Sunday, February 1, 2015

NERC CIP in Fantasyland

I attended WECC’s CIPUG – CIP User Group – in Anaheim, Calif. last week.  This was the third CIPUG I’ve attended in this location, at a hotel a couple blocks from the gates of Disneyland.  It was as usual an intimate gathering – just me and 350 of my closest friends.  And as usual, it was a very well-organized and well-programmed event.

The first time I heard about a CIPUG being next to Disneyland, I thought, “How appropriate.  There is such a huge amount of unreality in NERC CIP; we’ll all feel right at home there.”  But after attending the meeting last week, I saw this juxtaposition from an almost opposite perspective. 

I have often put myself in the place of the people working in Disneyland, and especially Fantasyland – playing Mickey and Minnie Mouse, the Seven Dwarfs, etc.  I am sure these people have no illusions that they work in a make-believe world.  When they come off work, they don’t have to adjust to our “real” world –they feel they never left it.  The only people who actually believe in the make-believe world of Fantasyland are of course the very young kids who visit there.

Let’s contrast this with the people attending the CIPUG: staff members of NERC, WECC, and the NERC Responsible Entities, as well as consultants like me.  We are all indulging in fantasies about NERC CIP Version 5 and its path to implementation; those fantasies were on display in the CIPUG presentations as well as the conversations at breakfast, lunch and the breaks.  The difference between us and the people who play the Fantasyland characters is that they know they’re in a make-believe world.  Those of us attending the CIPUG, on the other hand, didn’t have a clue that this is the case. We were in the position of the young kids visiting Fantasyland, not the workers putting in their time there and thinking about anything except Mickey Mouse.

In this post, I will list three fantasies that are quite prevalent in the world of NERC CIP and that were on display at the CIPUG (but, of course, that are certainly not limited to the people who attended the CIPUG).  I do wish to point out that I am not singling out any particular individuals as being more prone to these fantasies than anyone else, although I will illustrate the fantasies through their manifestation in the presentations and discussions at the CIPUG.  These are institutional fantasies that have evolved to enable the whole NERC CIP “world” to live with an increasingly impossible situation, and to justify the fact that thousands of people in that world are plodding dutifully ahead, with no clear idea where they’re actually going or whether in fact they are really getting anywhere at all.[i]

Note: The CIPUG was just one of a total of three days of meetings.  The first two days were a combination of the WECC Compliance User Group (or CUG - i.e. the group that manages compliance with the other NERC and WECC standards, collectively known as the “693” or “O & P” standards) and the Western Interconnect Compliance Forum (WICF) – the association of NERC compliance professionals at WECC entities (whose meetings and forums are off-limits to NERC and WECC staff members).  The presentations from the entire three days can be found at this location; you can find the ones relevant to CIP by looking for titles with “CIP” or “Cyber Security”.[ii]

Fantasy Number One: The Foundation of CIP Version 5 is Strong
It’s no surprise when I tell you that NERC and WECC (and the other seven Regional Entities) are moving forward (perhaps not at full speed) on implementing CIP Version 5.  Given that, it should also be no surprise that the NERC and WECC staff members, in their presentations, didn’t bring up any fundamental issues with v5.  They certainly did mention various issues that needed to be resolved, but none of the “hold the presses” variety.  Indeed, how could they stay in their current jobs unless they truly believed this?  NERC is committed to implementing CIP v5 as written; if you don’t think that can really be done, you should seek employment elsewhere.

If you’ve read any of my posts since April 2013, you know that I think the foundation of CIP v5 is rotten.  The foundation consists primarily of CIP-002-5.1.  I recently documented twenty serious problems with that standard, and I’m sure I could add another 15 – 20 problems to that today without much effort (some of these came out directly or inadvertently in the CIPUG presentations).

But the “foundations” of CIP v5 aren’t just in CIP-002; they’re part of other standards as well, especially CIP-005-5.  And this is why I found the presentation by Morgan King of WECC on CIP-005 Lessons Learned to be so interesting.  Morgan did a very good job of discussing four Lessons Learned (none finalized as of yet, and one or two not even released in draft form) that relate to CIP-005.  His presentation provides some good information, although I really wish there were recordings available, since the Q&A was the really interesting part.

The Q&A for Morgan’s presentation clearly revealed something I’d already suspected: as you[iii] start to probe more deeply into any particular question about CIP v5, you’re almost certain to uncover a number of additional questions.  And so it went with Morgan.  He addressed four particular Lessons Learned, but I’d say there were 3 - 5 new questions raised about each one (and if there weren’t five questions raised, it’s only because discussion had to be shut off to move to the next presentation.  There could have easily been at least a whole half day of Q&A just on Morgan’s presentation; this is true for a few of the other presentations as well, especially those of Dr. Joe Baugh on CIP v5 Pilot Study Lessons Learned and Lisa Wood on Low Impact Assets[iv] in v5.  I highly recommend WECC expand the CIPUG to a day and a half, just like the CUG).

I unfortunately didn’t take notes on the different issues that were raised – they came fast and furious, and as I said Morgan (as well as all of the presenters) was under a lot of pressure to finish up so the next presentation could start.   I do remember there were a lot of questions on the External Routable Connectivity discussion at the beginning of the presentation and the Virtualization discussion at the end.  Morgan handled these new questions in the only way he could be expected to: by saying the NERC Transition Advisory Group (of which he’s an active member) hadn’t addressed them yet.[v]

To illustrate what I said about new questions being raised as soon as you try to address one question in CIP v5, I’ll point you to page 18 in Morgan’s presentation.  There, he lists three criteria for the presence of External Routable Connectivity, including “Would the misuse or disruption of those routable protocols or BES Cyber Assets have an adverse impact on the BES within 15 minutes?”  This isn’t a question that was asked at the meeting, but I’ll ask it now: What does adverse BES impact – within 15 minutes or 15 years – have to do with the question whether a cyber asset has ERC?  Adverse BES impact is certainly important for determining whether a Cyber Asset meets the BES Cyber Asset definition (as I discussed in this post), but it has nothing to do with ERC.

Note (Feb. 2):  Morgan emailed me this morning to point out that his slide 18 (the one discussed above) had been unclear; the third bullet point (quoted above) really had to do with the question whether the protocol converter was a BCS (see slide 12), in which case the question about adverse BES impact does make sense.  He said he mentioned this during the presentation, which I don't doubt - there was so much he had to say and he (like the other presenters) was rushing through it so quickly that I couldn't really absorb even half of the things he said. Besides extending the CIPUG to a day and a half (it's really about 6 hours now), WECC should also make the webinar recording publicly available (they webcast the CUG/CIPUG for WECC members, who have to pay to "attend" that, just as they do to attend the live event).

And this brings up another topic.  In his presentation, Tobias Whitney of NERC said that one way NERC plans to get more information out to entities regarding CIP v5 is the new "CIP University". No, CU won't consist of nice Gothic buildings with ivy on them.  It will make CIP meetings hosted by the different regions available to all NERC attendees.  This is nice, but it isn't going to make a huge difference, since I don't believe any of the other regions make their meetings available by webcast like WECC does; requiring people to attend in person, with limited travel budgets, isn't going to greatly increase the learning opportunities.

More importantly, what WECC is doing for CIP v5 education is far beyond what any of the other regions have done.  WECC has had three two-day v5 workshops, and will be having two workshops on Low impact assets (one is this week, although it's sold out).  This is in addition to the three-times-a-year CIPUGs.  I don't know any other region that has had more than 2-3 days worth of CIP v5 workshops so far (a couple have had zero that I know of); this isn't surprising, since WECC is far more than twice the size of any other region.  I have always recommended that people from other regions attend WECC meetings.  This is allowed (although I don't know if the webinars are made available to non-WECC entities), and is encouraged because there really isn't a lot of WECC-specific content in the meetings (there was virtually none in the CIPUG); everyone can benefit from them. Maybe WECC can offer to expand their meetings and make them all available to NERC entities online.

Another issue I had with Morgan’s presentation was at the end, when he said – probably as part of his response to a question – that a network switch would be a BES Cyber Asset.  I recently wrote a post pointing out that another NERC auditor (different region) strongly believes switches should not be BCAs.  I won’t say who is right on this matter (although I lean toward the other auditor’s position).  However, this shows there are some fundamental questions that are being seriously debated now (or should be debated, if they’re not) within NERC – exactly 14 months before the High/Medium compliance date.  Anybody else see a problem with this?

Speaking of getting on to the next topic, it’s time for me to get on to the next fantasy that was revealed at the CIPUG.  Suffice it to say that the primary “lesson learned” I took away from Morgan’s presentation (as well as a couple others) was that there can be no end to the questions raised about CIP v5, at least within a finite time period such as, say, the 14 months between now and April 1, 2016.

Fantasy Number Two: The Interpretation Issues with CIP v5 are Manageable
The previous paragraph is a great lead-in to this fantasy.  I state again that I’m not pointing a finger at any particular individuals as subject to the fantasies discussed in this post, but I will use the presentation by Tobias Whitney of NERC – and his response to a question I asked him in the meeting – as an illustration of this fantasy.

Tobias’ presentation was titled “Version 5 Pilot, RAI Initiative and Transition Guidance”.  It was good, and especially important because he –as the person in charge of all of this – was the one delivering it.  A highlight was his list of 15 (or so) Lessons Learned that he promised would be addressed by April 1 of this year.  He also mentioned that entities should submit any new questions to their regions, who will then submit them to NERC.

My question to Tobias was in essence the following, but it was much shorter: “Tobias, it’s wonderful that you’re addressing 15 questions by April 1.  By the way, you didn’t mention that you’re using FAQs to address some other questions, but you have addressed maybe 30 additional questions that way, and will undoubtedly do more FAQs as well.  However , as we saw in the presentations earlier today – especially Morgan’s – the questions keep metastasizing, so that as you probe deeper into almost any one of them you find a number of further questions, and so on perhaps ad infinitum.[vi]  I’m sure that NERC entities could today come up collectively with over 500 serious questions on CIP v5, with more appearing all the time.

“I’m not asking you to tell me when every v5 question will be addressed.  You obviously can’t tell me that until you have a list of all v5 questions.  But since these questions are clearly growing daily, what can NERC do to at least develop and maintain a comprehensive online list of v5 questions that have been asked to date?  These would be questions that don’t have an easy answer by referring to the wording of the standards, or one of the guidance documents like the Lessons Learned (although those have to be answered as well).  I think this list would provide a big benefit just by itself, even though it wouldn’t actually answer any questions.  Even though NERC entities wouldn’t have answers to most of these questions, they would at least have a rough idea of the size of the elephant as they take bites out of it.”

Tobias’ answer to me was quite interesting, and not at all what I expected.  He didn’t dispute the idea that there were many questions on v5 that NERC hasn’t even thought of yet, or that NERC ultimately will struggle to address every question that comes up[vii].  What he said was that a comprehensive list of questions might be a bad idea because it could cause entities to get discouraged and slow down or even stop their current efforts to come into v5 compliance!  When I expressed my surprise at this answer, he backed away from it, but later seemed to come back to it when he mentioned the danger of “paralysis by analysis”.

Think of what this means.  He seems to be saying NERC entities need to at some point simply charge ahead and do their best to come into compliance with v5, even though they may have all sorts of questions (both officially acknowledged and unacknowledged questions, as well as ones that are unknown at the moment) that could call into question whether portions of their effort are actually in error and need to be re-done or simply abandoned.[viii]

This might be good advice for adventurers heading off to explore new territory.  For them, it’s obviously impossible to know in advance all the obstacles that may lie ahead (otherwise, it wouldn’t be new territory).  But it doesn’t exactly strike me as wonderful advice for organizations that are moving to comply with a new set of standards, where there can potentially be huge fines for non-compliance.  What if Entity A takes his advice, puts aside any questions they have about whether they’re properly identifying BES Cyber Systems, and proceeds to develop an entire v5 compliance program based on a set of “BCS” that, as it turns out, weren’t properly identified in the first place?  Is Tobias saying they won’t get assessed a PV when an auditor – maybe four years from now – realizes they have completely missed the boat?

Maybe he is saying this.  I’ve already said regarding CIP-002-5.1 R1 that, not only should it be declared an “open” requirement with no PV’s assessed for good-faith efforts to comply, but that it will be an open requirement even if not actually “declared” so.  This is because no NERC auditor is going to assess a violation for a requirement that is ambiguously worded, and which the entity has tried their best to understand and comply with.  Maybe this idea really applies to all of the CIP v5 standards, not just CIP-002.[ix]  In other words, maybe the entire set of v5 standards should be declared open; and even if not declared so, they will be anyway because the auditors won’t assess PVs.

If Tobias really means to declare all of the v5 standards to be open ones, he of course needs to first get NERC and FERC on board with that idea; at the moment I think that would be quite a challenge.  So maybe his idea is to either postpone the v5 compliance dates (as I advocated in this post), or to declare just the first year of compliance to be an “open” one (which I didn’t advocate, although I’m not against this as long as it’s stated explicitly by NERC – not just left up to the discretion of the auditors.  There’s far too much auditor discretion already, and nobody is unhappier about that situation than the auditors themselves.  They want clear guidance).[x]

In any case, it should be clear that I’m not satisfied with Tobias’ answer to me.  I certainly agree that entities shouldn’t stop their CIP v5 compliance efforts at this point.  But I don’t see any way they can go ahead with an untroubled mind – as Tobias wants them to do – without the compliance date being moved back or the whole of CIP v5 being declared “open” for a year or so.[xi]

Fantasy No. 3: “We’ve Got it Under Control”
The third fantasy I identified at the CIPUG (and have identified before) is one indulged in by some compliance personnel at Registered Entities.  They believe they have CIP v5 pretty well figured out, and just need to fill in the blanks in order to complete their compliance implementation.

Let me say that I don’t think these people are lying when they say this.  They honestly believe that – while there are admittedly some less-important questions that need to be resolved – the fundamental concepts in CIP v5 are clear.  And why shouldn’t they believe that?  Every NERC presentation, webinar, bulletin, etc. says or implies the same thing.  I have yet to see a presentation by a NERC staff member who says, “Yes, for this important v5 issue we haven’t a clue about what we’re going to do to address it.”  Yet I could name a number of very fundamental issues[xii] for which that is exactly the case (or at least NERC hasn't announced they're addressing them).  

I quoted the physicist Richard Feynman in a recent post, who famously said “If you think you understand quantum mechanics, you don't understand quantum mechanics.”  I’ll paraphrase that: “If you think you understand how NERC CIP v5 works, you don’t understand how NERC CIP v5 works.”  As someone who has spent close to two years trying to understand how CIP v5 works and isn’t much further toward that goal than when I started, I absolutely believe this to be true.  No matter how smart you are, how many people you’ve talked to, or how many conferences you’ve attended, if you think you have CIP v5 down pat conceptually and you can just unthinkingly forge ahead to compliance, you’re living in Fantasyland.  The utmost humility is called for when CIP Version 5 is concerned.

As an example of this, one consultant and I were discussing at CIPUG the entities who say they understand CIP v5, then say that they really just have to identify all of their Critical Cyber Assets from CIP v3 as BES Cyber Systems, and they’ll be done with their BCS identification (one entity said that to me at the CIPUG).  If you’re one of these, I won’t say you’re wrong when you think that your lists of BCS (or BCAs) and CCAs will be the same; you may well be right about this.  However, you are wrong if you think the auditor will be satisfied if you tell him/her you just took your CCA list and made it your BCS list.  CIP-002-5.1 R1 requires you to develop and document a methodology for identifying BES Cyber Systems, and to apply that methodology to identify BCS.  You need to develop the methodology, and then run every Cyber Asset you have through it to develop your BCS list.  If it turns out the result identifies the exact same cyber assets that were on your CCA list, great.  But you can never assume that at the start.

So this is the last of the three fantasies I saw running rampant at the WECC CIPUG last week.  Like the measles, these things seem to spread at Disneyland.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.

Feb. 9: I've written a sequel of sorts to this post, which you can find here.

[i] Of course, institutional fantasies are nothing unique to the NERC world.  In fact, there is probably no institution that doesn’t indulge in its own fantasies, since not to do so would make it impossible for the employees to do their work.  Examples (and much more serious ones) include:
·         I’m sure employees of tobacco companies – in the years before the companies finally admitted the documented serious health effects were in fact real – were trained in how to respond when people brought up these effects to them: by denying that there were such effects (and probably believing that what they said was true).  What else could they possibly do?
·         I’m also sure that most US Congressmen/Congresswomen and Senators don’t believe that the vast majority of the work they’ve been doing in recent years has been completely futile, if not outright counterproductive.  How can you possibly stand before the voters and ask to be re-elected, with any other belief in your mind?
·         There are people to this day that assert that the Vietnam War produced some positive good for the people of Vietnam.  Again, if you were closely involved with that effort, how could you say otherwise?

[ii] A few of the CUG presentations will be of interest to CIP compliance professionals, even if they don’t deal with any other NERC standards.  This includes one presentation on the BES definition and about five on RAI – two with “RAI” in the title, as well as presentations labeled “Internal Controls” and “Risk-Based Framework”.

[iii] And by “you” I mean a cyber security professional.  I am not that, but there were of course many of them in the room at the CIPUG.

[iv] I notice now that Lisa’s presentation is shown as being about “Low Impact BES Cyber Systems” on the WECC page, but the actual title on the slides says “Low Impact Assets”.  Of course, the politically correct way to say this is “Assets Containing a Low Impact BCS” (and Lisa did catch herself and use that phrase a few times), which is a nonsensical attempt to bridge the gap between the two completely different points of view from which CIP-002-5.1 was written (without any clear reconciliation).  I’ve written about this sorry mess a number of times, including in this post under the heading “Have an Apple, Adam?”

[v] I much prefer Morgan’s approach to answering hard questions to that of a NERC manager who often addresses industry meetings, and who seems to feel compelled to answer every question that gets raised.  This has led him multiple times to say things that later have to be retracted or reworded by NERC.  Unless you’re going to say that the opinions you’re expressing are entirely your own (as I do in this blog), you shouldn’t be making statements without confirming them with the organization under whose auspices you’re making those statements.

[vi] I have wondered why the situation is so much different with CIP v5 than it was with v1-v3, where there were certainly some questions but they seemed to be much fewer, and much more contained.  I believe the problem is that v5 was much more ambitious, and requires the entity to make judgments about a number of areas that weren’t relevant in CIP v1-3.  The bright-line criteria are one example of this, but the biggest example is probably the concepts of BES Cyber Asset and BES Cyber System.  Just look at my recent post on “methodology” for BCS identification and classification to see how fiendishly complicated – and ill-defined – the concepts of BCA and BCS really are.  I hope to have a post on this topic in the future.

[vii] In fact, I will state unequivocally that there is no way NERC will ever be able to address all of the questions with v5, no matter what time frame you look at.

[viii] In fact, there is a real danger that some entities’ CIP v5 compliance efforts may be entirely for naught if it turns out they guessed the answer to a particular question wrong.  Let’s say your entity has only one Medium impact substation, and that the Attachment 1 criterion it falls under is ambiguous.  You go ahead and spend a million or so (which isn’t a lot for a large entity’s compliance program, but is huge for a small entity’s) implementing compliance with all the requirements, for that substation.  Four years later, you get audited and the auditor casually mentions, “Oh, that criterion was recently clarified by (someone at NERC), and your substation would now be considered Low impact.”  Wouldn’t that make you feel wonderful?

[ix] Of course, by CIP v5 I really mean the combination of v5, v6 and v7 standards that entities will actually have to comply with, which I have otherwise called CIP v6.3940.

[x] Even if CIP v5 is declared “open” for a year or so (I’m sure the idea of making it permanently open wouldn’t fly with FERC or Congress), NERC also needs to write a Standards Authorization Request for a complete rewrite of CIP-002-5.1.  While the other CIP v5 standards can probably be salvaged with enough interpretation effort, CIP-002 is beyond salvation.  It needs to be condemned to the eternal fires and be reborn in a completely new standard. That will take a few years, but at the end CIP v5 will be on a solid foundation.  Without that, there will always be questions about whether an entity has properly identified and classified its BES Cyber Systems in the first place, even if there are no remaining questions about the other v5 standards.  I called for rewriting CIP-002 in this post.

[xi] At one point in his presentation, Tobias asked how many entities had completed their CIP v5 compliance implementation.  He seemed genuinely surprised when nobody – of the 350 people in the room – raised their hand.  I would have been astounded if anyone had.

[xii] Here are five examples of fundamental issues that NERC doesn’t even plan to resolve, as far as I know: a) the use of Facilities vs. assets in the bright-line criteria; b) the meaning of “impact the BES”; c) the status of the term “Group of Facilities” (discussed in the CIP-002 Guidance) as it relates to the Criteria; d) whether connectivity has anything to do with whether a Cyber Asset is a BCA; and e) whether entities are advised to group BCAs into different BCSs depending on the requirement (this is implied to be desirable in the Lessons Learned document on “Grouping BES Cyber Assets”, but strikes me – and others – as a recipe for utter chaos).  These are all quite fundamental questions that NERC hasn’t even said they’ll produce guidance on (I intend to do posts on all of them, not just the first two, which I have already addressed).  I could definitely list a few more, except I’ve already been working on this post all day (fortunately, there’s a huge blizzard going on in Chicago as I write this, and I don’t feel bad that I’m not doing something outside the house).


  1. I'll take the BLUE pill, please.

    Excellent analysis, as always, Tom. You continue to shed light on and bring discussion to important issues facing us all.

    I've got to find my way out of the trenches and partipate in one of these events and engage the broader community.

    In the meantime - back to Fantasy Island (err... I mean, FantasyLand). Those Mickey Mouse ears are around here SOMEwhere...


  2. As we develop our CIP v5+ Training Suite we are constantly amazed at the volume of instances where subjectivity is the basis for compliance.

    Consider the words “or similar” in the definition for “Exceptional Circumstance”. Subjective criteria requires the entity to develop their own list of what they consider to be exceptional circumstances AND develop AND document the reason(s) they believe each circumstance identified meets the inferred criteria in the glossary definition.

    CIP 008 requires an entity to report incidents they have identified as reportable within the timeframes specified for those incident types. Nowhere is there specified within the standard a minimum OR maximum acceptable timeframe for determining whether an incident meets the criteria of reportable. So who becomes – in the words of George Bush - the “decider”? The individual auditor will have free rein unless the entity once again develops a clear process and supportable timeframe for this task.

    The flexibility of subjectivity is fine for “guidelines” or “best practices” – but STANDARDS implies a need to comply with an “established criteria”. How does one comply with “or similar”?

  3. As unaccustomed as I am to defending the wording of the CIP v5 standards, I think you may be overthinking these two issues, Quizzicle.

    The definition of "CIP Exceptional Circumstance" gives the entity the ability to identify more potential exceptional circumstance types than the ones explicitly provided in the definition. It seems reasonable to me that they should have to document - after an exceptional circumstance has been resolved - why this particular circumstance was similar to one of the types listed in the definition. If they abuse this privilege by creating spurious types of exceptional circumstance - e.g. "deer hunting season" - I can see why they might be subject to a PV. But the alternative - spelling out a host of potential exceptional circumstances and not allowing the entity to identify others - strikes me as being more burdensome, not less. If there is reasonable doubt whether or not a type of circumstance is "similar" or not, I would hope there would be no PV assessed - and if there were, I would hope the entity would fight it. But there will always be gray areas in any standard; I'm not saying they can be eliminated.

    Regarding the 008 issue, are you suggesting there also be a requirement that the entity, in the event of a cyber security incident, decide during a set period of time (10 minutes?) whether an event is reportable? Would that really help anybody? I think entities should decide as soon as possible whether an incident is reportable, keeping in mind that if it is reportable, they need to do report it within an hour. I don't think they need a further requirement, and I don't think an auditor will accuse them of not deciding quickly enough, unless they took much longer than an hour to even decide whether the incident was reportable in the first place. Again, there's always going to be some gray in every standard, but trying to eliminate that completely quickly leads to a much larger regulatory burden - that then introduces further regulatory risk.