I have now done two posts (both of which I’m calling Tom’s Lessons Learned) about the meaning of “adversely impact” in the definition of BES Cyber Asset. The second post went further to show how my “definition” (really a procedure for determining whether or not a Cyber Asset can adversely impact the BES) could clear up the question whether HVAC and UPS systems need to be considered as BCA/BCS. I also gave two other examples of systems where my “definition” provides a way to answer this question: the SEMS system in a power plant and the fire suppression system in a substation.
The day after this post, an auditor emailed me to say that phone systems should be included in this analysis as well (we’re talking about electronic phone systems here, since others wouldn’t be Cyber Assets in the first place. If your current phone system requires you to ring up the operator and ask for “Ravenswood 4229”, you’re already off the hook – so to speak[i]).
Of course, the reason that phone systems would even be an issue in the first place is that they are sometimes a backup for system-to-system communications, e.g. when a control center dispatches a generating station. And some have wondered to me whether, in cases where the communications needs to happen within 15 minutes and the SCADA system could fail, the phone system might have to be declared a BCA/BCS (since as we well know, redundancy isn’t in itself an argument against declaring it such).
So let’s apply the analysis from the previous post, which at its heart consists of two questions. Both of these questions need to be answered affirmatively in order for the Cyber Asset to be considered to have adverse impact on the BES, if lost or misused.
1. Does the loss or misuse of the Cyber Asset adversely impact the asset/Facility?
2. Does this adverse impact on the asset/Facility necessarily[ii] translate into an adverse impact on the BES within 15 minutes?
To answer the first question, I think it can be said there would be some sort of adverse impact on the control center if the phone system were down. But what about the second question?
Let’s say the SCADA system in a control center is down (and the backup SCADA has failed to kick in for whatever reason); meanwhile, the ICCP system (which isn’t down) shows that the ISO needs a peaker plant dispatched immediately. If the control center’s phone system happens to be down as well, are they simply SOL? Will there be an inevitable BES impact? That’s hard for me to believe, since probably everybody in the control room has a cell phone in their pocket or purse. My guess is the message will get through to the peaker plant, even if it requires smoke signals or carrier pigeon.[iii]
So the answer to the second question is no, there won’t inevitably be a BES impact. Ergo, phone systems don’t need to be considered as BES Cyber Assets/Systems.
The auditor did make another good point about the previous post. He pointed to the place where I’d essentially restated the two questions. In discussing what an entity would need to prove in order to show that a Cyber Asset wouldn't have an adverse impact on the BES if lost or misused, I had said they would need to show that this loss or misuse
- Won’t impact the asset/Facility (i.e. question 1 above)
- in a way that would cause the asset/Facility to fail to fulfill one or more of the BROS that it normally fulfills (question 2).
He noted that making total failure to fulfill one or more BROS the criterion determining whether or not the second condition had been met would eliminate cases where misuse of a Cyber Asset had caused the asset/Facility to partially fulfill its BROS. He gave the hypothetical example of an entity that argued (using the SEMS example from the previous post) that while the plant may have had to reduce its generation output below a certain threshold in the event of the SEMS failure, as opposed to tripping the plant offline, it was still producing energy, doing voltage control, etc. - all of the BROS functions it normally performs; it just wasn't completely fulfilling all of those BROS to the same degree as previously. His point was that even a partial failure to fulfill BROS constitutes adverse impact on the BES. I have changed the second item to read “in a way that would cause the asset/Facility to fail to fully fulfill one or more of the BROS that it normally fulfills..”
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.
[i] I won’t say there aren’t any of these systems out there. There may still be a few utilities that haven’t gotten permission from the PUC to update the phone system they bought in the 1930’s. Of course, I can’t imagine there are too many operators out there nowadays, ready to plug the long black thingy into the proper hole on their switchboard.
[ii] The word “necessarily” wasn’t in the previous post, but I think it is really crucial (I’ve updated that post now). As I said in the previous post, it seems to me axiomatic that a control system could have an adverse impact on the asset or Facility it’s associated with or located at (question 1); it wouldn’t be a control system if that weren’t the case. But it isn’t axiomatic that the impact on the asset/Facility will translate into an impact on the BES (question 2). In the case of the fire suppression system in the previous post, even though that system had been disabled by a hacker, someone might be at the substation and pick up a fire extinguisher to put out the fire; or the wind might be blowing in a direction where there was no harm to a BES Facility. It is only if the BES impact is inevitable (question 2) that the Cyber Asset can be said to have an adverse impact if lost, misused, etc. – and therefore be a BES Cyber Asset.
[iii] The fact that I’m even considering this question may seem to violate the statement in the BCA definition that redundancy “shall not be considered when determining adverse impact.” Remember, since I’m breaking the determination of “adverse impact” into two parts, this statement only needs to be true for one of the two parts (questions). For the second question, I agree that redundancy doesn’t make any difference – if an asset has a BES impact, it has it regardless of whether or not there is redundancy. But for the first question, I think redundancy is sufficient mitigation to make the answer to the first question “no”, and therefore to make the phone system not a BES Cyber Asset/System. Think what you might have to do if redundancy weren’t a mitigation for the first question, in the control center case: every cell phone used in the control center (and actually maybe every cell phone that could be borrowed by an operator, no matter who owned it) would have to be considered as a BES Cyber Asset!