Sunday, August 27, 2017

The Horror, Part 2: The End is Near

It isn’t my intention from now on to only use titles for my posts that sound like they come from bad movies. But this post is a follow up to a post that described what I believe is a genuine horror: the fact that there isn’t now and never will be any guidance published on NERC CIP that is in any meaningful way binding on the auditors. NERC entities are truly on their own when it comes to deciding how to interpret CIP v5/v6, given the ambiguities, missing definitions and inconsistencies that are found in those standards as written. I’m sure most NERC entities understand this already, even though they may not have articulated it so far (however, I’m not at all sure most people at NERC understand this).

But I regret to say that the horror I described in the previous post is only the lesser of two horrors, and the second horror is a lot scarier than the first. In other words, this post is one sequel that may actually be scarier than the original. Parental discretion advised.

This summer, I was in Montreal for the meeting of the CIP Modifications Standards Drafting Team (the team that’s working on all CIP changes except the new Supply Chain Security Management standard, CIP-013. That one has its own SDT). This was the first meeting of this team that I’d been able to attend in six months, and I’m very glad I did attend.

I wanted to come to this meeting primarily to get updated on what this team is doing. But I also came because I wanted to see if they felt the same sense of alarm about their mission as I do. As I pointed out in this post in January, I have come to doubt that there is any way for this team ever to accomplish everything that is in their Standards Authorization Request (SAR).

So I have good news and bad news. The good news is that I no longer have any doubts about whether this team can accomplish everything in their SAR. The bad news is I’m now certain they can’t ever do this. This is due to no fault of their own; it just turns out their marching orders came from Mission: Impossible.

So – since I’m just a helpful guy by nature – I came to Montreal prepared to bring up to the team the fact that they really need to think now about what they can and can’t accomplish; after all, I don’t think any of them joined the drafting team with the expectation that they’d serve on it until retirement! One conversation I’d had with a team member at the NERC CIPC meeting two weeks previous had led me to believe it would be difficult for the team members to even have this conversation.

However, I was glad to see that one of the first items discussed at the meeting was the question whether they need to revisit their SAR now. Of course, doing this will be no small deal. A NERC drafting team doesn’t get to decide for themselves which parts of their SAR they’ll be able to fulfill; if they want to change it, they need to somehow get NERC to modify it, which may require ballots (and I don’t know whether this has ever happened in NERC’s history, and certainly not with any of the CIP drafting teams).

So what is in this team’s SAR? I described the SAR in this post in early 2016. I’ll now list each of the items in the SAR and discuss its status (although I’ll group them differently than I did in the previous post):

  1. The team has finished with the FERC directive to clarify the meaning of LERC. This was approved by the NERC ballot body – although it proved much more contentious among the NERC membership than I ever imagined it would – and sent to FERC in early March (FERC, of course, hasn’t had a quorum since then, but now they do again. Given that there are a number of urgent projects like pipelines that need to be approved, my guess is they won’t get to this for six months or more).
  2. Similarly, the team has finished with the FERC directive to develop requirements for Transient Electronic Devices for Low impact BES Cyber Systems. This was also sent to FERC in March, thus saving NERC the cost of another postage stamp.
  3. The FERC directive to protect “communications network components” between Control Centers is being addressed in the new CIP-012. This has been drafted and is now out for a first ballot.

These were the three items that were ordered by FERC, meaning neither NERC nor the drafting team has any choice but to fulfill them. Even though the last of these isn’t yet put to bed, it’s well on its way, and there’s no question that the SDT will fulfill it. But what about the items in the SAR that weren’t ordered by FERC?

First, the Transmission Operator Control Centers (TOCC) issue – which I admit I understand only on a fairly superficial level – has been the subject of a lot of debate and comment (I referred to it as the “TO/TOP Issue” in my 2016 post). I’m sure it will be resolved, since it is a very contentious issue for a large number of (relatively small) NERC entities. This one doesn’t pose any philosophical issues: Everyone seems to agree on what needs to happen, but they haven’t yet agreed on the wording that will make it happen. I’m sure they will agree in the near future, though.

What about the other items in the SDT’s SAR? As discussed in depth in the previous post, these include

a) Clarifying the definition of Cyber Asset (especially the meaning of “Programmable”);
b) Preventing the BES Cyber Asset definition from “subsuming” all other asset types (and here we have another potential horror movie title: “The Definition that ate all the Assets!”);
c) Determining how to set a “lower bound” for “impact on the BES” in the BCA definition;
d) The question of “double impact” and preventing this from leading to the N-1 criterion raising its ugly head to exempt lots of assets from the scope of CIP v5 (as discussed in the previous post, I thought the way this question was phrased was wrong, but I was also surprised that the N-1 criterion was still the bugaboo it had been in the CIP v1 days. I thought it had been laid to rest with a stake through its heart then);
e) The “Network and externally accessible devices” question; and
f) Virtualization (i.e. trying to fix the problem that CIP is now completely silent on virtualization, meaning that – strictly technically speaking – any virtualized cyber assets are completely out of scope).

These might seem like very different issues, but items a) through e) all have to do with asset identification – that is, CIP-002 R1. And in the Montreal meeting, one of the SDT members pointed out one very important reason - which I hadn’t thought of - why it would be better to leave these items alone (in other words, to ask NERC to remove them from the SAR): If one or more of these were changed, NERC entities with Medium or High impact assets would probably have to re-run their entire asset identification process. Whether or not this resulted in a lot of new cyber assets coming into scope for CIP v5/v6 or maybe a lot of existing ones being removed from scope, just having to go through this exercise again would require a huge investment of staff time and money, especially on the part of large entities that have hundreds or thousands of BES Cyber Assets.

Of course (and here I’m going beyond what was discussed in Montreal; the discussion of this issue ended after the above point was raised, when one of the team leaders noted that at the moment there was still one item on the SDT’s plate that had to be dealt with due to a FERC order, so the question of their SAR didn’t need to be settled right away), the fact that a huge investment would be required doesn’t itself mean the effort shouldn’t happen; after all, we’re talking about protecting the US electric grid! But what would this effort accomplish? Even with all the ambiguities and missing definitions in CIP-002 R1, Attachment 1, and the Cyber Asset and BCA definitions – and there are a lot more that never made it into the SAR - there has been a remarkable consensus among entities and the NERC Regions as to how cyber assets should be evaluated to identify BCAs.

As proof of this consensus, I haven’t heard of a single NERC entity that has been told they were way off the mark on how they identified BCAs, and they’re now in deep doo-doo because they have a bunch of – say – relays that now need to be brought into compliance with all of the requirements in CIP-003 through -011. In other words, if there were even one sizable entity that had woefully under-identified its BCAs and had therefore put the security of the BES at risk, my guess is I would have heard something about that by now. In still other words, if there’s no problem to fix, why require entities to go through this huge effort?

Those of you (both of you, I think) that read this blog in 2014 and 2015 may perhaps remember that I was very worried about the fact that there was so much ambiguity, contradiction, and missing definitions in the CIP v5 asset identification process. In fact, I’m sure I wrote at least 50 posts on various aspects of this problem. As I recounted in my previous Horror post, I had at first hoped the CIP v6 drafting team would be charged with fixing these problems, then I hoped that some sort of guidance could be put out to do this.

When it became clear in 2016 that neither of these would happen, I went through all the stages of grief, and I finally came to realize there would be no true fix for these problems. NERC entities would simply have to in effect write their own CIP v5 standards, following whatever unofficial (and almost always unwritten) guidance their Regions will give them. And I began to realize that NERC could ask Mahatma Gandhi, Mother Teresa, Alexander Hamilton, James Madison, Solon, and the Buddha to sit down at a table and hammer out a final solution to these problems, and these august personages still wouldn’t be able to do so, any more than the members of the original CIP v5 SDT (who I know were aware there were a number of serious issues in v5, but were under enormous pressure to finally deliver FERC a response to the directives in Order 706, issued in 2008) were able to do so. Indeed, I came to realize that only a wholesale rewriting of the CIP standards (and, as I’ve also come to realize more recently, NERC’s CMEP and maybe even the Rules of Procedure) will “solve” these problems for good.

So I totally agree with the sentiment among at least some of the CIP Modifications SDT that all of the “asset identification” issues in their SAR should be removed from it (and I also believe item f above, virtualization, should be removed, although for a very different reason; I will discuss that in a separate post soon). What does this mean? It means I believe we’ve come to the end of the line for further developments in NERC CIP, unless FERC orders a new standard.

Specifically, there will be no further efforts to rewrite CIP v5 or v6 requirements and definitions to clarify the many wording problems, including the efforts in the current SDT’s SAR. How could it be otherwise? If the current SDT succeeds in getting these items removed from their SAR, who will ever even suggest in the future that a new SDT be constituted to try to fix problems with CIP v5? We are truly at the end of the line for any further refinement of the current CIP standards.

The lesson of the first Horror post was that there is not now and will never be any guidance on NERC CIP – published by NERC, the Regions, or any other organization or individual (which includes, I hate to say, my blog posts) – that can be considered in any way binding on CIP auditors. Entities need to decide for themselves how to address each interpretation issue, and document why they think that way.

And the lesson of this second Horror post is that the only possible means of resolving these issues – writing a new SAR and revising the existing CIP requirements and definitions (or developing new requirements or definitions to fix issues like the meaning of Programmable) is now closed. Thus, the CIP v5 and v6 standards will always be ambiguous and inconsistent, until they are replaced with new standards that take a very different approach.

From now on, I plan to mostly write about what kind of standards (or maybe just one standard) could replace the current CIP standards and eliminate these ambiguities (more specifically, the new standards would make ambiguities, like the ones in CIP-002 R1 and Attachment 1, irrelevant). And I will also write a lot about CIP-013, which – despite its many flaws – moves a long way toward what I think all of the CIP standards should be (and this creates a lot of interesting problems, since of course CIP-013 will be enforced using the same prescriptive CMEP as all the other NERC standards).

However, I don’t intend to ignore CIP v5 and v6 from now on; after all, they will remain the law of the land for at least 2-3 more years. But at every possible occasion I’ll let my inner snark appear and point out that whatever problem I’m discussing at the moment can only be finally resolved when the CIP standards are rewritten. During the turbulent ’60s, I and my radical friends had a running joke that every problem – no matter how pedestrian – would be resolved “come the Revolution”. But now I’m not joking: I hope I’ve demonstrated to your satisfaction in these two Horror posts that there will be no resolution to the problems of CIP v5 and v6 until the standards are replaced with ones that take a very different approach.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.
