This is my fourth and (probably) final post in a series of posts (starting with this one) about two emails that ISO New England sent out to generators in their area. The emails stated that generators need to protect… well, what they have to protect is the issue, let’s just say they need to protect something… as Medium impact under Criterion 2.6 in Attachment 1 of CIP-002-5.1.
I’m interested in these emails primarily because they have created a big stir among the generators that received them (including a customer of mine); at least some of the generators are very concerned that they may end up with entire units or even plants becoming Medium impact - when they hadn’t even considered that could happen, and when there are just about 13 months left before the compliance date. However, I’m also interested because these emails illustrate the very serious problems that are going to keep coming up with CIP-002-5.1 R1 and Attachment 1 as entities get down to the nuts and bolts of actually complying.
To save you the time required to read my first post about this topic, I will summarize the parts of it that are relevant to this post (it is still worth reading, and will undoubtedly take its place among the great blog posts of all time):
In December, ISO New England sent to a number of generators in their area an email that read “In accordance with Criterion 2.6 of NERC Standard CIP-002-5, ISO New England has determined that Generation Facilities represented by your company have an AVR and/or PSS (if equipped) that is critical to the derivation of IROLs and their associated contingencies, as specified by FAC-014-2, Establish and Communicate System Operating Limits, R5.1.1 and R5.1.3.” Criterion 2.6 reads “Generation at a single plant location or Transmission Facilities at a single station or substation location that are identified by its Reliability Coordinator, Planning Coordinator, or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.”
I had three entities contact me about this, in a state of great confusion. “WTF?”, one asked (I assume he was referring to the Western Transmission Forum). What is going to be in scope? Just the AVR system? The unit it’s part of? The entire plant?
There were evidently a lot of questions raised about this email, since a new, longer one followed a few weeks later. Its heart was this sentence: “NPCC indicated that its expectation is that because AVR/PSS status is the specific component of a generator that is critical to the derivation of IROLs, Generator Operators must protect the generator’s primary means of transmitting AVR/PSS status to ISO-NE under CIP-02-5.1 as a Medium Impact BES Cyber Asset.”
This email was more comforting. It said that NPCC (the NERC Regional Entity that includes New England) “expected” that AVR/PSS would have to be a Medium BES Cyber Asset. The implication was that neither the whole plant, nor even just a unit, would be Medium impact; just the AVR/PSS system(s) themselves.[i]
The post linked above recounts in great detail a discussion I had at the WECC CIP User Group meeting at the end of January about this issue – with a senior NERC staff member and two gentlemen from one of the generation entities that received this email – as well as my own conclusions later on. To summarize these (actually, to go beyond what I said in the post):
- None of the bright-line criteria actually apply to BES Cyber Systems. Rather, they apply to either assets or Facilities. The preamble to Section 2 of Attachment 1 says that BCS “associated with any of the following” – meaning BCS associated with the assets or Facilities referred to in the 2.X criteria – are Medium impact. This shows that ISO NE was wrong in asserting that the AVR/PSS systems would be Medium BCS under 2.6. Criterion 2.6 itself (as well as all the other High and Medium criteria) just tells the entity that an asset or Facility is Medium impact; it is up to the entity to identify the BCS associated with that asset/Facility, which will then be Medium BCS. So we need to look at the subject of 2.6 to find out what assets or Facilities that criterion is actually designating as Medium impact. If an asset or Facility doesn’t meet one of the Medium criteria, then none of the BES Cyber Systems associated with it will be Mediums, unless they happen to be associated with another asset/Facility that does meet one of the Medium criteria.
- Unfortunately, the Standards Drafting Team didn’t do anybody a favor by simply using the word “Generation” in the subject of 2.6. This isn’t a NERC defined term, but comparing 2.6 to the use of “Generation” in criterion 2.1 leads me to conclude that only the entire plant can be designated Medium when you simply use that word (without “Facilities” following it). Yet it was also quite clear from the second email that ISO NE and NPCC weren’t trying to designate the entire plant as Medium impact.
- But let’s move on. Since the emails clearly weren’t considering “Generation” in 2.6 to mean the whole plant (which is of course an “asset”), this means they were considering it to mean “Generation Facilities”. This sounds somewhat plausible, given that the second part of the subject of 2.6 is “Transmission Facilities”, and because the SDT actually said in the Guidance section that 2.6 refers to “Generation Facilities”[ii]. On the other hand, if the SDT meant for 2.6 to refer to “Generation Facilities”, why doesn’t it SAY that? In any case, I’m willing to stipulate that “Generation” in 2.6 is really shorthand for “Generation Facilities”.
- If 2.6 really applies to Generation Facilities, there is a clear way for the ISO NE emails to be legitimate: if the AVR is really a Facility, not a system. Then the AVR is Medium impact by 2.6, and the BCS associated with it are Medium BCS. This is what I was thinking when I wrote the post linked above.
- However, a very experienced NERC compliance manager from a large electric utility (whom I have known for a long time, and who I believe suffered through one of the first – and most chaotic – CIP audits in the country – a very interesting experience, as he recounted to me at the time) disabused me of this notion in an email. He made quite clear that AVR is a system, not a Facility. If you’re having trouble thinking of an example of a case where a system would be separate from a Facility, think of a relay controlling a line in a substation. The line is the Facility, while the relay is the BES Cyber System. If the Facility is a Medium (say, it’s a 500+kV line at a Criterion 2.4 substation), then the relay is a Medium BCS. In the case of AVR, there is no Facility (as I had thought); AVR is just a cyber system that is associated with a Facility called a generating unit, and also with a generating plant. AVR can only be Medium impact if the entire plant or the unit becomes Medium impact under Criterion 2.6.
- Because the AVR system doesn’t have any “status” of its own in Criterion 2.6 (i.e. it can’t itself be the subject of the criterion, as ISO NE seems to want it to be), ISO NE’s emails don’t comply with the wording of R1 and Attachment 1; they are meaningless as a guide to compliance for the entities that received them.
So what does this all mean for the question of what – if anything – has been designated Medium impact by the two ISO NE emails? There are just three “legal” outcomes to this analysis – meaning outcomes that comply with the wording of CIP-002-5.1 R1 and Attachment 1. They all involve ISO NE rewriting or rescinding its emails:
- Since the best interpretation of 2.6 is that “Generation” refers to the entire plant, if ISO NE is so concerned about protecting AVR, they need to resend the email and tell the generators their AVRs will be Medium BCS since they’re associated with a plant that meets Criterion 2.6. Therefore, all the BCS associated with the plant also need to be treated as Medium impact (hey, don’t blame me for saying this. I’m trying to state what Attachment 1 says).
- Since the second best interpretation of 2.6 is that “Generation” really is shorthand for “Generation Facilities”, if ISO NE is so concerned about protecting AVR but doesn’t want to make the whole plant Medium, they need to resend the email and tell the generators their AVRs will be Medium BCS since they’re associated with a Facility (i.e. the unit[iii]) that meets Criterion 2.6. Therefore, all the BCS associated with the unit also need to be treated as Medium impact.
- If ISO NE decides that protecting the AVR systems isn’t important enough to require entire plants or units to be declared Medium impact, they need to send out an email saying the two previous emails are null and void. Thus, unless the plants or units in question have another reason to be considered Medium impact, they will remain Lows, and the AVR systems will be Low BCS.
But I can almost guarantee you that none of these three outcomes will actually come to pass. ISO NE is determined to protect the AVR systems, but I’m sure they’re also determined not to force most of the plants in their footprint to be declared Medium impact. How can this problem possibly be solved legally?
It can’t be solved legally. Either NERC will make some sort of “ruling” that ISO NE and NPCC are right, and just the AVR systems are Medium BCS, or (and I’m sure this is the preferred course of action) none of the parties will say anything at all beyond the emails in question (I understand there were one or two further emails, but I think they just supported ISO NE’s position).
Which outcome do I hope for? The second option is very bad because it leaves so much uncertainty for the generators. I hope NERC simply makes a “ruling” that the AVR systems in this case are BES Cyber Systems, for no reason having to do with the wording of Criterion 2.6 (since there is no way that 2.6 could be made to fit this ruling). As I’ve said repeatedly, we’re well beyond the point where we need to think of CIP-002-R1 and Attachment 1 as being fixed “Requirements” that have a right and wrong interpretation – and for which entities can be assessed PVs for making the wrong interpretation. That idea is soooo 2014. Until CIP-002-5.1 R1 and Attachment 1 are rewritten (a three-year process at least), I am sure there will be no PVs assessed for good faith efforts to comply.
NERC, go ahead and issue your ruling, fatwa, Papal encyclical, whatever you want to call it. You can base it on the Teachings of Don Juan, the Tibetan Book of the Dead, the Kabbalah, I am the Walrus, or any other sacred text you want. Or you can not base it on any text at all – just say “This is so because we said it’s so.” This last is my personal favorite, since it’s much closer to the truth than trying to come up with some spurious textual justification for your ruling. The justification for doing this is that ISO New England feels strongly that the AVR systems need to be Medium impact BES Cyber Systems, but they don’t want to have the plants or units themselves be Mediums. What further justification do you need?
However, NERC, please don’t pretend that what you’re doing in this ruling is somehow in line with CIP-002-5.1 R1 and the Rules of Procedure; it violates both of them. But you know what? Before long, you’ll be issuing these Attachment 1 rulings weekly or even daily – and they’ll all violate R1 and the ROP. The bright-line criteria are a black hole, with each criterion leading to ten questions, those ten questions each leading to ten more, etc.; each of these questions will require its own “ruling”, and Attachment 1 will provide guidance for almost none of them. The good news, of course, is that you’ll all have job security until you retire. Just keep those rulings coming!
I’m finished with this post, but there is a sequel coming soon. In my email discussion with the NERC compliance manager I mentioned above as well as another entity, I began to see how this discussion fits into a Larger Picture; that Larger Picture perhaps points a way for the Attachment 1 criteria to be written in a more sustainable fashion (if the entire CIP-002 is rewritten). And since I’m a Larger Picture kind of guy (that’s why you’re paying me, of course), I’m not going to let this thought drop.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.
[i] However, for some of the generators, this “clarification” was anything but comforting. A couple paragraphs down in the same email, ISO NE said they expected the “Responsible Entity to implement a process that considers the circuitry associated with the generator’s primary means of transmitting AVR/PSS status to ISO-NE as a Medium Impact BES Cyber System…” This seems to say that all of the cabling associated with the AVR system, including the maze of cabling that connects it to the DCS, is Medium impact. I know one entity that is tearing their hair out over this, since they have several plants that received these emails and protecting all of that cabling would be a nightmare. But of course, cabling itself can’t be a BCS anyway – so technically this sentence is meaningless; but when you have ISO NE and NPCC making this meaningless statement, and you’re on the receiving end of the email, you need to make sure you deal with this now, rather than four years from now in an audit.
[ii] Of course, the SDT shouldn’t have capitalized “Generation” since it isn’t a defined term. It’s hard to understand how they could make a mistake like that.
[iii] A unit can be a Facility, but the entire plant can’t. If you read the definitions of Facility and Element (which is included in the “Facility” definition), you’ll see that a Facility has to have terminals on it. Multi-unit plants don’t have terminals, but the single units do.