In early 2014, soon after FERC had approved CIP version 5, a lot of people in the industry (including me) started taking a serious look at the v5 standards, since they were now on their way to becoming the law of the land. One thing we noticed was this important discrepancy in CIP-002 Attachment 1: In Section 1, which discusses classification of High impact BES Cyber Systems, the criterion for deciding whether a system is High impact is if it is “used by and located at” one of the four types of control centers listed in that section. This makes it clear that no system that isn’t physically located at one of those four types of control centers can be High impact. So the BES Cyber Systems located at Medium or Low impact substations and generating stations that are controlled by the High Control Center will be Medium or Low impact respectively, not High impact.
However, in Section 2, which discusses classification of Medium impact BCS, the criterion for deciding whether a system is Medium impact is whether it is “associated with” one of the 13 criteria for assets listed in that section; two of these criteria (2.11 and 2.12) are for Control Centers. This means that, in the case of Medium Control Centers, a system doesn’t have to be physically located at the Control Center in order to be designated Medium impact.
Why is this a problem? Because Control Centers control lots of Cyber Assets (e.g. relays) “in the field” – i.e. located at transmission substations and generating stations. It would be very hard to argue that these field assets aren’t “associated with” the Control Center that controls them, meaning that any system that is located at one of these assets, that meets the definition of BES Cyber System, will be Medium impact. And as anyone who has had to comply with CIP v5/v6 for High or Medium assets knows, even if there is only one Medium Cyber Asset located at the asset, there are a number of CIP requirements that automatically become applicable to the asset itself, or to other Cyber Assets located there.
Of course, if the auditors actually interpreted the wording this way (which clearly seems to me to be the right interpretation), there would have been a huge hue and cry from NERC entities with Low impact assets and a Medium impact Control Center, since a large number (perhaps all) of those Low assets would now be effectively Medium assets. However, they haven’t been interpreting it that way, and the main reason they haven’t has probably been the fact that in the Guidance and Technical Basis for CIP-002-5.1 (page 16), there is the following wording: “Criterion 2.12 categorizes as medium impact those BES Cyber Systems used by and at Control Centers and associated data centers performing the functional obligations of a Transmission Operator and that have not already been categorized as high impact. (my emphasis)”
Of course, this sentence seems to indicate that remote BCS controlled by a Control Center that meets Criterion 2.12 (these will most often be relays in substations) will not take the Medium impact rating of the Control Center. This certainly seems to contradict the language of Attachment 1, but I haven’t heard of any entity being dinged for not declaring those BCS to be Mediums (see this post from early 2014, which provides a different set of reasoning for why Criterion 2.12 should be interpreted to mean that the remote BCS aren’t Mediums. It is a pretty subtle argument, and I haven’t heard it put forth anywhere else).
However, things are changing. As you may know, NERC has decided that the Guidance and Technical Basis in each of the CIP v5 and v6 standards goes beyond what is permitted for NERC guidance. Some of it becomes an “interpretation” of the CIP requirements (and the passage I just quoted seems to be a good example of that. It not only interprets the wording of Attachment 1, it seems to contradict it). Therefore, NERC will remove the G&TB from the standards.
In theory, this shouldn’t make a difference. It has always been said that the G&TB’s aren’t auditable. However, in practice the auditors have paid a lot of attention to them. What will happen when the G&TB for CIP-002 is removed?
My guess is nothing will happen, although I know some people in NERC-land are very fearful of this. Whatever the strict wording of the standard is, this is a case where the consequences of following that wording would be too harmful. I can’t imagine any of the regions would want to do this, especially since they’ve so far all allowed the entities to follow the “interpretation” in the Guidance and Technical Basis; there would be an uprising if they tried to take that away.
So why am I bringing this up? Because this is just one example of the fact that there is a lot of “interpretation” of the CIP standards going on, both by the entities who have to comply and the auditors who have to audit. It’s the grease that allows the wheels to turn, in the creaky engine of NERC CIP.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.