Thursday, February 26, 2015

Making It Up as they Go Along, Part II: What the SGAS Mean

Note on April 18, 2016: I put a reference to this post in a post I put up yesterday, so I expect at least a few people will read this. I admit that I would write this more concisely if I had time to do it over, but the points are all still valid. I do want to emphasize that, were I employed by a NERC entity, I would be the first to sign up for my SGAS - I'm not in any way blaming the entities for this misguided policy. And I would support the SGAS if the results were somehow made public - there are a number of ways that they could be sanitized so that no information traceable to a particular entity is disclosed. The whole problem is that the results aren't disclosed, so entities can't take advantage of any information provided to their peers.

Dear Reader: Since 2014, this blog has maintained a proud tradition of annual April Fool’s Day posts.  I can assure you this tradition will continue this year.  However, as I write the post below, I am beginning to worry that people will interpret this as my early entry for April Fool’s.  Let me assure you, this is not the case.  What this post discusses is real; I wish it were otherwise.  I will find it very hard to top this come April 1.

I have started a series of posts documenting how NERC and the regions are simply improvising as they deal with the many serious interpretation issues for CIP Version 5 – issues that keep sprouting out of the ground like weeds on a warm spring day.  Part I was my first post on two emails from ISO New England that were causing generators to wring their hands and explore alternative careers in fast food – anything but NERC CIP; this was followed by four more posts on those emails, although I didn't label them part of this series. 

However, an email from NERC today (and an email conversation with a former auditor whose opinions I greatly respect) reminded me that there is a much more important example of “Making It Up as they Go Along” on the table – and that is from NERC itself.  The email discussed the Small Group Advisory Sessions (SGAS) that NERC has suddenly started advertising.  These are 60-90 minute sessions in which a group of SMEs from a NERC entity sits down with NERC staff to talk about “issues pertinent to that entity’s implementation of the CIP v5 Standards.”  

So what’s wrong with that?  What’s the matter with NERC sitting down to answer people’s questions?  I have no problem with their doing that.  What I do have a problem with – and others do, too – is that these are explicitly stated to be “closed” sessions.

First, what will be the subject of these closed sessions – important enough for critical NERC CIP SMEs to take a couple of days off and fly to Atlanta for a 60-90 minute meeting[i]?  It’s safe to say it won’t be the Braves’ prospects for 2015.  It’s also safe to say the meetings won’t rehash some compliance issues that have already been settled through Lessons Learned, etc. (although there are precious few of those that I would call genuinely “settled”) – or that may be addressed in the public CIP v5 Workshop going on at the same time in Atlanta.

Children, I’m afraid I have some bad news for you: The nice lessons you learned in Civics class about public bodies always dealing with public issues in a public manner don’t necessarily correspond with the reality of this terrible world we live in.  These sessions will be to discuss compliance issues that haven’t been publicly dealt with by NERC – or at least not officially “resolved”[ii]; that’s why entities will probably be lining up to have these meetings.  Whatever NERC says in the meetings will presumably never go beyond the ears of the attendees, as well as some others in their organizations.

Even that may not seem so bad on the face of it.  Given the fact that sensitive cyber security issues are being discussed, could these be anything but closed discussions?  And isn't it true that entities sit down one-on-one with their Regional Entities to discuss compliance issues all the time?  Why is it different if they sit down with NERC?

There is a big difference.  The entities are supposed to be getting all of their guidance on compliance from their regions.  The regions know all of their entities well, and if they have a closed meeting with one entity, they will presumably share anything that has general applicability with other entities who should be notified.  Even if they don’t immediately share these compliance points, they will certainly do so if another entity raises the same issue with them.  NERC isn't the auditor for any of the entities in the US (or Canada, for that matter)[iii]; the Regions[iv] are.

NERC doesn't have the same relationship with the entities as do the regions, and they could never make sure they had shared a particular piece of information with all of the entities in North America to whom it might apply.  Let me correct that: they could certainly share the information with all such entities by putting it out in a public document.  For example, if they end up telling entity X that two of their Transmission assets – that are contiguous but don’t share a common fence – actually constitute two substations for the purposes of Criterion 2.5 (an issue I discussed in this post), they could try to generalize[v] that ruling into a public document like a Lessons Learned.  Yet NERC doesn't seem to have any intention of doing that.

Is this bad?  More specifically, does it meet one or more of the “unholy trinity” by being

  1. Illegal,
  2. Immoral, or
  3. Fattening?

I think we can rule out no. 3, although that depends on the type of snacks NERC has in the room.  As for number one, it is definitely illegal (in the sense that it violates the NERC Rules of Procedure, not that it will result in somebody being thrown in jail).  But that’s not my concern here – I have said repeatedly that the only way CIP v5 (and especially CIP-002-5.1 R1) can be successfully implemented is if a number of illegal interpretations are made – by somebody[vi].  The last chance NERC had to fix the problems with v5 legally was when they wrote the SAR for the CIP v5 Revisions (aka v6) – instead, they kept the scope of the SAR narrowly to the four mandates FERC had made in Order 791.  I’m just glad to see that NERC is finally stepping up even to do these illegal interpretations, since for a while it looked like they weren't going to.

So are the SGAS immoral?  On the surface, they are.  If NERC is making “rulings” for individual entities, then that is unfair to those that can’t set up an SGAS.  According to the latest email from NERC, the SGAS will be offered on nine days in February, March and April.  If you assume they set up six meetings on each of those days (probably an over-estimate), that leads to 54 meetings, and 54 entities (presumably large ones) that have had their biggest v5 interpretation issues addressed by NERC.  What about the other hundred or more[vii] entities that don’t get to do this?  I suggest there be a new Functional Model classification for these entities: SOL.

But hey, I’m a realistic guy.  NERC has a job to do – successfully implement the v5 standards on April Fool’s Day, 2016.  It may not be fair to some of the other entities that they don’t get an SGAS, but maybe NERC can help them out by setting up individual phone calls, etc.  Strict morality is a nice thing to have, but desperate times call for desperate measures – and make no mistake, with the implementation date 13 months away and about 500 serious v5 issues on the table, these are desperate times indeed.

No, the core of my objection to the SGAS is that they could well destroy the enforceability of CIP version 5 (and I really mean v5.5 here, as well as almost everywhere else where I say “v5” nowadays).  The reason I say that is quite simple: How can you possibly call something a “standard” that doesn't apply in the same way to every entity to which it’s supposed to apply?  Even more importantly, how could any penalty assessed for a CIP v5 violation ever be upheld if the entity challenges it in court?

Now, I have repeatedly suggested that CIP-002-5.1 R1 should be declared an “open” requirement by NERC, meaning no penalties will ever be assessed for “violations” resulting from good-faith efforts to understand what that requirement (and Attachment 1) means.  In fact, I have also said that R1 will be open regardless of whether or not NERC declares it so: there is so much ambiguity and contradiction in the wording that no violation could ever be upheld in a court of law (and of course, NERC CIP v5 is regulatory law because of FERC’s approval of it; penalties can be appealed in the regular court system); I even doubt any auditor would assess a PV in the first place, given that it will result in a huge battle and will most likely end up being deep-sixed.

In making this statement, I did wonder if the “open-ness” of R1 would “spread” to the requirements in the other standards.  After all, R1 is where you identify and classify your BES Cyber Systems.  If there is no ironclad methodology for doing that, then clearly the entity can never be certain it is applying the remaining requirements to the right systems – and the auditors can’t verify that, either.  However, I reasoned to myself that, even though the BCS identification process is fatally flawed, it is still possible to say objectively whether or not the entity has properly complied with the other v5 requirements – if you accept as given the BCS lists that came out of CIP-002-5.1 R1.  And auditors could still issue PVs for entities that missed the boat on these other requirements[viii].

But that reasoning is out the window.  There’s nothing in the SGAS announcement that says the closed discussions between the entities and NERC will be limited to CIP-002-5.1 R1; so potentially any other v5 requirement could be discussed as well – and NERC might well issue private “rulings” for those requirements. 

So what happens – say, five years from now – when an entity has been fined by FERC for violating CIP-007-6 R2, for example?  They appeal it to the courts, and their argument is quite simple: It’s impossible to know whether or not NERC might have given a private “interpretation” of that requirement during one of the SGAS.  It is quite possible that another entity was given advice on complying with this requirement (patch management) that could have applied to the entity that was fined as well.  They would then have done things differently and avoided the violation.  How could the fine possibly be upheld?  On any v5 requirement?

I’m reminded of the early 2000’s, when all companies finally jumped on the Internet.  At first, they just put up static pages; for example, a bank would just show its hours and locations, provide some forms to download, etc.  Then they all started trying to “personalize” the site.  Instead of “”, the site became “”.  You would log in and get access to your personal banking information, do transactions online, etc.

It seems that the SGAS are following that same process.  Instead of having just one version of CIP v5 for everybody, now everyone (at least the lucky ones) will have “my CIP v5” – their own CIP v5 custom tailored for their own unique environment.  It’s all about serving the customer. 

Of course, at that point you can’t use the word “standards” for CIP v5; something like “suggestions”, “guidelines”, etc. would be much more appropriate.  And of course, there will be no more talk about fines or nasty stuff like that – how can you issue a fine against someone simply because they didn't take your suggestion?  If FERC is happy with this situation then hey, who am I to complain?

At this point, I have to pause to retrieve my tongue.  It’s so far back in my cheek that I’m in danger of swallowing it.  I told you it’s going to be very hard to top this post on April Fool’s Day.

So what can NERC do to avoid this perhaps fatal blow to all of CIP v5?  I see two overall options.  First, they could:

  1. Keep the SGAS – I do like the idea of having NERC meet with entities to discuss v5 – but make it quite clear the meetings are solely for gathering questions the entities have about the meaning of particular wording in CIP v5 (of course, the first SGAS already took place this week.  I hope NERC anticipated this post and followed my advice before I gave it).
  2. Once NERC has all these questions in hand (and they should gather them from other sources as well, especially the entities who can’t make an SGAS), they should commit to addressing every one of them in an open manner – presumably through something like the Lessons Learned documents (but I’m even OK if NERC short-circuits the LL process and just issues their “rulings”.  Strictly speaking, they’ll be illegal, but at least they’ll be completely public).
  3. However, there’s no way NERC can address all of these questions in time for the answers to be of help for entities trying to comply with the 4/1/16 date.  That has to be pushed back by at least a year.

What’s NERC’s second option?  It’s to continue on their current course and hope everything works out for the better.  And my money’s on their choosing Door Number Two.  CIP v5 has been dealt a potentially fatal blow.  The victim is staggering but still standing.  Will he finally fall for good?  And if he does, when will that happen?

To Be Continued…

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.

[i] There is a larger meeting – open to all NERC entities – that they will be able to attend while they’re waiting around for their private hour with NERC.  So they don’t just have to go to the bar and watch TV.

[ii] Of course, “resolved” isn't the right word for what NERC is doing.  As I've said repeatedly, NERC has no way to give binding interpretations of standards, except by going through the RFI process – which requires 2-3 years.  The most they can do is put out a document for public comment – which is what the Lessons Learned are – then revise it to incorporate those comments.  They presumably hope this process will build a consensus among the entities and the regions regarding the topics discussed in the Lessons Learned.

[iii] I believe NERC is the auditor for the regions themselves, and perhaps for the ISOs.

[iv] In Canada, it’s not even the Regions.  The entity that enforces the standards is different in each province.

[v] Of course, I’m sure the nature of the issues brought up in these meetings will be quite specific to the particular situation of the entity, so it will be hard to generalize NERC’s “ruling” on an issue to other NERC entities.  On the other hand, these “rulings” will constitute non-public interpretations, regardless of whether or not there is only one entity they could apply to.  Back in 2012 (in a post on another blog that I re-posted here in 2013), I suggested some sort of “Supreme Court of CIP” that would officially resolve the myriad questions that I could see were going to come up about application of the bright-line criteria.  It seems NERC may be taking me up on that suggestion, although I’m sure they don’t remember my making it – and of course, I intended the “court” sessions to be public, not private.  I hope to do a new post soon on the problem of the bright-line criteria.  I would say it is the most serious problem for CIP v5, if I didn't know a couple others that are in pretty close contention for that title.

[vi] And I've suggested at various times that “somebody” could be God, Barack Obama, Judge Judy, Joe DiMaggio, The Tibetan Book of the Dead – basically, any person or thing, alive or dead, that would have enough authority to command the respect of the NERC community.  In practice, of course, NERC is the preferred “somebody”, although for a while it looked like they weren't going to do anything to address the v5 interpretation issues.  Now they’re finally doing something on a fairly large scale (although not sufficiently large) - I'm referring to the Lessons Learned and FAQs; the fact that these don't constitute "legal" interpretations of v5 doesn't bother me in the least.  The SGAS do bother me, although not the fact that they're "illegal", but the fact that their results won't be made public.

[vii] I of course don’t know how many entities are subject to all of CIP v5 – i.e. they have High and/or Medium impact assets with High or Medium BES Cyber Systems.  It may not be more than 200.  In any case, it’s more than 54.

[viii] The only possible exception to this statement would be CIP-005-5 R1, since that also deals with “fundamental” asset classification issues.  For example, it’s the requirement that results in your having to identify Protected Cyber Assets.  If the BCS are identified “incorrectly”, the PCAs will be as well.  And the question of what constitutes External Routable Connectivity is a huge issue that is nowhere close to being resolved.  I guess this falls into 005 R1 as much as it does in any other requirement.
