After my
recent post
discussing why phone systems (as well as fire suppression and HVAC systems)
aren’t BES Cyber Assets, an auditor emailed to add the following points. I’m
reproducing his words verbatim, although I’ve put some comments of my own in
italics.
Auditor: A
quick note on redundancy. Redundancy as
envisioned by the CIP standards is redundancy of functionality, not necessarily
redundancy of physical Cyber Assets. For
example, many market systems use XML as a backup to ICCP to send generation
deployment instructions. If the ISO/RTO
market rules require a primary and a backup method and XML happens to be the
backup to ICCP, then both are considered BCS.
Tom: The auditor is referring to my
discussion where I implied that redundant systems are usually identically
configured. He makes a good point that systems can be quite different but still
be “redundant” for purposes of the BCA definition – meaning they both could
potentially be BES Cyber Systems. You might now ask, “OK, if the ICCP and XML
systems can be considered redundant for the purpose of the BCA definition, why
aren’t the ICCP and IP phone systems also redundant?” The answer is that the
XML system is in place specifically to provide backup to ICCP, whereas the
phone system obviously wasn’t put in place for that purpose, and does much more
than back up ICCP.
Auditor: But,
I also call your attention to the NERC CIP V5 FAQs. For all of the complaining about NERC
guidance, this issue is squarely addressed in the FAQ. See FAQ 3-2014, found here.
The question asked was “Some of the systems not previously covered under the
CIP Standards before may fall under the assessment process under CIP V5. Do we
assess the systems that could cause the EMS (BES Cyber Assets) to fail such as
UPS, HVAC (building power control system and cooling for computer room)?”
The response
was “If a device meets the definition of a Cyber Asset, as defined in the NERC
Glossary of Terms, then it is subject to consideration as a BES Cyber Asset as
defined in the NERC Glossary of Terms.
HVAC, UPS, and other support systems are not the focus of the CIP
Standards and will not be the focus of compliance monitoring, unless any such
support systems, including HVAC and UPS, are within an ESP. If such support
systems are within an ESP, these systems would be a PCA inheriting the highest impact
rating within the ESP.”
While not
explicitly calling out phone systems, the reference to “other support systems”
quite properly includes telephone communication systems as being excluded. The only exception, as noted, is if the phone
system is, for some unknown reason, connected to a network segment inside an
Electronic Security Perimeter, making the phone system a Protected Cyber Asset.
Tom: I discussed this FAQ in this post
from April. I frankly find it quite disappointing. Of course, I agree with the
conclusion that “HVAC and UPS” aren’t BCAs. However, I don’t understand NERC’s
reasoning. They seem to be saying simply that “support systems” aren’t BES
Cyber Assets, notwithstanding the wording of the BCA definition.
I feel there are two problems with that. One is
that “support systems” isn’t a NERC defined term. Someone might argue that
their EMS is a support system, since it obviously supports the BES. So an EMS
isn’t a BES Cyber Asset? And how about substation relays? They support the BES.
Are they also out of scope? There won’t be much left in scope in CIP v5 if anything
that seems like it might be a “support system” is ruled out.
Second, even if this were a defined term
(really a phrase), NERC isn’t saying here that the BCA definition – as it
currently reads – excludes support systems; to do that, they would have to
first define the term, then show why these systems don’t adversely impact the
reliable operation of the BES within fifteen minutes when needed if they are misused,
etc. In other words, they would have to do what I did for phone systems and
HVAC in my previous post – although I wasn’t grouping these under a general
term like “support systems”.
In other words, they seem to have implicitly
added a sentence to the end of the BCA definition, reading something like “Support
systems are not BES Cyber Assets.” Now, I have said repeatedly that somebody
– be it NERC, FERC, the Regions, President Obama, the United Nations – needs to
go beyond the wording of the standards to clarify issues that can’t be
addressed in pure Lessons Learned, so the fact that NERC is modifying the BCA
definition doesn’t itself upset me. What does upset me is that NERC isn’t
acknowledging that this is what they’re doing – in fact, I don’t think whoever
wrote this FAQ was even aware of it.
But in this case I don’t think it was
necessary to go beyond what the standards say. As I showed in the post from
April linked above (and in the follow-on post on phone
systems as well as the post just previous to this one, also on phone
systems), the BCA definition as it currently stands seems to exclude phone
systems, HVAC and fire suppression systems as BCAs. There was no reason for
NERC to have to amend the BCA definition and invent a new – but undefined –
class of “support systems”, just so they could eliminate HVAC and UPS from
being considered BCAs. There was a completely “by the book” way to do this.
Auditor: Were
I to make a case at all for including a phone system in my list of BES Cyber
Systems, it would be on the basis that the phone system was the primary and
only means to conduct reliability operations and that inability to conduct
reliability operations resulted in a sub-15 minute reliability impact. I have not found too many registered entities
so configured, certainly not enough to justify such a sweeping “in scope”
declaration proffered by the other Region.
The views and opinions expressed here are my own and don’t
necessarily represent the views or opinions of Deloitte Advisory.
A conference call is a telephone call in which someone talks to several people at the same time. The conference calls may be designed to allow the called party to participate during the call, or the call may be set up so that the called party merely listens into the call and cannot speak. It is sometimes called ATC (audio tele-conference).
Conference Call
I am definitely enjoying your website. You definitely have some great insight and great stories.
National Air Warehouse
It is very obvious that phone system cannot be redundant from the real world as it fulfills the requirement of small and medium sized business. I’ve read the argument above on behalf of Tom and Author, I totally agree with you. However, office telephone systems are essential for any enterprises that can never be eliminated.