Monday, June 29, 2015

The News from SPP and WECC: Back to the Far End

June 29 Note: It was recently pointed out to me that the post below is based on the original version of the “Far-End Relay” Lesson Learned (posted for comment last September), not the finalized version that I linked below (which I admit I hadn’t downloaded or read when I originally wrote the post, since I didn’t realize there had been a big change in the LL). When I realized my error, I at first thought it would be easy to just update the post based on the final version. However, when I read the final version it became immediately clear to me that, while NERC’s conclusion didn’t change, their rationale did change –and very substantially. Based on the wording of criterion 2.5, I definitely think the original version had the right rationale, not the final version.

The conclusion of both versions of the LL is straightforward: A “far-end” relay, located in a Low impact substation, that is associated with a 200-499kV line that terminates at a substation that falls under criterion 2.5, is Low impact – not Medium. The original purpose of this post was first to state that I agree with the LL (not a big surprise there), but more importantly to warn against drawing from the LL a conclusion that I believe would be unwarranted – namely, that all BES Cyber Systems at Low impact assets are now automatically Low impact.

Fortunately, both versions of the LL support my warning, even though I don’t agree with the rationale in the final version of the LL; so the conclusions of my original post don’t need to change. I’m therefore leaving the original post as it is below, even though it’s discussing the September draft of the LL, not the final version.  But I do discuss the final version of the LL in the last footnote of this post (BTW, the September version of the LL has been taken down from the NERC website. If you want to see it, you can email me at and I’ll send it to you).

I must say, this is all quite disappointing to me. Here I thought I could for once give a clean endorsement to an important NERC document without any ifs, ands or buts; but now I have to go through an elaborate dance of saying I agree with the conclusion but not the reasoning of the final document, and that the document I do agree with has been officially superseded. I continue to hold out hope that someday I’ll find a NERC document I can agree with entirely. If that ever happens, you’ll be the first to know.

This is the third post in my series on things I learned at the SPP and WECC CIP conferences the first week of June. I would subtitle the series “What I Did on my Summer Vacation”, if I could convince you that a week with more than two days of travel and three days of meetings was a vacation.

I have expressed my displeasure with NERC for its slowness in coming out with guidance on the many issues with CIP v5, as well as in many cases for the content of the guidance it has produced.  But there is at least one guidance document that I consider spot on, in terms of saying exactly what needed to be said about its subject and not causing any “collateral damage” by saying more than it should; this document is the Lesson Learned (LL) on Impact Rating of Relays, aka the “Far-End Relay” LL (it also happens to be one of only two LLs that have been finalized).

So why am I bringing this up? I almost always deal with problems with the rollout of CIP v5, not with things that aren’t problems. The “problem” with this LL isn’t due to its content, but to the fact that almost nobody seems to understand what it means – and this includes people from NERC entities, the regions, and NERC itself. This lack of understanding can and will likely lead to problems with implementing and auditing compliance.

The second paragraph of the LL summarizes the complete argument of the document.  It reads:

“As discussed further below, the language of CIP-002-5 and its support documents limits the application of the medium impact rating to the BES Cyber Systems associated with Transmission Facilities operating between 200kV and 499kV at a single station or substation. The Transmission Facilities must be located ‘at a single station or substation’ that meets certain connection criteria in order for the associated BES Cyber Systems to receive a medium impact rating.”

Of course, this paragraph – indeed the whole LL – refers to criterion 2.5 and only that criterion. To unpack the content of the paragraph, it says the following:

  1. The subject of the criterion – i.e. what gets classified as Medium impact – is Transmission Facilities between 200 and 499kV. This includes lines operated in that voltage range that terminate in the substation. It does not include the substation itself; in fact there is technically no such thing in CIP v5 as a “Medium substation” – all of the criteria that apply to substations actually classify the Facilities at the substations, not the substations themselves (of course, in practice it’s almost impossible to avoid using this language, as I’m about to demonstrate).
  2. Because the “preamble” to Section 2 of Attachment 1 states that BES Cyber Systems are Medium impact if they are “associated with” the subject of one of the Medium criteria, this would normally lead one to conclude that all BCS that are associated with a Medium line at a substation that has Facilities meeting criterion 2.5 (it would be much easier to say “a criterion 2.5 substation”, of course) will themselves be Medium impact.  And this would include “far-end” relays in a transfer-trip scheme, even if these are located at a substation that is otherwise Low impact (and yes, a substation can itself be Low impact. In fact, no Facilities are Lows, just assets are. The wording of CIP-002-5.1 is contradictory on this point, as on others).
  3. When this implication became widely known, there was a great hue and cry that this would lead to huge costs for transmission entities, as they would have to spend lots of money to protect these Medium BCS at Low substations. However, the Lesson Learned (released last September) made it clear this won’t happen. To see NERC’s reasoning, just look at the paragraph quoted above: It points out that in criterion 2.5 the word “Facilities” is modified[i] with the words “at a single station or substation”.
  4. This means that, for this particular criterion[ii], all lines are excluded from being Medium impact Facilities, since they are inherently not limited to a single station or substation. Because the line isn’t a Medium Facility, the far-end relay can’t be considered a Medium BCS, since it isn’t associated with a Medium Facility. About three months before this Lesson Learned was released in its first draft, exactly the same argument had appeared in my blog, contributed by an Interested Party who has often contributed to my posts.[iii]
So what’s the problem? The problem is that many people in the NERC community – I’m willing to bet it’s the majority, although I haven’t conducted a survey – believe that what the LL really says is something like “Location does matter”;[iv] in other words, that all BES Cyber Systems that happen to be located at Low impact assets are therefore Low impact simply because of that fact. This is absolutely not the case; the Lesson Learned only applies to BES Cyber Systems (probably always relays) associated with lines that terminate at a substation that “meets” criterion 2.5. It doesn’t apply to anything else.

Does this have a real-world impact? Yes, it does. Here are examples of two systems, located at a Low asset that might actually be Medium BCS:

  1. Suppose you have a centralized system – located at a Low impact substation - providing access control for cyber assets at substations, including some Medium BCS. Would the access control system be a Medium BCS? I believe it would, since it would presumably be associated with the Medium Facilities (lines, etc) that the Medium BCS it controls are associated with (in other words, “guilt by association”).
  2. Or suppose the Automatic Generation Control (AGC) system for a Medium plant is located at a Low impact plant, substation or control center. Since it’s associated with a Medium plant (perhaps meeting criterion 2.3), it will itself be Medium impact.[v]
Note: An Interested Party pointed out that both of the examples I just gave are fairly unlikely to occur in practice. He pointed out that one very real example is an SPS/RAS system that meets criterion 2.9. The different components of the SPS - each a BES Cyber Asset in its own right - could be located at a number of different substations and/or generating plants that are Low impact. However, since the SPS (now officially called RAS, I believe) is an asset (one of the "magic six") that is Medium impact by 2.9, all of its component BCS will be Mediums as well - regardless of whether they're located at a Low or "Medium" impact asset.

Here's a note on my note: As I wrote the note, I was trying to figure out the implications of calling SPS an "asset", when it is actually really a system, with components spread out among multiple assets. It would be nice to figure out exactly how SPS/RAS fits into the admittedly shaky "system" of asset identification and classification in CIP-002-5.1. I'll put that on my list of posts to work on. If anybody has any particular thoughts on this matter, let me know.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte & Touche LLP.

[i] And if you don’t remember what “modified” means here, please dig up your sixth-grade textbook on diagramming sentences.

[ii] The same phrase appears in Criterion 2.6, where it would most likely also have the effect of removing Transmission lines from consideration.

[iii] You may wonder what happens to the “near-end” relay – i.e. the one that resides in the “Medium” substation and is associated with the 200-499kV line; is that now also Low impact? This would be true if it were only associated with the line. However, it is also associated (and more closely, too) with the circuit breaker that can trip that line. Since the circuit breaker would be a Facility operated at 200-499kV at a substation that has 3,000 points, then the relay is a Medium BCS. And BTW, if the far-end relay directly controlled that “near-end” breaker, I would say that relay would then be a Medium BCS, in spite of being located at a Low substation. Fortunately, I don’t think this is generally the case with transfer-trip relay schemes.

[iv] These were Tobias Whitney’s words when he “explained” NERC’s position on this issue at the June 2014 CIPC meeting, as described in this post. Those words seem to have taken on a life of their own, even though the Lesson Learned uses a very different argument – both the draft and final versions.

[v] Here’s my footnote on the final version of the Lesson Learned. I must say, this version is an odd document. It seems to make two slightly different arguments, both leading to the same conclusion.  I don’t agree with either argument, but as I said in my note at the top of the post, the good news is that the overall conclusion of the final version of the Lesson Learned is the correct one.  This is also the conclusion of the September draft of the LL – and I agree with that document 100%.

The first argument is in the first paragraph of the LL, which states that relays “located at Transmission stations or substitutions (sic – I’m guessing NERC meant to say ‘substations’ here) described in criterion 2.5” should be Mediums, while those located at substations that don’t meet 2.5 (or any of the other Medium criteria) should be Lows.  My problem with this is it seems to completely ignore the fact that criteria 2.3 – 2.8 apply to Facilities, not to assets. I’ll say this for probably the 15th or 20th time (and the second time in this post): the SDT didn’t put the word “Facilities” in those criteria just because they wanted to break up the monotony – they did it because they wanted Facilities to be what those criteria apply to, not assets. Facilities are lines, breakers, transformers, etc. Assets (with a little “a”) are the substations, generating plants, etc. So the substations don’t technically “meet” criterion 2.5 or any other criterion. This can have consequences for the amount of work the entity has to do to comply, but I’ve also discussed that issue at length, such as in this post.

More specifically, reading this first paragraph of the final version of the LL will lead one to conclude that the entire determinant of whether a BCS is Medium or Low impact is the substation it’s located at. This is simply not true. For example, in a criterion 2.5 substation, a relay associated with a circuit breaker operated at less than 200kV will be Low impact, not Medium.

The last paragraph seems to bring up a different argument, although it also leads to the same wrong conclusion as the first paragraph. I quote that paragraph in full:

“The Guidelines and Technical Basis (Guidelines) section of the Reliability Standard also discusses Transmission Facilities described in Attachment 1 which states: ‘In most cases, the criteria refer to a group of Facilities in a given location that supports the reliable operation of the BES. For example, for Transmission assets, the substation may be designated as the group of Facilities.’ According to the Guidelines, ‘The Transmission Facilities at the station or substation must meet both qualifications [i.e., the connection specifications described above] to be considered as qualified under criterion 2.5.’”

I actually agreed with the SDT when they wrote in the Guidance and Technical Basis that a substation could be considered a “group of Facilities” – that’s about the best definition of “substation” you could come up with (my usual definition is “a bunch of expensive equipment with a fence around it”). It’s hard to say what the above paragraph is saying, but it seems that, instead of moving from this observation to the conclusion that the near-end relays are Medium if and only if they’re associated with a Medium Facility, whoever wrote this LL seems to be falling back on the idea that all the BCS at a “Medium” substation should be classified as Medium impact, regardless of whether or not they’re associated with a Medium Facility. By implication, they’re also implying that all BCS at Low impact assets will be Lows. Neither of these statements is true.

The ironic part is that whoever wrote the draft LL from last September seemed to understand quite clearly that it is the Facility that determines the impact level in criterion 2.5 (and by implication in criteria 2.3 – 2.8). I’d love to know why this understanding has been lost to NERC. It’s kind of like if Apple had suddenly forgotten how to make smart phones.

Saturday, June 27, 2015

New Webinar Recording Posted

I’m pleased to announce that the recording of the webinar I did on June 18 with Steve Parker and Karl Perman of EnergySec has now been posted here; the slides are also linked on that page.  The webinar addressed the issues raised in NERC’s April Memorandum on “Network and Externally Accessible Devices”, including the question whether devices that are serially connected within a substation nevertheless participate in External Routable Connectivity, if a routable protocol is used somewhere along the external communications stream.

You may want to download the slides before you listen to the recording, since the first five or six slides are sometimes hard to read because of a “ghosting” problem.

We announced at the webinar that we’ll have a new webinar in August on issues with Configuration and Change Management in CIP-010-2 (I had stated when I announced this past webinar that we were going to address that topic there. However, we decided that just discussing the ERC Memorandum would take up the whole hour, so we shouldn’t try to do more than that. As you’ll see when you listen to the recording, we certainly made the right decision).  I should have the announcement for the new webinar posted soon.

The views and opinions expressed here are my own and don’t necessarily the views or opinions of Deloitte & Touche LLP.

Friday, June 19, 2015

Grouping BES Cyber Systems on the Fly

Dear Reader:  In April, I wrote a post discussing the fact that NERC entities can group BES Cyber Assets into BES Cyber Systems in multiple ways, specific to each CIP v5 standard or even requirement.  I speculated how taking advantage of this might save entities a lot of time and money in complying with v5 – I call this “Grouping BCS on the Fly”. After the post came out, I had three good conversations (two email, one verbal) on this topic, which opened my eyes a lot to both the possible advantages and drawbacks of taking this approach.  I will start with an email I received from an auditor, which as you can see urges caution but doesn’t say this is illegal or inappropriate.

The Auditor’s Email
“I have always maintained that you can regroup BCS by Standard and Requirement.  Just as a BCA can appear in multiple BCS.  There may be good reasons to do so, although you need to carefully consider (whether taking the approach you discussed will provide you with any advantages, and if so whether those advantages might be outweighed by disadvantages).

“If you define a single set of BCS, you will have an easier time keeping everything straight.  Make a change to the environment and you only have to update one BCS group.  You can have global policies and procedures that cover multiple BCS, and you can have multiple procedures that in total cover all of the Cyber Assets in a BCS. (Both of these considerations minimize the advantage of “grouping on the fly”.) 

“The disadvantages are also as you suggested.  If you have different groupings of BCS for one or more Standards and Requirements, then you have multiple lists of BCS and their component Cyber Assets to keep up with.  Make a change to the environment, and you run the risk of not updating all of the impacted BCS documentation or not properly applying the applicable controls.  You also run the risk of inadvertently excluding a BCA from a BCS for a given Standard and Requirement.  And, your list of High and Medium impact BCS required by CIP-002-5/R1 will be far more complicated because the auditor will expect you to produce all of the various lists and identify their applicability.  And before you look forward to ending up with different impact categorizations (at best, that could occur in a generating plant; certainly not in a Control Center), the benefit to do so might not be worth the effort it takes.

“Here is what I have learned:

“First, pay extremely close attention to the applicability statement for each Standard and Requirement.  Especially the differentiation between Medium Impact BCS, Medium Impact BCS with External Routable Connectivity, and Medium Impact BCS without ERC.  There are huge benefits of segregating your BCA into BCS with ERC and (grouping BCA without ERC into a separate BCS).  Some of the most problematic requirements in the generating plant are not applicable to BCS without ERC - think about all the smart sensors, HART-enabled devices, etc. (This means that it is worthwhile to group as many of these plant floor devices as possible into BCS without ERC, to avoid the difficulty) of providing the necessary physical access controls if they are grouped into a BCS with ERC.

Note from Tom: The auditor’s point about grouping BCS into those with and without ERC is a good one, but I don’t think it has an impact on the question whether or not an entity adopts the “grouping BCS on the fly” approach that I’m discussing here. For example, to comply with the requirements where ERC makes a difference, the entity might want to group BCA with ERC into one BCS, and BCA without ERC into another.  But for other requirements, other groupings might be easier to work with (such as grouping by OS for the patch management requirement).

“Second, the KISS principle really applies here.  The more complicated you make your process, the more error prone it is.  Errors may result in violations.  Violations may result in financial or non-monetary sanctions.  Even if there are no sanctions, you will still have to fix the problem and do so in such a way as to preclude the error from happening again.

“Third, another reason for KISS is that straightforward internal controls are the controls that are most effectively implemented.  And well designed, effective internal controls are how you gain benefit from an Internal Controls Evaluation under the Risk-Based Compliance Monitoring and Enforcement Program.  You want controls that can survive a change in personnel, especially as there is often no overlap period to do a proper handoff and knowledge transfer.

“The auditor will take the time to carefully evaluate whatever the registered entity has done.  Greater complexity brings greater scrutiny because the risk of error is greater.  In the end, it is entirely up to the registered entity to logically group their BCA into BCS.  The auditor should not find a possible violation because he/she disagrees with the grouping unless there is a material deficiency in the lists (such as an overlooked BCA).”
(back to Tom) So this auditor is saying he doesn’t personally see great advantages to grouping BCS on the fly, but that it won’t be held against the entity if they decide to take that approach.

Supporting the Idea
Another email I received the day after the post was from a consultant I’ve known for some time.  He pointed out that he’s working with an entity that has decided to have ten different groupings of BCS!  He agrees that having the proper documentation (which needs to be very flexible) is key.  He has promised to let me know how this works.

I also had a verbal conversation with a compliance person at a large entity, who said she had considered doing this but felt it wouldn’t work well (from a regulatory risk point of view) in their environment.  But she could see one big benefit: it makes the TFE process easier.  Let’s say you had a large set of relays that you were going to have to take a TFE on for a particular requirement.  Instead of having to do a TFE for each, you could group them all together as a single BCS for that requirement, while still being able to group them in other ways for other requirements (say according to the network they’re on, for compliance with CIP-005-5 R1).

I’d be interested in hearing from anyone else who is trying this.  I still think there could be a lot of benefits, and I’m glad NERC and the regions have supported this as an option for those who want to take advantage of it.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte & Touche LLP.

Tuesday, June 16, 2015

The News from SPP and WECC, Part II: Complying with CIP v6

I have mentioned several times since early 2014 that it is unfortunate the revised standards developed in response to FERC Order 791 were called the “CIP Version 5 Revisions” rather than simply CIP v6, since that is in fact what these are.  And it is even more unfortunate that not all the v5 standards were “revved” to v6, since now entities will have to keep in mind that the “compliance version” of CIP consists of three v5 standards (002, 005 and 008) and seven v6 standards (i.e. all the rest).[i]

This arrangement is obviously causing confusion, and that is unfortunate.  But a question at the WECC meeting on June 4 (and other conversations I’ve had over the past few months) showed me there is a more serious consequence: Entities may put off working on compliance with the changed requirements in v6 longer than they should, due to the mistaken impression that v6 is the “next version” to comply with, and that entities should just focus on v5 for now. 

Let me be clear: You will only comply with one version of each of the standards which are collectively – and informally - called “CIP version 5” (as just described, this is three v5 standards and seven v6 ones).  Most of the v6 requirements have the same compliance dates as their v5 counterparts – April 1, 2016 for Medium and High assets/Facilities and April 1, 2017 for Lows.  The other v6 requirements have different dates; you can find a full list of the compliance dates in this post.  You really need to consider this as one CIP version, not two.[ii]

Specifically, the questioner asked whether his entity should be working on the Transient Electronic Devices requirement (CIP-010-2 R4), given that FERC hasn’t approved v6 yet.  The answer was clear: Just like all of the “CIP v5” standards, you need to look at the compliance date for that requirement and make sure you start your compliance effort early enough to meet that date.  For CIP-010 R4, the compliance date is January 1, 2017.  As with all requirements, you need to start getting ready, so that you can be sure of being compliant on the appropriate date.[iii]

So don’t let the different version numbers fool you: you will have to comply with one CIP “version”, not two.  If it’s easier, you could call the next CIP compliance “version” what I have previously called it: CIP version 5.5.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte & Touche LLP.

[i] The experience with CIP v2 and v3 is illustrative.  When FERC approved v2, they mandated that NERC develop, within 90 days, a new requirement to provide for escorted access of non-CIP-qualified visitors within the PSP.  NERC actually developed this new requirement on time.  The only substantive change was to CIP-006, but NERC at the same time re-christened all of the other v2 standards as v3 ones.  This is why, since 2010, NERC entities have been complying with “CIP v3” rather than with CIP-006-3 along with CIP-002-2, CIP-003-2, etc.  Unfortunately, that approach wasn’t followed this time.

[ii] I long ago made a ZIP file with the actual compliance versions of the v5 and v6 standards.  If you want to email me at, I’ll send you that file.

[iii] Part of the reason the questioner was holding back on starting compliance with the “transients” requirement was he wasn’t sure FERC would actually approve it.  Scott Saunders of Exelon – who was a member of the CIP v5 Revisions SDT (I should say is a member, since their work may not be over yet) – came up to the microphone to confirm there is little chance FERC won’t approve all of v6. 

Now, it is always possible FERC will require something more be added to the v6 standards – in which case the revised standards would be called v7.  But it is very unlikely they won’t approve all of the v6 standards that NERC submitted to them in February of this year.  Anyone who puts off starting their effort to comply with a v6 standard solely because FERC hasn’t approved v6 risks missing the compliance date.  This is especially true for the Transients requirement, since that will require a lot of completely new procedures be implemented and will therefore require a lot of time to prepare.  It may also be true for the requirement to physically protect all intra-ESP wiring even if it exits the PSP (CIP-006-6 R10), which may require either physical changes like conduit or logical changes like encryption.

Sunday, June 14, 2015

An Auditor's Anguish

In early May, EnergySec released a very important “opinion piece” that I think all people involved with NERC compliance (not just NERC CIP) should study carefully; this includes employees of NERC entities, NERC and FERC, as well as consultants providing compliance services to NERC entities. More generally, it includes anyone who cares about the integrity of the process of auditing NERC standards.

I won’t try to summarize this document, since it speaks very eloquently for itself. You need to read it very carefully, not just for what it says but for the implications of what it says. This means you really have to read it as you read the poems, short stories, etc. you were assigned to read in high school or college English classes (and you did read them, didn’t you?).

Just like in high school or college, I am going to give you an assignment.  I want you to:

  • Read the document carefully.  Twice.
  • Keep in mind that this document was written by ex-auditors (three of the principals of EnergySec are ex-WECC auditors). Try to understand the pain they must be feeling due to the actions described in the document – that is, what they believe those actions are doing to their long-cherished ideals of Auditor Independence.[i]
  • This is a very tightly-written document.  Many of its most-important points are stated only in a single sentence, and may not even be the main subject of the sentence.  Look for those points.
  • Ask yourself the following questions: “What are the implications of EnergySec’s argument for the future of NERC CIP auditing and compliance?”; “What are the implications for the other NERC standards?”; “What are the implications for the ERO itself?”[ii]
Remember, most of your grade for this course will depend on this assignment.  And don’t tell me your dog ate it.

Note on 4/1/16: I have just linked this post in a post I put up today. Please note that EnergySec's conclusion in their opinion piece isn't the same as mine. I am saying the SGAS have most likely made CIP v5 (and v6) unenforceable in the strict sense that violations that are appealed to the Federal courts will never be upheld. EnergySec is saying the SGAS constitute a serious threat to auditor independence, but they don't go as far as my conclusion.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte & Touche LLP.

[i] Coincidentally, I have been learning a lot about Auditor Independence, in the almost two months since I joined the Advisory arm of a public accounting firm.  There are very strict and thoroughgoing rules that apply not just to the auditors themselves, but to all of the rest of us who couldn’t explain the difference between a credit and a debit to save our lives.  I have to follow some of the same rules described in the EnergySec document.

[ii] The notices for the SGAS now carry disclaimers stating they’re not providing compliance guidance, etc. However, I believe the main thrust of EnergySec’s objections to the SGAS is that the simple fact that the meetings are closed to the wider NERC community, and no record is published of them, constitutes a huge threat to auditor independence, if it doesn’t destroy it altogether. It is quite clear that the SGAS won’t be opened up, and their results won’t be shared with the community.

Friday, June 12, 2015

The News from SPP and WECC, Part I: “Programmable”

This is the first of two or three posts based on my visits to the SPP CIP v5 Workshop in Kansas City and the WECC CIP User Group in Portland during the first week of June.  I learned a lot from the presentations at the meetings and from individual conversations with various parties, which I’d like to share with you.

Without doubt, the biggest concern at both meetings was the six “Memorandums” that NERC put out in April.  And the biggest part of this concern was caused by the impression that the guidance provided in these documents was in some way mandatory for compliance.  The Memorandum that caused the most concern was the one on Programmable Electronic Devices.

On April 22, NERC released a Memorandum on the meaning of “Programmable Electronic Device” (PED).  As we all know by now, this is how “Cyber Asset” is defined in the NERC Glossary.  And since Cyber Asset can be considered the foundational definition of CIP Version 5, getting this right is of vital importance for compliance with v5.  PED was never defined in the drafting process for v5, which is why we’re having this conversation now.

Some background: The Memorandum wasn’t the first time NERC has addressed this issue.  There was a draft Lesson Learned posted on January 9[i].  The argument in this document hinged on the distinction between devices that are “field updateable” and those that are “configurable only”.  According to the Lesson Learned, the former are programmable (and therefore meet the definition of Cyber Asset); the latter are not.  When this draft Lesson Learned appeared in January, most NERC entities I talked to thought it was a fair document – one they could live with.

I had expected the Lesson Learned would be finalized by April, but the April Memorandum made clear that this document now sleeps with the fishes; it will never be finalized. The Memorandum states (page 2) “After further evaluation, NERC determined that the issue related to this topic was not appropriately addressed through a lesson learned or FAQ as it was not consistent with the purpose of those guidance documents.”

What’s the new definition?  NERC wastes no time in setting that out in the Memorandum, it is “any device that is electronic and capable of executing a set of instructions.” In other words, “configurable only” devices are now considered programmable, whereas they weren’t in the Lesson Learned. This new “definition” is based on the SDT’s responses to comments from NERC entities received during the drafting process for CIP v5, which were included in NERC’s 7,000-page (!) CIP v5 filing with FERC in January 2013.

Is the new “definition” much different in practice from the old one?  From what I’ve heard, yes.  There are many devices that would have been excluded as Cyber Assets using the draft Lesson Learned because they are “configurable only”.  According to the Memorandum, these will all now be Cyber Assets, and will have to be considered as possible BES Cyber Assets.  As soon as the Memorandum came out in April, I heard cries of anguish from NERC entities about this.[ii] I heard more at the SPP and WECC meetings.

However, there was total unanimity among the speakers at the two meetings that the Memoranda don’t count as mandatory interpretations.  At the SPP meeting (which occurred on Tuesday June 2), three speakers – Kevin Perry of SPP, Lew Folkerth of RFC, and Tom Hofstetter of NERC – all agreed this was the case (naturally, they were speaking for themselves, not the organizations they work for – the standard disclaimer). However, they all did say that any entities that choose not to follow the “definition” in the Memorandum need to have a pretty good story about why this is the case. 

Lew Folkerth did go beyond that and pointed the audience to an article he wrote for RFC’s newsletter (pp. 8-9) last December, discussing in general how entities can deal with “non-prescriptive” standards[iii] such as some of the CIP v5 ones – i.e. how they can comply when the standard doesn’t provide all of the information needed to fully understand what “comply” means.  Let me go beyond what he said to address this particular problem: If your entity started their CIP v5 compliance program before April (and I would hope almost all entities did), you should point out to the auditor – when he/she questions why you didn’t use the April Memorandum as your “programmable” definition - that you couldn’t have even started your compliance effort without a definition of Programmable, since that is the first step in the process of identifying BES Cyber Systems.  If you started this year, you may have used the Lesson Learned from January. If you started last year, you may have used something like the “definition” provided to me by a Generation compliance person, which I described in this post last September. Whatever you did, you need to document a) how you searched through all guidance on this issue that was available at the time and b) the definition you used and how you arrived at it.

Hearing two regions (and a NERC spokesperson) say the new “definition” of PED wasn’t mandatory was certainly good news, but at the WECC meeting two days later (on Thursday June 4) there was even better news.  First, Brent Castagnetto, Chief CIP Auditor for WECC, said they didn’t consider any of the Memoranda to be mandatory (I’m told Texas Regional Entity also announced this).  Even more significantly, it was announced that, at a meeting in Atlanta held on Tuesday and Wednesday of the week, NERC had decided to withdraw the Memorandum on Programmable Electronic Devices altogether.[iv]

This last statement is quite interesting because of what it doesn’t contain – namely, any reference to what is going to replace the Memorandum.  Should entities try to follow the Lesson Learned?[v]  Or are they truly on their own to come up with the best possible definition?  I’m hoping that the CIP v5 Revisions SDT will address this, as well as the many other issues with CIP-002-5.1 (and the BCA/BCS definitions), by drafting a revised CIP-002 (which would have to include new BCA, BCS and Cyber Asset definitions; these are all intimately linked to the current CIP-002 wording).  This is the only way to settle these questions once and for all.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte & Touche LLP.

[i] I wanted to include a link to this document, but it seems to have been removed from the NERC web site.  If you want to email me at I’ll send it to you.

[ii] It was stated at the SPP meeting that the biggest reason for pushing through this changed definition was because the definition from the Lesson Learned would probably have been used by many entities to remove all relays, RTUs and some other devices from the scope of CIP v5.  I found this simply incredible, since I had never heard of anyone even considering this possibility – and I confirmed with others in the industry that they had never heard of that either. If that is why NERC developed this Memorandum, it seems to clearly be a solution in search of a problem.

[iii] I prefer the term “ambiguous”.  Just a matter of taste, I suppose.

[iv] I’m publishing this post a week after I wrote it. I regret to say that, at the NERC CIPC meeting in Atlanta June 9-10, Tobias Whitney of NERC made clear that not only does the PED Memorandum remain in effect, but NERC still considers it “auditable”. He said the only recourse that entities have, if they don’t like the Memorandum, is to file an RFI or a SAR for a new definition; of course, this doesn’t help anybody for compliance by next June, since both of these are multi-year processes at best – and I hear that NERC hasn’t even permitted any RFIs to go forward so far.

[v] NERC unfortunately cannot return to advocating that entities follow the Lesson Learned on PED.  They said in the Memorandum that the PED question wasn’t addressable through a Lesson Learned, per the quote in the fifth paragraph of this post. This is probably why the LL has been removed from the NERC web site.

Monday, June 8, 2015

A New Webinar with EnergySec

I’m pleased to announce that I will join Steve Parker and Karl Perman of EnergySec for a second webinar discussing interpretation issues with CIP version 5 and what NERC entities can do about them – given that the compliance date remains April 1, 2016. 

The first webinar, which took place on May 20 at 10 to 11 AM Pacific Time, discussed issues with CIP-002-5.1, including such favorites as the Memorandum on “programmable” and the meaning of “adversely impact” in the BES Cyber Asset definition.  If you couldn’t attend that webinar (or even if you could), you can listen to the recording here.  You can access the slides here and the Q&A document here.

The second webinar will take place on June 18 at 10-11 AM Pacific, and will discuss issues with CIP-003-6 through CIP-011-2.  You can sign up for that webinar here.  As usual, even if you can’t attend at that time, you should still sign up so you will automatically receive the recording link when it’s available. Here’s the story on the new webinar:

NERC entities have many questions regarding interpretation of the requirements and definitions of NERC CIP Version 5.  NERC has provided some guidance on some of these questions, but in very few cases can that be said to be definitive. For the remaining issues, NERC entities need to research whatever guidance is available; but in the end, it is up to each entity to determine and document how it will address the issue.

Three well-known specialists on CIP Version 5, Steve Parker and Karl Perman of EnergySec and Tom Alrich of Deloitte & Touche LLP, will identify certain major issues with CIP v5 and provide recommendations on how NERC entities can address each one.  Topics in this webinar include the meaning of “external routable connectivity” and configuration baselining in CIP-010.
Note: At the SPP and WECC meetings last week, more than a few people asked if I was still doing my blog – they noticed I hadn’t posted in a month.  I’m pleased to say that reports of my death are greatly exaggerated (to quote Mark Twain).  I have been overwhelmed (in a good way) with my first month and a half at Deloitte, but the spigot is back on and you should see a lot of posts in the near future – probably all you can stand!

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte & Touche LLP.