Referring to yesterday's post on ISO New England's emails to generators, it turns out the second ISO NE email may not have settled the matter of what's in scope at the plants in question. One of the entities that I'd discussed this issue with told me today they are very concerned about the following wording in that email:
"If ISO-NE identifies a generator for which its AVR/PSS status is critical to the derivation of IROLs, this triggers an obligation under CIP-002-5.1 for the Responsible Entity to implement a process that considers the circuitry associated with the generator’s primary means of transmitting AVR/PSS status to ISO-NE as a Medium Impact BES Cyber System..."
If "circuitry" means the wiring that connects the AVR system to the DCS, that is a big deal - I guess that wiring is quite complex. If the entity needs to put special physical protections on that wiring, it would be expensive and a big effort.
To be honest, when I read this at first, I thought "circuitry" referred to the RTU, which - along with the AVR computer itself - is definitely part of the BES Cyber System that needs to be protected. But the next paragraph in the email addresses the RTU, so I was wrong about this.
As with a couple other statements in the email, the reference to circuitry being a BCS doesn't make sense. Wiring isn't a cyber asset; it therefore can't be part of a BES Cyber System. It would receive physical protection if it were part of an ESP - i.e. connecting two or more Cyber Assets within the ESP. However, if just the AVR system and the RTU are BCS (or they're part of one BCS), the ESP will just enclose them - so the PSP would presumably just enclose them as well (I know one entity that is literally discussing putting a box around the AVR and the RTU).
Thus, in order for physical protection of the wiring between the AVR system and the DCS to be required, both the DCS and the AVR would need to be Medium impact BES Cyber Systems. And since the DCS is the heart of the control systems in the plant, if you're making that a Medium, you're essentially making everything in the plant Medium impact - either as a BCS or a Protected Cyber Asset. Yet this clearly isn't what ISO NE intended.
It would have been nice if they'd left the "circuitry" word out of the email. As it is, the entity I mentioned is now investing a lot of effort into getting this issue resolved with NERC.
And of course, this will lead to another ad hoc ruling, as discussed in yesterday's post. Problems with the bright-line criteria are like the Hydra: you cut off one head and two more grow back. Except I think it's more than two when you're dealing with the BLC. The BLC have the Hydra licked, hands down.