In my post
yesterday, I listed some good takeaways I gathered at SPP’s 2016 CIP Workshop
in Little Rock last week. This post describes takeaways from the WECC Low
Impact Workshop in Salt Lake City, the day after the SPP event. The
presentations are here.
As the title
of the workshop states, the subject was entirely Low impact assets – this is
actually the fourth such workshop WECC has done, I believe. Attendees included both
large entities with High, Medium and Low impact assets and entities
that only have Lows, for many of whom this is their first experience with
CIP compliance. The fact that the “big guys” and “little guys” were both in
attendance can be taken as evidence that, no matter how simple the Low
requirements might seem, there is nothing simple about them!
While I
thought all of the presentations were good, there were two that provided the
most takeaways for me. The first (and the leadoff presentation of the workshop)
was by the inimitable Dr. Joe Baugh, entitled “Identifying and Auditing Low
Impact BES Assets”.[i]
This was focused entirely on an important question regarding Low impact assets
that I haven’t seen any other region (or NERC) address so far: making sure you’ve
identified your Low assets properly in the first place, before you start
worrying about how to comply for those assets.
This isn’t
too surprising, since Joe has all along been focused on one standard:
CIP-002-5.1, and especially on the bright-line criteria in Attachment 1. My
biggest takeaway from his presentation was that NERC entities who have High
and/or Medium impact assets – and have been scrambling to come into compliance by
July 1 – may be making a mistake if they think they have already done all they
need to do to identify their Low assets, simply by subtracting their Highs and
Mediums from their total BES assets. I think every entity should go back and
make sure they haven’t either over- or under-identified their Lows.
Those
entities are certainly making a mistake if they think that they don’t have to
really worry about asset identification for Lows. Joe made the point –
repeatedly – that each entity with Low assets needs to develop and document a
methodology for identifying those assets, just as entities with High and
Medium BCS need to develop a methodology for identifying those.[ii] If your
entity explicitly called out the procedures for identifying Low assets in your
High/Medium methodology, then you should be fine. But if you kind of glossed it
over (on the idea that Lows are just the “leftover” BES assets once you subtract
the Highs and Mediums), I recommend you go back and develop an explicit Low
impact asset identification methodology – plus document it.
Here are
some of the specific points Joe made:
- If you haven’t already done this, it’s a good idea to go
back and run all of your assets through the BES definition to make sure
you haven’t over-identified BES assets. Of course, since Low assets are
simply those BES assets that aren’t Highs or Mediums[iii],
the only way you can decrease the number of your Lows is to decrease the
number of BES assets altogether.[iv]
You can do this either through an Exception Request (which doesn’t go
through BESnet) or a Definition Request (which does – see the bottom slide
on page 6 of Joe’s presentation).
- On pages 16-19 of his presentation, Joe provides a very
good discussion of segmenting generation in plants that meet criterion
2.1.
- On pages 19-21, Joe makes the point that substations can
have both Medium and Low impact BCS, at least under criteria 2.4 and 2.5.[v]
I have been making this point for a
while, although using a slightly different rationale. But I’m glad to
hear Joe making it, since it can conceivably save some entities from
over-classifying relays and other cyber assets at substations (and it is
especially helpful with shared substations, where one owner has
higher-voltage lines that are Medium impact, while the other has
distribution-level voltage lines that are Low impact).
- Joe pointed out that, for any Critical Assets an entity
may have had under CIP v3, they should approach their Transmission
Planner, Balancing Authority, or Reliability Coordinator to make sure they
won’t be Medium impact under criteria 2.3, 2.6 or 2.7.
- Joe also stated that, for entities that chose to move to
v5 during the transition period between CIPs v3 and v5, any Areas of
Concern that were identified during an audit in the transition period should
be mitigated before the next audit – otherwise, they might receive a PV.
- Joe made the important point that there should be no
direct routable connections between BCS at substations that don’t go through
an EACMS (in the case of Medium substations) or a LEAP (in the case of
Lows).
The second “presentation”
(really consisting of two presentations on two different days) was by Lisa Wood
and Eric Weston of WECC; it was entitled “Assets containing Low impact BCS”. It
discussed in detail what WECC will be looking for in audits of entities with
Low assets. Here are some of the main points from this presentation:
- Logging of physical access is a good thing but isn’t
required in v5/v6.
- Managed firewalls are permitted at Lows, as long as you
can get the configuration files (evidently, one entity was having trouble
getting those files from their vendor. Of course, not being able to track and
control the firewall configuration would create a real problem for
compliance).[vi]
- Since the definition of LERC is now before the CIP v7
Standards Drafting Team, WECC will follow the SDT’s discussion of that
topic, and potentially use it to inform their interpretation of LERC (I
hope to have a post specifically discussing this topic very soon). In
other words, it’s not a bad idea for entities to keep an eye on the SDT as
well.[vii]
- If the entity has a device that functions like an
Intermediate System in CIP-005 R2 (although Intermediate Systems aren’t
required for Interactive Remote Access to Low BCS, as they are for High
and Medium BCS), this can be considered to constitute a “protocol break”
for LERC.[viii]
The views and opinions expressed here are my own and don’t
necessarily represent the views or opinions of Deloitte Advisory.
[i] You may notice that Joe uses the politically incorrect term “Low impact BES asset”,
rather than “asset containing a Low impact BES Cyber System”. He underlined his
heresy by also referring to “High impact BES assets” and “Medium impact BES
assets”. He’s lucky the church gave up burning heretics at the stake years ago.
If not, both he and I might be crispy critters by now!
[ii] Unfortunately, CIP-002 R1 doesn’t say anything about developing such a
methodology, as it did for the RBAM in CIP v1-3. But this is implicitly
required nevertheless, both for Highs and Mediums as well as for Lows. Of
course, for Highs and Mediums, the real point of the methodology is
identification of High and Medium BCS. For Lows, it is simply identification of
the Low assets, or if you will “assets containing a Low impact BCS”.
[iii] With the exception of BES assets that have no control systems at all. Since a
Low asset is defined as an asset “containing a Low impact BCS”, it obviously
can’t have any BCS if it doesn’t have any control systems. So these assets aren’t
High, Medium or Low impact – they fall outside the CIP standards altogether.
[iv] Joe points out that you can remove assets from the BES list through BESnet.
[v] I would say that there’s no reason that 2.6 – 2.8 shouldn’t also be included in
this statement.
[vi] I was quite interested to hear that WECC was condoning managed firewalls for
Low impact assets. This makes a lot of sense to me, given the large number of
Low assets and the potential savings from having a managed solution. But I also
know that managed firewalls (or any sort of managed security services) are
pretty much verboten for High or
Medium impact assets. This is because of the difficulty of getting a managed services
provider to agree to take the fairly onerous steps required to restrict access
to the entity’s BCS information on their servers. I’ve been told by an auditor
that he knows of no entities at all that are using managed security services
for Critical Assets under v3, or Medium impact assets under v5. But, since the
Low assets aren’t subject to the same information protection requirements, this
shouldn’t apply to them. I’m quite glad to see that WECC is explicitly making
this statement.
[vii] The best way to follow the SDT is to get on their mailing list, so that you get
announcements of all meetings (both onsite and phone only, although the onsite
meetings can be followed by webinar as well), as well as draft documents and
comments. To do that, email cip_mod_sdt_plus@nerc.com.
[viii] Of course, there is currently no official definition of LERC, since FERC wasn’t
happy with what NERC came up with in v6 and has ordered a new definition be
developed by March 2017. So this can’t be considered the same as an actual
Interpretation of a requirement, but it should be encouraging to WECC entities
that they can have at least this one island of certainty in the vast sea of
uncertainty that is NERC CIP version 5.