Tuesday, December 8, 2015

Back to the Phones

To be honest, I thought the issue of whether or not IP phone systems would be BES Cyber Systems was dead. I wrote a post on this question in April; it gave my reasoning (although a full account of the reasoning needs to include the two previous posts in that “series”: this was the first, and this was the second), which had been developed through email discussions with an auditor. I thought the issue was pretty settled, not because I’d written a post on it, but because I assumed that all of the auditors would be of more or less the same opinion (an auditor in another region had also confirmed my reasoning).

However, I was surprised to hear from at least three entities in one region that they had been told that IP phone systems were in scope as BCS (in one case, it was a 25-year-old general communications system that combined radio, phone, pagers, etc. It obviously wasn’t an IP phone system, but the entity was told it was in scope because it had a microprocessor – an 80286, no less! – and was thus technically a programmable electronic device). So this idea is evidently not quite dead. Let me try to drive a stake through its heart now.[i]

I’ve reread the original post, and I don’t have new arguments to add to that. However, in retrospect I see my emphasis should have been different. Here’s my new argument:

Of course, the issue is whether the phone system meets the definition of a BES Cyber Asset. That definition states that a Cyber Asset’s loss, misuse, etc. must “adversely impact” the Bulk Electric System within 15 minutes, for it to be a BES Cyber Asset.

Before I started the actual argument in the post, I pointed out that, strictly speaking, almost no cyber assets directly affect the BES. Most have their impact through their control of either an asset (e.g. the Distributed Control System controlling a generating station) or a Facility (e.g. a relay controlling a circuit breaker, whose operation impacts one or more lines). There are almost no instances I can think of where a cyber asset impacts the BES on its own;[ii] almost all of them first impact a BES asset or Facility, which in turn impacts the BES itself. This fact makes it hard to understand what the BCA definition means when it talks about the BCS impacting the BES.

In the post (actually, in my second post in the “series”, linked above), I suggested that the way the BCA definition could be interpreted was by looking at both steps of the process: the impact of the Cyber Asset on the asset or Facility it’s associated with, and the impact of the asset or Facility on the BES. You need to ask whether there is an impact at each step. If there is an impact at both steps, and the BES impact is within 15 minutes of the loss, misuse, etc. of the Cyber Asset,[iii] then the Cyber Asset is a BES Cyber Asset. If there is no impact at either of the steps, or impact at one step but not the other, then the Cyber Asset isn’t a BCA.

A generating plant’s Distributed Control System is unambiguously a BES Cyber Asset, since a) its failure will immediately shut down either the entire plant or one or a few units; and b) the shutdown of the plant (or its units) will have an immediate BES impact. How about the phone system?

Typically, an IP phone system that might be considered to be a BCA would be the system in a control center, which is used for various purposes including dispatching generation. There will often be an Automated Generation Control system that does the dispatching, and I don’t think there’s any dispute that this should be a BCA. But if the AGC goes down, the phone system may become the primary means of dispatching.

What happens if the RTO signals to the control center that a plant needs to be dispatched, but AGC is down? Obviously, the dispatcher will pick up a phone. But what happens if the phone system is down? Will the entity not be able to dispatch the plant? It’s certainly possible that could happen, but I would think someone would realize they have a cell phone in their pocket or purse that can achieve the same purpose. Wouldn’t they use that? So it’s hard to say that not having the phone system will have a 15-minute BES impact.

At this point, I know some will jump in to point out that the BCA definition states “Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact.” Does this mean the phone system has to be a BES Cyber Asset, since it’s the alternative dispatching method to the AGC system (I hate to say the two systems are “redundant”, since an AGC system and a phone system are very different)? From what I’m told, this is in fact the argument that at least one Regional Entity is using.

What are we usually talking about when we say two systems are redundant? Typically, they will be identically configured servers, so one can take over if the other stops for some reason. More importantly, if both of the servers are down at the same time, no other system can step up to perform the tasks they were doing (and if another system can step up, then it should be considered a third redundant system and thus in scope for CIP v5). In other words, for redundant systems, if both systems go down, the task they performed will necessarily go undone; this will almost certainly impact the asset or Facility (since we’re talking about control systems here. If the loss of the systems doesn’t impact an asset or Facility, then they’re probably not control systems in the first place).

How about with the AGC and the phone system? As I’ve just said, if they are both down, the dispatcher will presumably pull out his cell phone to make the dispatch call. Or he might walk over to another office where the phones are still working. Or he might go to a phone booth (that’s just a joke. I’m not sure I’ve even seen a phone booth in years). Or if the plant is just a couple minutes away, he might get in his car and drive there. Or he could use a carrier pigeon or smoke signals. The point is that the loss of AGC and the IP phone system won’t necessarily mean the dispatch instruction won’t get through, causing an adverse impact on the BES. That is the big difference between the redundant servers and the AGC/phone system.[iv]

This is why I said in the April post – and I’m reiterating here – that it’s important to insert the word “necessarily” (or “inevitably”) into the BCA definition, i.e. “…would, within 15 minutes of its required operation, misoperation, or non-operation, necessarily adversely impact one or more Facilities, systems, or equipment…” In other words, only Cyber Assets whose loss or misuse will necessarily impact the BES within 15 minutes when needed are BES Cyber Assets. And phone systems just don’t make the cut.

There are a couple of other systems people have brought up, for which the same argument applies as for phone systems. First, there’s one that I previously thought had to be a BCS: a fire suppression system in a substation. I thought, “Surely this is a system that, if not able to function when needed (i.e. during a fire), would adversely impact the BES”.

However, the same auditor referred to at the beginning of this post pointed out to me that, just because a fire breaks out in a substation and the fire suppression system isn’t there to extinguish it, this doesn’t necessarily mean there’s a BES impact. For example, someone who’s there could grab a fire extinguisher and put the fire out before it causes damage. Or the wind might be blowing in a direction that takes the fire away from the lines and equipment, so there is still no BES impact. Just as with the phone system, the fact that there isn’t a necessary impact means the fire suppression system isn’t a BCS.

Another system that comes up often is the HVAC system in a control center or a generating plant. Let’s say the heating fails in the control room of a plant in Grand Forks, ND in January. Obviously, one way of dealing with that could be shutting the plant down, but there are certainly other ways. Maybe everyone can put on coats while the system is being fixed. Maybe they can have shifts of people alternating one hour off and one on to keep the plant running. Again, there isn’t necessarily a BES impact.

The moral of this story: If you think IP phone systems have to be BCS, you should take a cue from the character Sportin’ Life in Gershwin’s Porgy and Bess: “It ain’t necessarily so…”

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.

[i] I may additionally have to bury it at midnight in a lead-lined coffin with its head pointed downward. You can never be too careful with these things!

[ii] At one of the meetings of the CSO 706 Standards Drafting Team (which drafted CIPs v2, 3, 4 and 5), I asked if someone could give me an example of a cyber asset that did impact the BES without the mediation of an asset or Facility. The only example I was given was that of a leak detector, which I hadn’t heard of but evidently sits in the middle of a line and alerts the control center of current leaks – thus potentially fulfilling the Situational Awareness BROS. I’ll stipulate this may be true, but of course this wouldn’t be in scope for CIP v5 anyway. The only BCS that are in scope are those a) “used by and located at” one of the six asset types listed in CIP-002-5.1 R1 that is High impact; b) “associated with” an asset or Facility that is Medium impact; or c) “contained” by a Low impact asset. And of course, Low impact BCS aren’t themselves in scope for CIP v5; only the assets that contain them are.

[iii] “When needed”, of course.

[iv] Of course, this assumes that all of these alternative systems – cell phones, your car, etc. – wouldn’t be considered redundant systems, and themselves wouldn’t have to be declared BCS. Yet if they aren’t BCS, then the phone system shouldn’t be, either.
