Thursday, March 12, 2015

CIP Version 5: The Endgame

Things fall apart; the centre cannot hold;
Mere anarchy is loosed upon the world,
The blood-dimmed tide is loosed, and everywhere
The ceremony of innocence is drowned;
The best lack all conviction, while the worst
Are full of passionate intensity…
…And what rough beast, its hour come round at last,
Slouches towards Bethlehem to be born?
- W.B. Yeats, The Second Coming

It’s been said, “Just because you’re paranoid doesn’t mean everyone isn’t out to get you.”  Since I’m known as somewhat of a Chicken Little, I’ll modify that: “Just because you’re Chicken Little doesn’t mean the sky isn’t falling.”  Folks, the sky isn’t falling quite yet, but I’m beginning to find some suspicious pieces of something in my front yard (now that the snow is finally melting here in Chicago).  I think CIP v5 is now in the endgame, by which I mean there will soon be no more possibility that, starting 4/1/16, the v5.5 standards will be enforceable standards.   Either the compliance date will be pushed back, or the Registered Entities will be given a “holiday” – either intentionally or unintentionally – from being assessed Potential Violations, as long as they’ve made a good faith effort to comply.

Here are some of those pieces, in no particular order[i]:

Item:  I heard last week that some of the NERC regions are now encouraging entities not to choose to be audited on CIP v5 if they have an audit scheduled this year; instead, they are telling them to stick with v3.  This is not a good sign; the auditors in these regions clearly don’t think they understand v5 well enough to audit it yet.  But this means these regions won’t get v5 audit experience, and their entities won’t get experience trying to comply with v5, until the date when they have to be fully compliant, April 1, 2016.  The whole idea of the transition program was that entities and auditors were going to get valuable experience with v5 before the compliance date.

Item:  I heard about another region that was doing just the opposite: strongly encouraging some entities to be audited on v5 this year, even if they can’t also maintain their v3 compliance program (which they are supposed to do, according to NERC’s v3-v5 Transition Plan).  Since v5 is now only being audited on a “just for fun” basis (and since v3 will effectively be as well, given what the region is telling the entity), this may indicate that this region just wants to focus on having their auditors and entities learn about v5 compliance together, without gumming that up with an adversarial auditing experience.  To be honest, I like that approach a lot; however, it doesn’t give much encouragement to the idea that CIP v5 will be an enforceable set of standards next year.

Item:  I participate in one of the CIPC working groups that is working on compliance issues.  They have been working on a Lesson Learned having to do with whether communications equipment should be considered as BES Cyber Systems, where there is no ESP in a substation.  However, as we pursued the discussion, it became clear there can be no resolution to this issue until larger issues with CIP-002-5.1 R1 are addressed – specifically, the question of how you are supposed to identify BES Cyber Systems in general (which I just addressed in a post this past weekend).

Everyone pretty quickly agreed with this conclusion, but the question is what to do next.  As you may know, I think the only way to fix CIP-002-5.1 R1 is to send it to meet its Maker and start over again with a SAR for a new standard (which of course will probably take three years to be developed).  The group clearly wasn’t quite ready to agree with that, although they also couldn’t come up with any other way to actually fix the requirement (hint: There is none.  The only other binding option is to do a Request for Interpretation.  But those take almost as long to bear fruit as rewriting CIP-002 will.)  The same goes for all the other issues that are tied to the meaning of CIP-002-5.1 R1 – including more fundamental ones like how one identifies a BES Cyber System; none of these will be properly addressed for years, until the requirement is rewritten from scratch.  Therefore, entities have to identify their cyber assets in scope for v5 pretty much using their own interpretations of R1, which is probably the most confusing and contradictory requirement ever written by NERC.

Item:  I just said above that NERC hasn’t come out with a Lesson Learned on BCS identification.  That isn’t quite true, because they did include a lot of discussion of BCS identification in their recent filing with FERC on the results of the BES Cyber Asset survey.  While I think that overall this is a good document, it is quite clear to me that the people that wrote it didn’t understand what CIP-002-5.1 R1 and Attachment 1 say about BCS identification; this isn’t good, considering that NERC is supposed to be teaching everyone else about this fundamental process - not wandering around in the same wilderness that everyone else is in.  I will put out a post on this in the near future, God willing and the creek don’t rise.

Item:  At the WECC CIP User Group meeting in Anaheim that I attended in January, Tobias Whitney of NERC announced there would be 15 Lessons Learned developed by April 1.  However, I listened (remotely) to a good[ii] presentation by Kevin Perry of SPP this week, delivered at SPP’s Spring Compliance Workshop in Little Rock, AR.  In it, he pointed out that, while there would be about 15 LL’s posted by 4/1, there will be only two that are final: Generation Segmentation and Far-End Relay.  All of the others are in various stages of initial post for comment, etc.

So think about it.  There are literally hundreds of issues in CIP v5 (especially in the bright-line criteria) that need to be addressed by NERC.  And by April 1, exactly a year before the compliance date (and about 6 or 7 months after the Lessons Learned effort was initiated), NERC will have “definitively” addressed only two.[iii]  I’m sure they’ll step up that pace soon, but there are two big problems:

  • Many if not most of the big issues with CIP v5 have to do with determining what’s in scope (i.e. CIP-002-5.1 R1 and Attachment 1, as well as CIP-005-5 R1).  But these are precisely the issues that entities need addressed before they can fully move ahead with their CIP v5 compliance programs.  They really needed these issues to be settled last year, so for NERC to say now that they won’t even be addressed by April 1 is simply a cruel joke.[iv] 
  • As NERC entities finally start to seriously move forward on v5 (and some of them are, of course, having no choice in the matter), more and more interpretation issues will come up.  So if there are say 300 issues now, there will easily be 600 in six months (I publicly suggested to Tobias Whitney at the WECC CIPUG in January that NERC at least needs to collect a database of all known issues.  Of course, he rejected that idea, and also said that NERC entities should put aside their confusion about what the requirements mean and just forge ahead on compliance.  I presume he said that to show he has a great sense of humor).  No matter how many Lessons Learned and FAQs NERC puts out between now and 4/1/16, it is inevitable that there will be more unaddressed issues on that day than there are today. 

Item:  At the WECC meeting, Tobias also proudly announced “CIP University” – kind of an online course catalog showing you different teaching events provided by the regions.  I was skeptical of that because a) there really hasn’t been a huge amount of CIP v5 outreach by the regions (at least not compared to the need for it); b) most entity compliance staff members don’t have the travel budgets to go flying around to every regional meeting; and c) most people are going to be fairly skeptical about the relevance of compliance advice given by a different region than theirs (perhaps unfairly.  I have attended a lot of regional meetings and have seen very little in the way of local “parochial” content – at least when they devote a day or two just to CIP).

Well, at the SPP meeting yesterday, Kevin Perry announced that CIP U has been replaced by the “CIP Workshops and Curriculum Calendar”.  To find that, you go to the NERC v5 Transition Program site and look for these words.  The page linked does give you a calendar of regional workshops.  But to be honest, I don’t think it's likely that many NERC entities will rack up frequent flyer miles as they try to slake their thirst for CIP v5 understanding by drinking at all these regional founts of knowledge.  There is also a Resources tab that lists a grand total of two webinar recordings[v] given in early 2014; excuse me for not cheering about that.

Most importantly, I can assure you there is a lot of inconsistency among regional discussions of CIP v5 (which is probably why there have been so few such discussions – the regions decided to lay low until they fully understood v5.  Unfortunately, most Registered Entities can’t wait ‘til 2030 for their region to finally understand v5; they have to comply next year).   Even if a compliance person had a lot of time and money to spend, what good would it do him or her to keep flitting from meeting to meeting, hearing different things in each one?

My last item is one I discussed in a post last week: the Small Group Advisory Sessions (SGAS) that NERC is now holding in Atlanta.  In Kevin Perry’s presentation this week, he touted these as something that SPP entities should take advantage of; he went on to specifically point out that I had waxed “apoplectic” about these in my post, saying they were illegal and immoral.

Now, I know Kevin quite well and have lots of respect for him; he has taught me a lot of what I know about CIP v5.  But I have to give him a PV for his statement, since he just didn’t read my post carefully enough.  In the post, I pointed out that the SGAS were definitely illegal (according to the NERC Rules of Procedure, which say nothing about NERC having private meetings with entities to answer compliance questions) and probably immoral (since the information provided to one entity wouldn’t be provided to others); but I said I could get over both of those hurdles.  In fact, there are no longer any completely “legal” ways that NERC can provide guidance on CIP v5 before the 2016 compliance date[vi].  I’ve been advocating since last year that NERC needs to forget about legality and provide guidance in any way they can.
No, my objection to the SGAS is that in these sessions NERC staff members are almost certainly going to provide interpretations of the standards, of some sort, for particular entities – and more importantly, that these aren’t going to be made public to the NERC community.  IMHO, this undermines the whole foundation for CIP v5 as an enforceable set of standards. 

In his presentation, Kevin said NERC would provide “advice” to entities on compliance – he was of course very careful not to say “interpretations”.  Is there a real difference between these terms?

If you mean by “interpretation” a long, philosophical discussion of the meaning of a particular requirement (such as you get in this blog, or in the Lessons Learned – although I’ve easily got the LL’s beat for length), I’m sure the SGAS won’t provide that; but I don’t mean “interpretations” in that sense.  What you will see in the SGAS is “advice” on complying with particular requirements, as Kevin said.  He actually used the example (in a later email to me) of an entity telling NERC how they intend to comply with a particular requirement, and NERC telling them whether that was a good idea or not.  How is that different from NERC’s “interpreting” the requirement for the entity?

For example, suppose an entity mentions that they considered the fire suppression system in a Medium substation not to be a BES Cyber System, since it doesn’t fulfill a BES Reliability Operating Service – and it doesn’t, since fire suppression isn’t listed as a BROS.  The NERC person will helpfully point out that, even though it doesn’t fulfill a BROS, the system (or the cyber assets within it) does meet the definition of a BES Cyber Asset. This is because, if the system isn’t available when needed to fight a fire, the substation will burn down, probably in well under 15 minutes; that will have a big impact on the BES.  Therefore, the system needs to be a BCS, and a Medium one at that.

March 17:  Kevin emailed today to point out that people might think that the above example was the one he'd mentioned in his email.  It isn't - I chose this example because I thought it was a good illustration of what I'm trying to say here.  Kevin's example would have probably worked just as well.

So what about an entity that didn’t have an SGAS – or maybe they had one, but the fire suppression system was never brought up?  The NERC people therefore never were able to give them the same advice they gave the first entity (remember, the SGAS are only 60-90 minutes long.  An entity of any size will never be able to get every single question answered in that time).  The second entity may pay a big price come audit time, due entirely to the fact that they weren’t lucky enough to bring up the fire suppression system in their SGAS, while the first entity was.  

Kevin calls this "advice", but “advice” vs. “interpretation” is a distinction without a difference, in my book.  Any time NERC talks directly with an entity about a compliance question, what they say is in some way an interpretation (just as the Lessons Learned are interpretations); NERC should share these interpretations with all other entities (of course, the document would have to be properly “sanitized” so that the entity that brought up the question initially can’t be identified.  This isn’t hard to do).   But NERC hasn’t stated any intention to publicly release the advice they provide in the SGAS.[vii] 

Of course, there’s a very good explanation for why NERC has come up with the SGAS – and you can find it in what I’ve already written in this post: There are far too many interpretation issues with CIP v5 for NERC to be able to address them through Lessons Learned or other semi-official means.  If CIP v5 is going to be enforceable on 4/1/16, NERC has to take extraordinary measures.  They’re certainly doing that, but the measures they’re taking – especially the SGAS – are rapidly making the standard unenforceable[viii], on 4/1/16 or any subsequent date.  Kind of ironic, don't you think?

I plan to elaborate on this – and discuss what I think will ultimately happen to CIP v5 – in my next two or three posts (or maybe 10-20 posts.  This is probably one of those tip-of-the-iceberg issues).

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.

[i] Since I’m getting tired of referencing the same posts over and over, I won’t be including as many links to previous posts as I normally do.  If I mention that I’ve said something before and you don’t know which post to look for, email me at

[ii] With the exception of one thing he said, which I’ll discuss below.

[iii] And to call the Lessons Learned “definitive” is a real stretch.  I will have a new post on this soon.

[iv] I was interested to note in Kevin Perry’s presentation today that the Lesson Learned on the meaning of “programmable” isn’t one of the two LL’s that will be finalized as of 4/1.  So a year before the compliance date, entities still don’t have a firm guidance on how they identify Cyber Assets (whose definition depends almost entirely on the meaning of “programmable”).  If they can’t properly identify Cyber Assets, they can’t properly identify BES Cyber Assets.  If they can’t properly identify BCAs, they can’t properly identify BES Cyber Systems.  And if they can’t properly identify BCS, they can never be sure they’re properly complying with CIP v5 at all; nor can their auditors.  There’s an awful lot riding on the definition of one word.  Entities have no choice but to “roll your own” definition.  However, this just goes to show the folly of pushing ahead with the 4/1/16 compliance date.

[v] Kevin said yesterday that the webinar he’d done in February 2014 (which was good) would be available, but it’s not – at least not yet.

[vi] Even the Lessons Learned live in a kind of shadowland of legality.  They’re based on an obscure section of an obscure appendix to the NERC Rules of Procedure, which simply says that any “entity” can prepare “documents that may be developed to enhance stakeholder understanding and implementation of a Reliability Standard.”  If the NERC Standards Committee approves, these can be posted.  Does this sound like a statement that these “documents” will be almost as valid as actual Interpretations?  Yet some at NERC are clearly trying to have people believe that.  I’ll have a post out on this issue soon.

[vii] Kevin also defended the SGAS by pointing out that compliance staff from the entity’s region will usually be present, and they give advice all the time to their entities.  This is certainly true, but if the purpose of the meetings is just to give the regions a place to meet with their entities (and the announcement says nothing about the regions being present), why hold them at NERC’s headquarters in the first place?  NERC develops the standards.  It isn’t supposed to be giving compliance advice to particular entities that it doesn’t share with all others, period.

[viii] Certainly, SGAS isn’t the only “extraordinary” means that NERC is employing nowadays.  Staff members have given opinions on standards, both in public presentations and informal conversations (such as the one I recount in this post); these opinions have sometimes had to be taken back as further thought was given to the matter.  But I’d rather have NERC staff members spouting off their opinions in open forums than in closed meetings with one entity.
