Anyone who
was involved with NERC CIP during the period from say mid-2014 through mid-2016
(i.e. the two years leading up to the CIP v5 compliance date) will remember
that for a while it seemed that the fate of the universe hinged on the word
“programmable”. This is because the v5 definition of Cyber Asset was “Programmable
electronic device…”, and programmable wasn’t defined. Yet it was essential to
properly identify Cyber Assets, since BES Cyber Assets, hence BES Cyber
Systems, could never be properly identified unless the entity had properly
identified their Cyber Assets.
It has
always been clear what an “electronic device” is, but there was never a
definition of “programmable” – and certainly not from a major dictionary – that
NERC entities felt would properly identify Cyber Assets at a generating plant
or substation. The problem at these assets is that there can be all sorts of
weird devices that don’t run Windows, Linux, or any other operating system
you’ve ever heard of – and often don’t run any operating system at all. Yet
they still could conceivably be programmable, depending on how you define it.
In
2014-2016, billions, and probably quintillions, of electrons were utilized by
the various online discussions of the meaning of programmable (I myself made a
modest contribution to the discussion with this
post and this
one, as well as mentions in other posts that I’ve forgotten). More importantly,
NERC made several concerted efforts to try to explain what the word really
meant. The first was a well-received Lesson Learned in January 2015, which many
NERC entities thought provided a very reasonable definition.
However,
this LL was both withdrawn from the website (although I still have a copy if you
want to email me for it. I may have to deliver it to you by hand in the dark of
night in a city far away from Atlanta or Washington, DC, but I promise I’ll get
it to you!) and also directly repudiated in one of the six infamous Memoranda
that NERC issued in April of 2015. That Memorandum (this of course was itself
later withdrawn from the website, along with the other Memoranda. I also still
have a copy of this. Since it is even more sensitive, I may have to arrange to
meet you in a foreign country to exchange it with you, and I’ll probably have
to wear a wig and fake mustache, and talk with an impenetrable accent) took a
very harsh line, insisting that even devices that could only be “programmed” by
physically changing DIP switches were programmable. Moreover, like the other
five Memoranda, it claimed some sort of absolute authority – i.e. it wasn’t
subject to any industry review or correction. I discussed the controversy while
it was still going on, in the second post linked in the paragraph above this
one.
This and the
other five Memoranda produced a huge firestorm in the NERC community, which
culminated in what must have been a very interesting meeting
on July 1, 2015. In that meeting, it seems there was a big revolt staged by the
industry trade associations. NERC not only withdrew the Memoranda, they all but
admitted there would never be any definitive guidance on the subjects of those
Memoranda, including of course the definition of “Programmable”.
Finally, at
the beginning of 2016 NERC turned this question, as well as a number of others,
over to the drafting team that was formed to address FERC’s directive in Order 822,
the Order where FERC approved CIP v6 but ordered further changes to CIP.
Throughout all of this process, entities couldn’t wait for the question of the meaning
of programmable to be settled (and they would have been disappointed had they
waited!). I recommended that they “roll
their own” definition, and many did that. I also recommended that entities follow
the same approach for any other area of ambiguity in the CIP standards, of
which there are many. My guess is all of the larger entities did that (not
because I said it, just because it was really the only logical thing to do in
this situation), although I also think the smaller entities (with Medium and/or
High assets) simply muddled through without doing anything in particular.
I admit I
haven’t heard (or thought) very much about this question until this week, when
I attended a meeting of the Order 822 drafting team (known as “Modifications to
CIP Standards”) in Montreal. Yet on the first day of the meeting, there was a
discussion of “Programmable”! I think the topic came up because this team is
now discussing how virtualization can be incorporated into the CIP standards
(one of the items on their very ambitious agenda – I will have a post on that
topic shortly), and the definition of Cyber Asset will have to be changed for
that.
The reason
the Cyber Asset definition needs to be changed to accommodate virtualization is
the word “device”. There is no getting around the fact that this word means something
hard, not something that is just software (my operational definition is that if
you drop a device on your foot, it will hurt. If you drop a virtual device on
your foot, it won’t hurt – if you can even figure out how to do anything physical
with a virtual device!).
The drafting
team will definitely propose a change to allow virtual devices, but it seemed
pretty obvious that they don’t have the stomach to deal with the Programmable
issue. One person mentioned that issuing a definition of Programmable at this
point would probably require all NERC entities with Medium and/or High impact
assets to go back and re-run their entire asset identification methodologies.
This would almost certainly require a huge expenditure of time and money on the
part of NERC entities, and I can understand why this isn’t exactly right at the
top of everyone’s wish list. They did mention possibly including a discussion
of Programmable in the Guidance (it isn’t there in the current Guidance and
Technical Basis for CIP-002-5.1, where it would logically be found), but the
issue of standards guidance in general – which was extensively discussed – brings
up a whole host of issues, which I hope to discuss in one of my next posts.
Meanwhile, I
was reminded that a Lesson
Learned approved in 2015 included a discussion of this issue (pages 3-4,
under “Capability”). I just reread it, and found it a pretty good effort. Of
course, it doesn’t say what NERC will consider to be programmable vs. not, but
it does list some devices that entities in the CIP v5 Transition Study considered
to be non-programmable, and the fact that this isn’t disputed obviously means
at least some staff at NERC and the regions consider this OK. Obviously, this
isn’t the sort of evidence that would stand up in a court of law, but in the
world of CIP v5 this is about as good as it gets!
So I need to
tell you that I don’t think there will ever be any more certainty as to the
meaning of “Programmable” in the Cyber Asset definition than there is now.
While this certainly isn’t a great situation, it’s nowhere near as bad as some
of the other areas of ambiguity, missing definitions, or outright contradiction
in CIP v5 (and if you want a discussion of some of these, just read almost any
of my posts from the end of April 2013 through say the end of 2016. I did
compile a partial list of these areas in this
post).
And, as I
intend to discuss in one of my next posts, the prospects of getting final
answers to any of these CIP v5 interpretation questions are fast approaching
zero, if they haven’t already passed zero and gone into negative territory.
Have a nice day!
The views and opinions expressed here are my own and don’t
necessarily represent the views or opinions of Deloitte.