It isn’t my
intention from now on to only use titles for my posts that sound like they come
from bad movies. But this post is a follow-up to a post
that described what I believe is a genuine horror: the fact that there isn’t
now and never will be any guidance published on NERC CIP that is in any
meaningful way binding on the auditors. NERC entities are truly on their own
when it comes to deciding how to interpret CIP v5/v6, given the ambiguities,
missing definitions and inconsistencies that are found in those standards as
written. I’m sure most NERC entities understand this already, even though they
may not have articulated it so far (however, I’m not at all sure most people at
NERC understand this).
But I regret
to say that the horror I described in the previous post is only the lesser of
two horrors, and the second horror is a lot scarier than the first. In other
words, this post is one sequel that may actually be scarier than the original.
Parental discretion advised.
This summer,
I was in Montreal for the meeting of the CIP Modifications Standards Drafting
Team (the team that’s working on all CIP changes except the new Supply Chain
Security Management standard, CIP-013. That one has its own SDT). This was the
first meeting of this team that I’d been able to attend in six months, and I’m
very glad I did attend.
I wanted to
come to this meeting primarily to get updated on what this team is doing. But I
also came because I wanted to see if they felt the same sense of alarm about
their mission as I do. As I pointed out in this
post in January, I have come to doubt that there is any way for this team ever
to accomplish everything that is in their Standards
Authorization Request (SAR).
So I have
good news and bad news. The good news is that I no longer have any doubts about
whether this team can accomplish everything in their SAR. The bad news is I’m
now certain they can’t ever do this. This is due to no fault of their own; it
just turns out their marching orders came from Mission: Impossible.
So – since
I’m just a helpful guy by nature - I came to Montreal prepared to bring up to
the team the fact that they really need to think now about what they can and
can’t accomplish; after all, I don’t think any of them joined the drafting team
with the expectation that they’d serve on it until retirement! One conversation
I’d had with a team member at the NERC CIPC meeting two weeks earlier had led
me to believe it would be difficult for the team members even to have this
conversation.
However, I
was glad to see that one of the first items discussed at the meeting was the
question of whether they need to revisit their SAR now. Of course, doing this will
be no small deal. A NERC drafting team doesn’t get to decide for themselves
which parts of their SAR they’ll be able to fulfill; if they want to change it,
they need to somehow get NERC to modify it, which may require ballots (I
don’t know whether this has ever happened in NERC’s history; it certainly hasn’t
happened with any of the CIP drafting teams).
So what is
in this team’s SAR? I described the SAR in this
post in early 2016. I’ll now list each of the items in the SAR and discuss its
status (although I’ll group them differently than I did in the previous post):
- The team has finished with the FERC directive to clarify
the meaning of LERC (Low Impact External Routable Connectivity). This was approved by the NERC ballot body – although
it proved much more contentious among the NERC membership than I ever
imagined it would – and sent to FERC in early March (FERC, of course,
hasn’t had a quorum since then, but now they do again. Given that there
are a number of urgent projects like pipelines that need to be approved,
my guess is they won’t get to this for six months or more).
- Similarly, the team has finished with the FERC directive
to develop requirements for Transient Electronic Devices for Low impact
BES Cyber Systems. This was also sent to FERC in March, thus saving NERC
the cost of another postage stamp.
- The FERC directive to protect “communications network
components” between Control Centers is being addressed in the new CIP-012.
This has been drafted and is now out for a first ballot.
These were
the three items that were ordered by FERC, meaning neither NERC nor the
drafting team has any choice but to fulfill them. Even though the last of these
isn’t yet put to bed, it’s well on its way, and there’s no question that the
SDT will fulfill it. But what about the items in the SAR that weren’t ordered
by FERC?
First, the
Transmission Operator Control Centers (TOCC) issue – which I admit I understand
only on a fairly superficial level – has been the subject of a lot of debate
and comment (I referred to it as the “TO/TOP Issue” in my 2016 post). I’m sure
it will be resolved, since it is a very contentious issue for a large number of
(relatively small) NERC entities. This one doesn’t pose any philosophical
issues: Everyone seems to agree on what needs to happen, but they haven’t yet
agreed on the wording that will make it happen. I’m sure they will agree in the
near future, though.
What about
the other items in the SDT’s SAR? As discussed in depth in the previous post, these
include
a) Clarifying
the definition of Cyber Asset (especially the meaning of “Programmable”);
b) Preventing
the BES Cyber Asset definition from “subsuming” all other asset types (and here
we have another potential horror movie title: “The Definition that ate all the
Assets!”);
c) Determining
how to set a “lower bound” for “impact on the BES” in the BCA definition;
d) The
question of “double impact” and preventing this from leading to the N-1
criterion raising its ugly head to exempt lots of assets from the scope of CIP
v5 (as discussed in the previous post, I thought the way this question was
phrased was wrong, but I was also surprised that the N-1 criterion was still
the bugaboo it had been in the CIP v1 days. I thought it had been laid to rest
with a stake through its heart then);
e) The
“Network and externally accessible devices” question; and
f)
Virtualization (i.e. trying to fix the problem
that CIP is now completely silent on virtualization, meaning that – strictly
technically speaking – any virtualized cyber assets are completely out of
scope).
These might
seem like very different issues, but items a) through e) all have to do with
asset identification – that is, CIP-002 R1. And in the Montreal meeting, one of
the SDT members pointed out one very important reason - which I hadn’t thought
of - why it would be better to leave these items alone (in other words, to ask
NERC to remove them from the SAR): If one or more of these were changed, NERC
entities with Medium or High impact assets would probably have to re-run their
entire asset identification process. Whether or not this resulted in a lot of
new cyber assets coming into scope for CIP v5/v6 or maybe a lot of existing
ones being removed from scope, just having to go through this exercise again
would require a huge investment of staff time and money, especially on the part
of large entities that have hundreds or thousands of BES Cyber Assets.
Of course,
the fact that a huge investment would be required doesn’t by itself mean the
effort shouldn’t happen; after all, we’re talking about protecting the US
electric grid! (Here I’m going beyond what was discussed in Montreal. The
discussion of this issue ended after the above point was raised, when one of
the team leaders noted that the SDT still had one item on its plate that had to
be dealt with due to a FERC order, so the question of the SAR didn’t need to be
settled right away.) But what would this effort accomplish? Even
with all the ambiguities and missing definitions in CIP-002 R1, Attachment 1,
and the Cyber Asset and BCA definitions – and there are a lot more that never
made it into the SAR - there has been a remarkable consensus among entities and
the NERC Regions as to how cyber assets should be evaluated to identify BCAs.
As proof of
this consensus, I haven’t heard of a single NERC entity that has been told they
were way off the mark on how they identified BCAs, and they’re now in deep
doo-doo because they have a bunch of – say – relays that now need to be brought
into compliance with all of the requirements in CIP-003 through -011. In other
words, if there were even one sizable entity that had woefully under-identified
its BCAs and had therefore put the security of the BES at risk, my guess is I
would have heard something about that by now. In still other words, if there’s
no problem to fix, why require entities to go through this huge effort?
Those of you
(both of you, I think) that read this blog in 2014 and 2015 may perhaps
remember that I was very worried about the fact that there was so much
ambiguity, contradiction, and missing definitions in the CIP v5 asset
identification process. In fact, I’m sure I wrote at least 50 posts on various
aspects of this problem. As I recounted in my previous Horror
post, I had at first hoped the CIP v6 drafting team would be charged with
fixing these problems, then I hoped that some sort of guidance could be put out
to do this.
When it
became clear in 2016 that neither of these would happen, I went through all the
stages of grief, and I finally came to realize
there would be no true fix for these problems. NERC entities would simply have
to in effect write their own CIP v5 standards, following whatever unofficial
(and almost always unwritten)
guidance their regions will give them. And I began to realize that NERC could
ask Mahatma Gandhi, Mother Teresa, Alexander Hamilton, James Madison, Solon, and the Buddha to sit
down at a table and hammer out a definitive solution to these problems, and these
august personages still wouldn’t be able to do so, any more than the members of
the original CIP v5 SDT (who I know were aware there were a number of serious
issues in v5, but were under enormous pressure to finally deliver FERC a
response to the directives in Order 706,
issued in 2008) were able to do so. Indeed, I came to realize that only a
wholesale rewriting of the CIP standards (and, as I’ve also come to realize
more recently, NERC’s CMEP and maybe even the Rules of Procedure) will “solve”
these problems for good.
So I totally
agree with the sentiment among at least some of the CIP Modifications SDT that
all of the “asset identification” issues in their SAR should be removed from it
(and I also believe item f above -virtualization - should be removed, although
for a very different reason. I will discuss that in a separate post soon). What
does this mean? It means I believe we’ve come to the end of the line for
further developments in NERC CIP, unless FERC orders a new standard.
Specifically,
there will be no further efforts to rewrite CIP v5 or v6 requirements and
definitions to clarify the many wording problems, including the efforts in the
current SDT’s SAR. How could it be otherwise? If the current SDT succeeds in
getting these items removed from their SAR, who will ever even suggest in the
future that a new SDT be constituted to try to fix problems with CIP v5? We are
truly at the end of the line for any further refinement of the current CIP
standards.
The lesson
of the first Horror post was that there is not now and will never be any
guidance on NERC CIP – published by NERC, the Regions, or any other
organization or individual (which includes, I hate to say, my blog posts) –
that can be considered in any way binding on CIP auditors. Entities need to
decide for themselves how to address each interpretation issue, and document
why they think that way.
And the
lesson of this second Horror post is that the only possible means of resolving these
issues – writing a new SAR and revising the existing CIP requirements and
definitions (or developing new requirements or definitions to fix issues like
the meaning of Programmable) – is now closed. Thus, the CIP v5 and v6 standards
will always be ambiguous and inconsistent, until they are replaced with new
standards that take a very different approach.
From now on,
I plan to mostly write about what kind of standards (or maybe just one
standard) could replace the current CIP standards and eliminate these
ambiguities (more specifically, the new standards would make ambiguities, like
the ones in CIP-002 R1 and Attachment 1, irrelevant). And I will also write a
lot about CIP-013, which – despite its many flaws
– moves a long way toward what I think all of the CIP standards should be (and
this creates a lot of interesting problems, since of course CIP-013 will be
enforced using the same prescriptive CMEP as all the other NERC standards).
However, I
don’t intend to ignore CIP v5 and v6 from now on; after all, they will remain
the law of the land for at least 2-3 more years. But at every possible occasion
I’ll let my inner snark appear and point out that whatever problem I’m discussing
at the moment can only be finally resolved when the CIP standards are
rewritten. During the turbulent 1960s, my radical friends and I had a running
joke that every problem – no matter how pedestrian – would be resolved “come
the Revolution”. But now I’m not joking: I hope I’ve demonstrated to your
satisfaction in these two Horror posts that there will be no resolution to the
problems of CIP v5 and v6 until the standards are replaced with ones that take
a very different approach.
The views and opinions expressed here are my own and don’t
necessarily represent the views or opinions of Deloitte.