To be honest, I thought the issue of whether or not IP phone systems would be BES Cyber Systems was dead. I wrote a post on this question in April; it gave my reasoning (although a full account of the reasoning needs to include the two previous posts in that “series”: this was the first, and this was the second), which had been developed through email discussions with an auditor. I thought the issue was pretty settled, not because I’d written a post on it, but because I assumed that all of the auditors would be of more or less the same opinion (an auditor in another region had also confirmed my reasoning).
However, I was surprised to hear from at least three entities in one region that they had been told that IP phone systems were in scope as BCS (in one case, it was a 25-year-old general communications system that combined radio, phone, pagers, etc. It obviously wasn’t an IP phone system, but the entity was told it was in scope because it had a microprocessor – an 80286, no less! – and was thus technically a programmable electronic device). So this idea is evidently not quite dead. Let me try to drive a stake through its heart now.[i]
I’ve reread the original post, and I don’t have new arguments to add to that. However, in retrospect I see my emphasis should have been different. Here’s my new argument:
Of course, the issue is whether the phone system meets the definition of a BES Cyber Asset. That definition states that a Cyber Asset’s loss, misuse, etc. must “adversely impact” the Bulk Electric System within 15 minutes for it to be a BES Cyber Asset.
Before I started the actual argument in the post, I pointed out that, strictly speaking, almost no cyber assets directly affect the BES. Most have their impact through their control of either an asset (e.g. the Distributed Control System controlling a generating station) or a Facility (e.g. a relay controlling a circuit breaker, whose operation impacts one or more lines). There are almost no instances I can think of where a cyber asset impacts the BES on its own;[ii] almost all of them first impact a BES asset or Facility, which in turn impacts the BES itself. This fact makes it hard to understand what the BCA definition means when it talks about the BCS impacting the BES.
In the post (actually, in my second post in the “series”, linked above), I suggested that the way the BCA definition could be interpreted was by looking at both steps of the process: the impact of the Cyber Asset on the asset or Facility it’s associated with, and the impact of the asset or Facility on the BES. You need to ask whether there is an impact at each step. If there is an impact at both steps, and the BES impact is within 15 minutes of the loss, misuse, etc. of the Cyber Asset,[iii] then the Cyber Asset is a BES Cyber Asset. If there is no impact at either of the steps, or impact at one step but not the other, then the Cyber Asset isn’t a BCA.
A generating plant’s Distributed Control System is unambiguously a BES Cyber Asset, since a) its failure will immediately shut down either the entire plant or one or a few units; and b) the shutdown of the plant (or its units) will have an immediate BES impact. How about the phone system?
Typically, an IP phone system that might be considered to be a BCA would be the system in a control center, which is used for various purposes including dispatching generation. There will often be an Automated Generation Control system that does the dispatching, and I don’t think there’s any dispute that this should be a BCA. But if the AGC goes down, the phone system may become the primary means of dispatching.
What happens if the RTO signals to the control center that a plant needs to be dispatched, but AGC is down? Obviously, the dispatcher will pick up a phone. But what happens if the phone system is down? Will the entity not be able to dispatch the plant? It’s certainly possible that could happen, but I would think someone would realize they have a cell phone in their pocket or purse that can achieve the same purpose. Wouldn’t they use that? So it’s hard to say that not having the phone system will have a 15-minute BES impact.
At this point, I know some will jump in to point out that the BCA definition states “Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact.” Does this mean the phone system has to be a BES Cyber Asset, since it’s the alternative dispatching method to the AGC system (I hate to say the two systems are “redundant”, since an AGC system and a phone system are very different)? From what I’m told, this is in fact the argument that at least one Regional Entity is using.
What are we usually talking about when we say two systems are redundant? Typically, they will be identically configured servers, so one can take over if the other stops for some reason. More importantly, if both of the servers are down at the same time, no other system can step up to perform the tasks they were doing (and if another system can step up, then it should be considered a third redundant system and thus in scope for CIP v5). In other words, for redundant systems, if both systems go down, the task they performed will necessarily go undone; this will almost certainly impact the asset or Facility (since we’re talking about control systems here; if the loss of the systems doesn’t impact an asset or Facility, then they’re probably not control systems in the first place).
How about with the AGC and the phone system? As I’ve just said, if they are both down, the dispatcher will presumably pull out his cell phone to make the dispatch call. Or he might walk over to another office where the phones are still working. Or he might go to a phone booth (that’s just a joke. I’m not sure I’ve even seen a phone booth in years). Or if the plant is just a couple minutes away, he might get in his car and drive there. Or he could use a carrier pigeon or smoke signals. The point is that the loss of AGC and the IP phone system won’t necessarily mean the dispatch instruction won’t get through, causing an adverse impact on the BES. That is the big difference between the redundant servers and the AGC/phone system.[iv]
This is why I said in the April post – and I’m reiterating here – that it’s important to insert the word “necessarily” (or “inevitably”) into the BCA definition, i.e. “…would, within 15 minutes of its required operation, misoperation, or non-operation, necessarily adversely impact one or more Facilities, systems, or equipment…” In other words, only Cyber Assets whose loss or misuse will necessarily impact the BES within 15 minutes when needed are BES Cyber Assets. And phone systems just don’t make the cut.
There are a couple other systems people have brought up, for which the same argument applies as for phone systems. First, there’s one that I previously thought had to be a BCS: a fire suppression system in a substation. I thought, “Surely this is a system that, if not able to function when needed (i.e. during a fire), would adversely impact the BES”.
However, the same auditor referred to at the beginning of this post pointed out to me that, just because a fire breaks out in a substation and the fire suppression system isn’t there to extinguish it, this doesn’t necessarily mean there’s a BES impact. For example, someone who’s there could grab a fire extinguisher and put the fire out before it causes damage. Or the wind might be blowing in a direction that takes the fire away from the lines and equipment, so there is still no BES impact. Just as with the phone system, the fact that there isn’t a necessary impact means the fire suppression system isn’t a BCS.
Another system that comes up often is the HVAC system in a control center or a generating plant. Let’s say the heating fails in the control room of a plant in Grand Forks, ND in January. Obviously, one way of dealing with that could be shutting the plant down, but there are certainly other ways. Maybe everyone can put on coats while the system is being fixed. Maybe they can have shifts of people alternating one hour off and one on to keep the plant running. Again, there isn’t necessarily a BES impact.
The moral of this story: If you think IP phone systems have to be BCS, you should take a cue from the character Sportin’ Life in Gershwin’s Porgy and Bess: “It ain’t necessarily so…”
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] I may additionally have to bury it at midnight in a lead-lined coffin with its head pointed downward. You can never be too careful with these things!
[ii] At one of the meetings of the CSO 706 Standards Drafting Team (which drafted CIPs v2, 3, 4 and 5), I asked if someone could give me an example of a cyber asset that did impact the BES without the mediation of an asset or Facility. The only example I was given was that of a leak detector, which I hadn’t heard of but evidently sits in the middle of a line and alerts the control center of current leaks – thus potentially fulfilling the Situational Awareness BROS. I’ll stipulate this may be true, but of course this wouldn’t be in scope for CIP v5 anyway. The only BCS that are in scope are those a) “used by and located at” one of the six asset types listed in CIP-002-5.1 R1 that is High impact; b) “associated with” an asset or Facility that is Medium impact; or c) “contained” by a Low impact asset. And of course, Low impact BCS aren’t themselves in scope for CIP v5; only the assets that contain them are.
[iii] “When needed”, of course.
[iv] Of course, this assumes that all of these alternative systems – cell phones, your car, etc. – wouldn’t be considered redundant systems, and themselves wouldn’t have to be declared BCS. Yet if they aren’t BCS, then the phone system shouldn’t be, either.