I spent most of the last week travelling to or attending two regional meetings: SPP’s CIP Workshop in Little Rock and WECC’s Low Impact Workshop in Salt Lake City. Both meetings were very well run and quite informative. Below are some high points I took away from the SPP meeting. My next post will do the same for the WECC meeting.
Before I start that, I want to point out that you can find all of the presentations from the SPP meeting here. They are all in one big file, but it downloads pretty quickly. There will also be videos of the presentations; you will be able to find them here. The WECC presentations are here.
While all of the presentations at SPP were good, I got the most out of Scott Mix’s presentation on how NERC will audit for compliance with the Low impact requirements. I had seen him do this presentation at RF’s CIP workshop in April, but there were a lot of points he made at SPP that I didn’t remember from then (of course, it’s possible he had made some changes; I highly recommend watching the video when it’s available).
Scott first addressed the question of whether a list of Low impact BES Cyber Systems is actually required, even though the requirements practically do back flips to say it isn’t. This is a huge issue (it was at the WECC workshop as well). I think Scott did a very good job of addressing this, and rather than try to summarize what he said, I’ll just refer you to his discussion starting on slide 4.
One of the main points of Scott’s presentation was that, when it comes to Low impact assets, the idea of randomly sampling them to decide what to audit goes out the window. Since Low impact assets vary widely in terms of their impact on the BES, the focus of Low impact audits will always be on the most important assets. One example of this has to do with 1500+ MW plants that are called out in criterion 2.1. If the entity is claiming a plant is segmented so that there are no Medium impact BES Cyber Systems, that plant will definitely be visited during the audit. In a similar vein, Scott pointed out that a substation that has multiple lines but doesn’t meet criterion 2.5 will “get more attention” than one with just a single line.
He discussed three areas where both Lows and Mediums have requirements (starting on slide 39). For incident response plans and awareness programs, Scott suggested it’s probably a lot easier for entities that have both Medium and Low impact assets to just use the Medium procedures. That way, people who aren’t working with CIP day-to-day can just refer to a single procedure, rather than have to figure out whether an asset is Medium or Low impact. He also mentioned that “configuration and management” procedures may be similar for LEAPs (Low impact Electronic Access Points) as for EACMS containing EAPs (of course, EACMS and EAP only come into play for Mediums. An EAP is an interface, which is part of an EACMS).
While the remaining presentations were all good[i] (although I had to miss the half-day session on Wednesday to get to Salt Lake City for the WECC meeting), I want to call your attention to the last presentation of the day by Robert Vaughn and Shon Austin, who are both SPP auditors (starting on slide 242). It is titled “Observations from our CIP V5 Outreach Visits”, and it’s based on a set of visits they evidently did to SPP entities to review their preparedness for v5 compliance.
I’ll let you read their slides (and see the video when it’s available), but I’ll say now that their presentation seems to raise some serious questions about how prepared NERC entities will really be for CIP v5 on July 1 (although, since I wasn’t there for the presentation, I’ll admit it’s possible that their spoken words may mitigate what seems to be the purport of their slides – I’m looking forward to the video!). It looks like I may have to revise my April Fool’s Day post.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] Kevin Perry of SPP gave a presentation (starting on slide 225) entitled “Could CIP Standards have Prevented the Ukraine Attack?” I missed that, but I will definitely watch the video when it’s available.