Location, Location, Location
Things fall apart; the centre cannot hold;
Mere anarchy is loosed upon the world,
The best lack all conviction, while the worst
Are full of passionate intensity.
And what rough beast, its hour come round at last,
Slouches towards Bethlehem to be born?
W. B. Yeats, The Second Coming (1919)
Let me start by admitting the above quotation has nothing to do with this post. I was just struck by the remarkable fact that Yeats eerily foreshadowed the 2016 US election campaign almost a hundred years ago!
Now to my topic: I’ve realized for a while that one of the biggest sources of confusion in CIP v5 and v6 is the concept of Location. As with other sources of confusion in v5, the cause of this isn’t that people are stupid, but that there are contradictions and missing definitions in CIP-002-5.1 R1 and Attachment 1. I can’t do anything about those contradictions and missing definitions, but perhaps the Standards Drafting Team can. In this post, I’ll try to describe the following:
- How almost all NERC entities, regions, and NERC itself are interpreting the concept of location in CIP-002 R1;
- What I (aided by one or two Interested Parties) interpret the words regarding location to really mean; and
- How I think the words of R1 and Attachment 1 might be rewritten to make CIP-002 R1 both more understandable and (perhaps) more enforceable than it now is.
I. The Prevailing Understanding
As I discussed in this post, the general understanding of how Location works in CIP-002-5.1 R1 is that the entity needs to start with the list of six asset types in R1, then “run” this list through the Attachment 1 criteria to identify High, Medium and Low impact assets. Once this has been done, the entity needs to identify BES Cyber Systems located at High or Medium assets. These BCS become subject to the High or Medium impact requirements of CIP-003-6 through CIP-011-2. Meanwhile, Low impact assets (aka “assets containing Low impact BCS”) are subject to CIP-003-6 R1.2 and R2. I can count to ten and include all of the individuals – whether employees of NERC entities, NERC regions, or NERC itself – who have stated within my hearing that this isn’t actually how R1 and Attachment 1 are written.
Of course, this isn’t how R1 and Attachment 1 are written, as I discussed in the above-linked post. But I also pointed out that this isn’t necessarily a bad thing. In fact, I don’t see any other way that entities can reasonably be expected to comply with R1 except by taking this approach. And I certainly don’t think they should receive PVs because they didn’t follow the exact meaning of the words of R1, since that meaning is very difficult to ascertain, as I’ll describe next. The problem this causes is that it makes R1 (and perhaps all of the other CIP requirements) unenforceable in the strict sense that a fine for violating it is unlikely to be upheld if appealed to the court system.
II. How I Interpret the Words
There are two main problems with the Prevailing Understanding of Location. The first is that Attachment 1 explicitly states that the High and Medium impact criteria are for classifying BES Cyber Systems, not assets, so the six asset types listed in R1 must serve another purpose than the one assumed in the PU. The second is that the “preamble” to Section 2 of Attachment 1 states that the entity needs to identify BES Cyber Systems “associated with” the Medium impact criteria in that section. In practice, this means that a BCS doesn’t have to be physically located at the asset in order to be Medium impact due to that asset.[i]
Let’s deal with the first problem first (although you’ll see that in dealing with that problem we’ll also end up dealing with the second one). Why is the list of six assets in R1, since it isn’t there to do what the Prevailing Understanding thinks it does – furnish the set of assets that is run though the Attachment 1 criteria? An Interested Party explained this mystery to me a couple of years ago, pointing out that this list is actually the six types of locations where BES Cyber Systems that are subject to the requirements of CIP v5 can be found; if they are located anywhere else, they aren’t in scope for v5.[ii]
Here’s an example. Suppose someone uses a remote computer system to make changes to settings of physical systems in a generating plant that has been designated as “necessary to avoid an Adverse Reliability Impact…” as described in Criterion 2.3. Since the loss, misuse, etc. of this computer could “adversely impact” the BES within 15 minutes, this means this system is a BCS. But is it a Medium impact BCS?
Let’s say this system is located at a generating plant, which is otherwise Low impact. Since that plant falls under one of the six asset types in R1, this means the system would be a Medium BCS, because it is located at one of the six asset types and because it is associated with an asset meeting criterion 2.3.
As an aside, you might or might not consider the entire plant a “Medium” one. If you could physically and logically protect the single Medium BCS in the plant so that it complied with all of the appropriate v5 requirements, without involving any other systems that might be in the plant, then you might still consider the plant simply a Low one with one Medium BCS. Otherwise, you’d have to say the plant is both Medium and Low impact – and if your Regional Entity is requiring a list of Medium assets, you would need to include the plant on that list, as well as the list of Low assets. In either case, you would need to include the one Medium BCS on the list of Medium BCS.
Now suppose that the system is located in somebody’s living room. Since a living room (or the house that contains it) isn’t one of the six asset types, that system won’t be a Medium BCS. In fact, it won’t be a Low BCS either, since Low BCS also have to be located at one of the six asset types. It might theoretically still be a BCS, but that is a purely academic question; you don’t have to deal with this computer in CIP v5. Of course, since it is being used for Interactive Remote Access, its use will be subject to CIP-005 R2 and the systems in the ESP located at the Medium plant will presumably be protected that way.
In practice, I believe that the only serious cases of BCS at Low impact assets, that might have become Medium impact, were “far-end relays”. This became a big issue in 2014. I wrote this post describing the problem, and this post describing an Interested Party’s solution to the problem. In fact, the IP’s solution was so good that NERC later adopted it wholesale for their Lesson Learned on this issue.
The IP’s argument was very specific: This problem only comes up in the case of substations subject to criterion 2.5. Since there is very specific language in 2.5 that protects against exactly this situation, it isn’t a problem. In this case, the words “associated with” don’t reach out to BCS located at Low impact assets and make them Medium impact. But can it happen elsewhere? That is, are there cases where the “associated with” wording will lead to BCS at Low assets becoming Medium impact? To be honest, I haven’t found any cases where that will happen, although I admit I haven’t conducted a survey to identify if there are such cases.[iii]
III. How I Would Rewrite the Words
How would I rewrite the wording of CIP-002-5.1 R1 and Attachment 1 to address these two issues? To address the first issue – regarding the six asset types – I would rewrite that section of R1 so that it made clear that the six asset types are only locations at which BCS can be found, not the “raw material” that gets fed into the Attachment 1 process in an effort to classify Medium or High impact assets (or BCS).[iv]
Regarding the second problem of “associated with”, it seems to me that, even though there may be a few BCS at Low assets that could become Medium impact due to that wording, it isn’t worthwhile requiring entities to do the extra work needed to identify these BCS (they will still be protected at a Low level where they are). I think Medium BCS should be identified just like High ones are: they are BCS located at a High or Medium asset (or Facility). Of course, to do this would require v5 purists to admit that there are actually such things as High and Medium impact assets – even though the strict wording of CIP-002-5.1 doesn’t countenance such things.
However, as I’ve said many times, virtually all NERC entities and regions are acting as if High and Medium assets (or Facilities) are real – so I suggest the purists get over this. Similarly, if I thought that unicorns were very important to help lots of people get through their day, I’d be the first to suggest we simply say they’re real and move on. Life is too short to worry about finer points of wording when everyone agrees on what it means – even if everyone is wrong.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] You may notice that there is a direct contradiction here. I just got through pointing out that Attachment 1 says the High and Medium criteria are for classifying BCS. Yet by saying that a BCS is Medium because it is “associated with” one of the Medium criteria, the original SDT was admitting that the criteria really apply to assets in some way! This is because R1 and Attachment 1 were written at different times from two different viewpoints, and they were never reconciled with a set of consistent wording. This clash of contradictory viewpoints is what I have called the fundamental problem of CIP-002; it manifests itself in a number of places in the wording.
As a further note, this issue doesn’t appear for High impact BCS. The preamble to Section 1 of Attachment 1 says that High BCS are those “used by and located at” a Control Center that meets one of the four High criteria. So High BCS can only be located at a Control Center that meets one of criteria 2.1 to 2.4.
[ii] I won’t take the time to try to prove this to you, but I’m sure it’s right – even though the wording of R1 seems to go out of its way to obscure this point. I will point out that you can get a good clue that this is the case by considering the fact that the wording of 1.2 would contradict the words “associated with” in Section 2 of Attachment 1, if the word “asset” in 1.2 referred to the asset that meets one of the Medium criteria. So “asset” in 1.2 must refer to one of the six asset types, thus making 1.2 (and 1.1 and 1.3) refer to the locations where Medium BCS can be found. This resembles the word puzzles I used to enjoy doing as a boy; unfortunately, it’s not a wonderful practice to build a regulatory framework with potential million-dollar-a-day penalties on a foundation of word puzzles, as seems to have been done in the case of CIP version 5.
[iii] I initially thought that Automated Generating Control (AGC) systems that controlled Medium generating plants might be located at Low impact plants or at substations, and thus be themselves Medium impact. But nobody has told me they know of an example where this actually is the case.
[iv] In stating this, I’m conveniently (for me) leaving out the much bigger problem – the fact that Attachment 1 (and parts of R1) is written assuming that BCS themselves are first identified, then run through the criteria to classify them High or Medium, while almost every NERC entity and auditor – from what I have seen – approaches R1 in the same way they did CIP-002 in version 3. That is, they first classify the “big iron” (High, Medium or Low assets in v5; Critical vs. non-critical Assets under v3), then they classify the Cyber Assets that are critical to the asset with the same classification as the asset itself (H/M/L BCS in v5, and Critical vs. non-critical Cyber Assets under v3). Fixing this problem will require a complete rewrite of CIP-002-5.1, and from what I’ve seen there is no appetite on NERC’s part to do this. And as I’ve recently said, I no longer think it’s worthwhile trying to come up with a comprehensive fix for the problems of CIP versions 5 and 6. I think CIP needs to move in a different direction, a sustainable one.