An Auditor Responds on Phone Systems, XML Listeners, and More!

After my recent post discussing why phone systems (as well as fire suppression and HVAC systems) aren’t BES Cyber Assets, an auditor emailed to add the following points. I’m reproducing his words verbatim, although I’ve put some comments of my own in in italics.

Auditor: A quick note on redundancy.  Redundancy as envisioned by the CIP standards is redundancy of functionality, not necessarily redundancy of physical Cyber Assets.  For example, many market systems use XML as a backup to ICCP to send generation deployment instructions.  If the ISO/RTO market rules require a primary and a backup method and XML happens to be the backup to ICCP, then both are considered BCS.

Tom: The auditor is referring to my discussion where I implied that redundant systems are usually identically configured. He makes a good point that systems can be quite different but still be “redundant” for purposes of the BCA definition – meaning they both could potentially be BES Cyber Systems. You might now ask, “OK, if the ICCP and XML systems can be considered redundant for the purpose of the BCA definition, why aren’t the ICCP and IP phone systems also redundant?” The answer is that the XML system is in place specifically to provide backup to ICCP, whereas the phone system obviously wasn’t put in place for that purpose, and does much more than back up ICCP.

Auditor: But, I also call your attention to the NERC CIP V5 FAQs.  For all of the complaining about NERC guidance, this issue is squarely addressed in the FAQ.  See FAQ 3-2014, found here. The question asked was “Some of the systems not previously covered under the CIP Standards before may fall under the assessment process under CIP V5. Do we assess the systems that could cause the EMS (BES Cyber Assets) to fail such as UPS, HVAC (building power control system and cooling for computer room)?

The response was “If a device meets the definition of a Cyber Asset, as defined in the NERC Glossary of Terms, then it is subject to consideration as a BES Cyber Asset as defined in the NERC Glossary of Terms.  HVAC, UPS, and other support systems are not the focus of the CIP Standards and will not be the focus of compliance monitoring, unless any such support systems, including HVAC and UPS, are within an ESP. If such support systems are within an ESP, these systems would be a PCA inheriting the highest impact rating within the ESP.

While not explicitly calling out phone systems, the reference to “other support systems” quite properly includes telephone communication systems as being excluded.  The only exception, as noted, is if the phone system is, for some unknown reason, connected to a network segment inside an Electronic Security Perimeter, making the phone system a Protected Cyber Asset.

Tom: I discussed this FAQ in this post from April. I frankly find it quite disappointing. Of course, I agree with the conclusion that “HVAC and UPS” aren’t BCAs. However, I don’t understand NERC’s reasoning. They seem to be saying simply that “support systems” aren’t BES Cyber Assets, notwithstanding the wording of the BCA definition.

I feel there are two problems with that. One is that “support systems” isn’t a NERC defined term. Someone might argue that their EMS is a support system, since it obviously supports the BES. So an EMS isn’t a BES Cyber Asset? And how about substation relays? They support the BES. Are they also out of scope? There won’t be much left in scope in CIP v5 if anything that seems like it might be a “support system” is ruled out.

Second, even if this were a defined term (really a phrase), NERC isn’t saying here that the BCA definition – as it currently reads – excludes support systems; to do that, they would have to first define the term, then show why these systems don’t adversely impact the reliable operation of the BES within fifteen minutes when needed if they are misused, etc. In other words, they would have to do what I did for phone systems and HVAC in my previous post – although I wasn’t grouping these under a general term like “support systems”.

In other words, they seem to have implicitly added a sentence to the end of the BCA definition, reading something like “Support systems are not BES Cyber Assets.” Now, I have said repeatedly that somebody – be it NERC, FERC, the Regions, President Obama, the United Nations – needs to go beyond the wording of the standards to clarify issues that can’t be addressed in pure Lessons Learned, so the fact that NERC is modifying the BCA definition doesn’t itself upset me. What does upset me is that NERC isn’t acknowledging that this is what they’re doing – in fact, I don’t think whoever wrote this FAQ was even aware of it.

But in this case I don’t think it was necessary to go beyond what the standards say. As I showed in the post from April linked above (and in the follow-on post on phone systems as well as the post just previous to this one, also on phone systems), the BCA definition as it currently stands seems to exclude phone systems, HVAC and fire suppression systems as BCAs. There was no reason for NERC to have to amend the BCA definition and invent a new – but undefined – class of “support systems”, just so they could eliminate HVAC and UPS from being considered BCAs. There was a completely “by the book” way to do this.

Auditor: Were I to make a case at all for including a phone system in my list of BES Cyber Systems, it would be on the basis that the phone system was the primary and only means to conduct reliability operations and that inability to conduct reliability operations resulted in a sub-15 minute reliability impact.  I have not found too many registered entities so configured, certainly not enough to justify such a sweeping “in scope” declaration proffered by the other Region.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.