In my post yesterday, I listed some good takeaways I gathered at SPP’s 2016 CIP Workshop in Little Rock last week. This post describes takeaways from the WECC Low Impact Workshop in Salt Lake City, the day after the SPP event. The presentations are here.
As the title of the workshop states, the subject was entirely Low impact assets – this is actually the fourth such workshop WECC has done, I believe. Attendees included both large entities with High, Medium and Low impact assets and entities that only have Lows, for whom this is in many cases their first experience with CIP compliance. The fact that the “big guys” and “little guys” were both in attendance can be taken as evidence that, no matter how simple the Low requirements might seem, there is nothing simple about them!
While I thought all of the presentations were good, there were two that provided the most takeaways for me. The first (and the leadoff presentation of the workshop) was by the inimitable Dr. Joe Baugh, entitled “Identifying and Auditing Low Impact BES Assets”.[i] This was focused entirely on an important question regarding Low impact assets that I haven’t seen any other region (or NERC) address so far: making sure you’ve identified your Low assets properly in the first place, before you start worrying about how to comply for those assets.
This isn’t too surprising, since Joe has all along been focused on one standard: CIP-002-5.1, and especially on the bright-line criteria in Attachment 1. My biggest takeaway from his presentation was that NERC entities who have High and/or Medium impact assets – and have been scrambling to come into compliance by July 1 – may be making a mistake if they think they have already done all they need to do to identify their Low assets, simply by subtracting their Highs and Mediums from their total BES assets. I think every entity should go back and make sure they haven’t either over- or under-identified their Lows.
Those entities are certainly making a mistake if they think that they don’t have to really worry about asset identification for Lows. Joe made the point – repeatedly – that each entity with Low assets needs to develop and document a methodology for identifying those assets, just as entities with High and Medium BCS need to develop a methodology for identifying those.[ii] If your entity explicitly called out the procedures for identifying Low assets in your High/Medium methodology, then you should be fine. But if you kind of glossed it over (on the idea that Lows are just the “leftover” BES assets once you subtract the Highs and Mediums), I recommend you go back and develop an explicit Low impact asset identification methodology – plus document it.
Here are some of the specific points Joe made:
- If you haven’t already done this, it’s a good idea to go back and run all of your assets through the BES definition to make sure you haven’t over-identified BES assets. Of course, since Low assets are simply those BES assets that aren’t Highs or Mediums[iii], the only way you can decrease the number of your Lows is to decrease the number of BES assets altogether.[iv] You can do this either through an Exception Request (which doesn’t go through BESnet) or a Definition Request (which does – see the bottom slide on page 6 of Joe’s presentation).
- On pages 16-19 of his presentation, Joe provides a very good discussion of segmenting generation in plants that meet criterion 2.1.
- On pages 19-21, Joe makes the point that substations can have both Medium and Low impact BCS, at least under criteria 2.4 and 2.5.[v] I have been making this point for a while, although using a slightly different rationale. But I’m glad to hear Joe making it, since it can conceivably save some entities from over-classifying relays and other cyber assets at substations (and it is especially helpful with shared substations, where one owner has higher-voltage lines that are Medium impact, while the other has distribution-level voltage lines that are Low impact).
- Joe pointed out that, for any Critical Assets an entity may have had under CIP v3, they should approach their Transmission Planner, Balancing Authority, or Reliability Coordinator to make sure they won’t be Medium impact under criteria 2.3, 2.6 or 2.7.
- Joe also stated that, for entities that chose to move to v5 during the transition period between CIPs v3 and v5, any Areas of Concern that were identified during an audit in the transition period should be mitigated before the next audit – otherwise, they might receive a PV.
- Joe made the important point that there should be no direct routable connections between BCS at substations that don’t go through an EACMS (in the case of Medium substations) or a LEAP (in the case of Lows).
The second “presentation” (really consisting of two presentations on two different days) was by Lisa Wood and Eric Weston of WECC; it was entitled “Assets containing Low impact BCS”. It discussed in detail what WECC will be looking for in audits of entities with Low assets. Here are some of the main points from this presentation:
- Logging of physical access is a good thing but isn’t required in v5/v6.
- Managed firewalls are permitted at Lows, as long as you can get the configuration files. (Evidently, one entity was having trouble getting those files from their vendor. Of course, not being able to track and control the firewall configuration would create a real problem for compliance.)[vi]
- Since the definition of LERC is now before the CIP v7 Standards Drafting Team, WECC will follow the SDT’s discussion of that topic, and potentially use it to inform their interpretation of LERC (I hope to have a post specifically discussing this topic very soon). In other words, it’s not a bad idea for entities to keep an eye on the SDT as well.[vii]
- If the entity has a device that functions like an Intermediate System in CIP-005 R2 (although Intermediate Systems aren’t required for Interactive Remote Access to Low BCS, as they are for High and Medium BCS), this can be considered to constitute a “protocol break” for LERC.[viii]
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] You may notice that Joe uses the politically incorrect term “Low impact BES asset”, rather than “asset containing a Low impact BES Cyber System”. He underlined his heresy by also referring to “High impact BES assets” and “Medium impact BES assets”. He’s lucky the church gave up burning heretics at the stake years ago. If not, both he and I might be crispy critters by now!
[ii] Unfortunately, CIP-002 R1 doesn’t say anything about developing such a methodology, as it did for the RBAM in CIP v1-3. But this is implicitly required nevertheless, both for Highs and Mediums as well as for Lows. Of course, for Highs and Mediums, the real point of the methodology is identification of High and Medium BCS. For Lows, it is simply identification of the Low assets, or if you will “assets containing a Low impact BCS”.
[iii] With the exception of BES assets that have no control systems at all. Since a Low asset is defined as an asset “containing a Low impact BCS”, it obviously can’t have any BCS if it doesn’t have any control systems. So these assets aren’t High, Medium or Low impact – they fall outside the CIP standards altogether.
[iv] Joe points out that you can remove assets from the BES list through BESnet.
[v] I would say that there’s no reason that 2.6 – 2.8 shouldn’t also be included in this statement.
[vi] I was quite interested to hear that WECC was condoning managed firewalls for Low impact assets. This makes a lot of sense to me, given the large number of Low assets and the potential savings from having a managed solution. But I also know that managed firewalls (or any sort of managed security services) are pretty much verboten for High or Medium impact assets. This is because of the difficulty of getting a managed services provider to agree to take the fairly onerous steps required to restrict access to the entity’s BCS information on their servers. I’ve been told by an auditor that he knows of no entities at all that are using managed security services for Critical Assets under v3, or Medium impact assets under v5. But, since the Low assets aren’t subject to the same information protection requirements, this shouldn’t apply to them. I’m quite glad to see that WECC is explicitly making this statement.
[vii] The best way to follow the SDT is to get on their mailing list, so that you get announcements of all meetings (both onsite and phone only, although the onsite meetings can be followed by webinar as well), as well as draft documents and comments. To do that, email firstname.lastname@example.org
[viii] Of course, there is currently no official definition of LERC, since FERC wasn’t happy with what NERC came up with in v6 and has ordered a new definition be developed by March 2017. So this can’t be considered the same as an actual Interpretation of a requirement, but it should be encouraging to WECC entities that they can have at least this one island of certainty in the vast sea of uncertainty that is NERC CIP version 5.