designated Medium impact by the two ISO NE emails?  There are just three “legal” outcomes to this analysis – meaning outcomes that comply with the wording of CIP-002-5.1 R1 and Attachment 1.  They all involve ISO NE rewriting or rescinding its emails:

  1. Since the best interpretation of 2.6 is that “Generation” refers to the entire plant, if ISO NE is so concerned about protecting AVR, they need to resend the email and tell the generators their AVRs will be Medium BCS since they’re associated with a plant that meets Criterion 2.6.  Therefore, all the BCS associated with the plant also need to be treated as Medium impact (hey, don’t blame me for saying this.  I’m trying to state what Attachment 1 says).
  2. Since the second best interpretation of 2.6 is that “Generation” really is shorthand for “Generation Facilities”, if ISO NE is so concerned about protecting AVR but doesn’t want to make the whole plant Medium, they need to resend the email and tell the generators their AVRs will be Medium BCS since they’re associated with a Facility (i.e. the unit[iii]) that meets Criterion 2.6.  Therefore, all the BCS associated with the unit also need to be treated as Medium impact.
  3. If ISO NE decides that protecting the AVR systems isn’t important enough to require entire plants or units to be declared Medium impact, they need to send out an email saying the two previous emails are null and void.  Thus, unless the plants or units in question have another reason to be considered Medium impact, they will remain Lows, and the AVR systems will be Low BCS.

But I can almost guarantee you that none of these three outcomes will actually come to pass.  ISO NE is determined to protect the AVR systems, but I’m sure they’re also determined not to force most of the plants in their footprint to be declared Medium impact.  How can this problem possibly be solved legally?

It can’t be solved legally.  Either NERC will make some sort of “ruling” that ISO NE and NPCC are right, and just the AVR systems are Medium BCS, or (and I’m sure this is the preferred course of action) none of the parties will say anything at all beyond the emails in question (I understand there were one or two further emails, but I think they just supported ISO NE’s position). 

Which outcome do I hope for?  The second option is very bad because it leaves so much uncertainty for the generators.  I hope NERC simply makes a “ruling” that the AVR systems in this case are BES Cyber Systems, for no reason having to do with the wording of Criterion 2.6 (since there is no way that 2.6 could be made to fit this ruling).  As I’ve said repeatedly, we’re well beyond the point where we need to think of CIP-002-5.1 R1 and Attachment 1 as being fixed “Requirements” that have a right and wrong interpretation – and for which entities can be assessed PVs for making the wrong interpretation.  That idea is soooo 2014.  Until CIP-002-5.1 R1 and Attachment 1 are rewritten (a three-year process at least), I am sure there will be no PVs assessed for good faith efforts to comply.

NERC, go ahead and issue your ruling, fatwa, Papal encyclical, whatever you want to call it.  You can base it on the Teachings of Don Juan, the Tibetan Book of the Dead, the Kabbalah, I am the Walrus, or any other sacred text you want.  Or you can not base it on any text at all – just say “This is so because we said it’s so.”  This last is my personal favorite, since it’s much closer to the truth than trying to come up with some spurious textual justification for your ruling.  The justification for doing this is that ISO New England feels strongly that the AVR systems need to be Medium impact BES Cyber Systems, but they don’t want to have the plants or units themselves be Mediums.  What further justification do you need?

However, NERC, please don’t pretend that what you’re doing in this ruling is somehow in line with CIP-002-5.1 R1 and the Rules of Procedure; it violates both of them.  But you know what?  Before long, you’ll be issuing these Attachment 1 rulings weekly or even daily – and they’ll all violate R1 and the ROP.  The bright-line criteria are a black hole, with each criterion leading to ten questions, those ten questions each leading to ten more, etc.; each of these questions will require its own “ruling”, and Attachment 1 will provide guidance for almost none of them.  The good news, of course, is that you’ll all have job security until you retire.  Just keep those rulings coming!

I’m finished with this post, but there is a sequel coming soon.  In my email discussion with the NERC compliance manager I mentioned above as well as another entity, I began to see how this discussion fits into a Larger Picture; that Larger Picture perhaps points a way for the Attachment 1 criteria to be written in a more sustainable fashion (if the entire CIP-002 is rewritten).  And since I’m a Larger Picture kind of guy (that’s why you’re paying me, of course), I’m not going to let this thought drop.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.

[i] However, for some of the generators, this “clarification” was anything but comforting.  A couple of paragraphs down in the same email, ISO NE said they expected the “Responsible Entity to implement a process that considers the circuitry associated with the generator’s primary means of transmitting AVR/PSS status to ISO-NE as a Medium Impact BES Cyber System…”  This seems to say that all of the cabling associated with the AVR system, including the maze of cabling that connects it to the DCS, is Medium impact.  I know one entity that is tearing their hair out over this, since they have several plants that received these emails and protecting all of that cabling would be a nightmare.  But of course, cabling itself can’t be a BCS anyway – so technically this sentence is meaningless; but when you have ISO NE and NPCC making this meaningless statement, and you’re on the receiving end of the email, you need to make sure you deal with this now, rather than four years from now in an audit.

[ii] Of course, the SDT shouldn’t have capitalized “Generation” since it isn’t a defined term. It’s hard to understand how they could make a mistake like that.

[iii] A unit can be a Facility, but the entire plant can’t.  If you read the definitions of Facility and Element (which is included in the “Facility” definition), you’ll see that a Facility has to have terminals on it.  Multi-unit plants don’t have terminals, but the single units do.