Anyone who was involved with NERC CIP during the period from say mid-2014 through mid-2016 (i.e. the two years leading up to the CIP v5 compliance date) will remember that for a while it seemed that the fate of the universe hinged on the word “programmable”. This is because the v5 definition of Cyber Asset was “Programmable electronic device…”, and programmable wasn’t defined. Yet it was essential to properly identify Cyber Assets, since BES Cyber Assets, hence BES Cyber Systems, could never be properly identified unless the entity had properly identified their Cyber Assets.
It has always been clear what an “electronic device” is, but there was never a definition of “programmable” – and certainly not from a major dictionary – that NERC entities felt would properly identify Cyber Assets at a generating plant or substation. The problem at these assets is that there can be all sorts of weird devices that don’t run Windows, Linux, or any other operating system you’ve ever heard of – and often don’t run any operating system at all. Yet they still could conceivably be programmable, depending on how you define it.
In 2014-2016, billions, and probably quintillions, of electrons were utilized by the various online discussions of the meaning of programmable (I myself made a modest contribution to the discussion with this post and this one, as well as mentions in other posts that I’ve forgotten). More importantly, NERC made several concerted efforts to try to explain what the word really meant. The first was a well-received Lesson Learned in January 2015, which many NERC entities thought provided a very reasonable definition.
However, this LL was both withdrawn from the website (although I still have a copy if you want to email me for it. I may have to deliver it to you by hand in the dark of night in a city far away from Atlanta or Washington, DC, but I promise I’ll get it to you!) and also directly repudiated in one of the six infamous Memoranda that NERC issued in April of 2015. That Memorandum (this of course was itself later withdrawn from the website, along with the other Memoranda. I also still have a copy of this. Since it is even more sensitive, I may have to arrange to meet you in a foreign country to exchange it with you, and I’ll probably have to wear a wig and fake mustache, and talk with an impenetrable accent) took a very harsh line, insisting that even devices that could only be “programmed” by physically changing DIP switches were programmable. Moreover, like the other five Memoranda, it claimed some sort of absolute authority – i.e. it wasn’t subject to any industry review or correction. I discussed the controversy while it was still going on, in the second post linked in the paragraph above this one.
This and the other five Memoranda produced a huge firestorm in the NERC community, which culminated in what must have been a very interesting meeting on July 1, 2015. In that meeting, it seems there was a big revolt staged by the industry trade associations. NERC not only withdrew the Memoranda, they all but admitted there would never be any definitive guidance on the subjects of those Memoranda, including of course the definition of “Programmable”.
Finally, at the beginning of 2016 NERC turned this question, as well as a number of others, over to the drafting team that was formed to address FERC’s directive in Order 822, the Order where FERC approved CIP v6 but ordered further changes to CIP. Throughout all of this process, entities couldn’t wait for the question of the meaning of programmable to be settled (and they would have been disappointed had they waited!). I recommended that they “roll their own” definition, and many did that. I also recommended that entities follow the same approach for any other area of ambiguity in the CIP standards, of which there are many. My guess is all of the larger entities did that (not because I said it, just because it was really the only logical thing to do in this situation), although I also think the smaller entities (with Medium and/or High assets) simply muddled through without doing anything in particular.
I admit I haven’t heard (or thought) very much about this question until this week, when I attended a meeting of the Order 822 drafting team (known as “Modifications to CIP Standards) in Montreal. Yet on the first day of the meeting, there was a discussion of “Programmable”! I think the topic came up because this team is now discussing how virtualization can be incorporated into the CIP standards (one of the items on their very ambitious agenda – I will have a post on that topic shortly), and the definition of Cyber Asset will have to be changed for that.
The reason the Cyber Asset definition needs to be changed to accommodate virtualization is the word “device”. There is no getting around the fact that this word means something hard, not something that is just software (my operational definition is that if you drop a device on your foot, it will hurt. If you drop a virtual device on your foot, it won’t hurt – if you can even figure out how to do anything physical with a virtual device!).
The drafting team will definitely propose a change to allow virtual devices, but it seemed pretty obvious that they don’t have the stomach to deal with the Programmable issue. One person mentioned that issuing a definition of Programmable at this point would probably require all NERC entities with Medium and/or High impact assets to go back and re-run their entire asset identification methodologies. This would almost certainly require a huge expenditure of time and money on the part of NERC entities, and I can understand why this isn’t exactly right at the top of everyone’s wish list. They did mention possibly including a discussion of Programmable in the Guidance (it isn’t there in the current Guidance and Technical Basis for CIP-002-5.1, where it would logically be found), but the issue of standards guidance in general – which was extensively discussed – brings up a whole host of issues, which I hope to discuss in one of my next posts.
Meanwhile, I was reminded that a Lesson Learned approved in 2015 included a discussion of this issue (pages 3-4, under “Capability”). I just reread it, and found it a pretty good effort. Of course, it doesn’t say what NERC will consider to be programmable vs. not, but it does list some devices that entities in the CIP v5 Transition Study considered to be non-programmable, and the fact that this isn’t disputed obviously means at least some staff at NERC and the regions consider this OK. Obviously, this isn’t the sort of evidence that would stand up in a court of law, but in the world of CIP v5 this is about as good as it gets!
So I need to tell you that I don’t think there will ever be any more certainty as to the meaning of “Programmable” in the Cyber Asset definition than there is now. While this certainly isn’t a great situation, it’s nowhere near as bad as some of the other areas of ambiguity, missing definitions, or outright contradiction in CIP v5 (and if you want a discussion of some of these, just read almost any of my posts from the end of April 2013 through say the end of 2016. I did compile a partial list of these areas in this post).
And, as I intend to discuss in one of my next posts, the prospects of getting final answers to any of these CIP v5 interpretation questions are fast approaching zero, if they haven’t already passed zero and gone into negative territory. Have a nice day!
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.