In early 2014, soon after FERC had approved CIP version 5, a lot of people in the industry (including me) started taking a serious look at the v5 standards, since they were now on their way to becoming the law of the land. One thing we noticed was this important discrepancy in CIP-002 Attachment 1: In Section 1, which discusses classification of High impact BES Cyber Systems, the criterion for deciding whether a system is High impact is if it is “used by and located at” one of the four types of control centers listed in that section. This makes it clear that no system that isn’t physically located at one of those four types of control centers can be High impact. So the BES Cyber Systems located at Medium or Low impact substations and generating stations that are controlled by the High Control Center will be Medium or Low impact respectively, not High impact.
However, in Section 2, which discusses classification of Medium impact BCS, the criterion for deciding whether a system is Medium impact is whether it is “associated with” one of the 13 criteria for assets listed in that section; two of these criteria (2.11 and 2.12) are for Control Centers. This means that, in the case of Medium Control Centers, a system doesn’t have to be physically located at the Control Center in order to be designated Medium impact.
Why is this a problem? Because Control Centers control lots of Cyber Assets (e.g. relays) “in the field” – i.e. located at transmission substations and generating stations. It would be very hard to argue that these field assets aren’t “associated with” the Control Center that controls them, meaning that any system that is located at one of these assets, and that meets the definition of BES Cyber System[1], will be Medium impact. And as anyone who has had to comply with CIP v5/v6 for High or Medium assets knows, even if there is only one Medium Cyber Asset located at the asset, there are a number of CIP requirements that automatically become applicable to the asset itself, or to other Cyber Assets located there.
Of course, if the auditors actually interpreted the wording this way (which clearly seems to me to be the right interpretation), there would have been a huge hue and cry from NERC entities with Low impact assets and a Medium impact Control Center, since a large number (perhaps all) of those Low assets would now be effectively Medium assets. However, they haven’t been interpreting it that way, and the main reason they haven’t has probably been the fact that in the Guidance and Technical Basis for CIP-002-5.1 (page 16), there is the following wording: “Criterion 2.12 categorizes as medium impact those BES Cyber Systems used by and at Control Centers and associated data centers performing the functional obligations of a Transmission Operator and that have not already been categorized as high impact. (my emphasis)”
Of course, this sentence seems to indicate that remote BCS controlled by a Control Center that meets Criterion 2.12 (these will most often be relays in substations) will not take the Medium impact rating of the Control Center. This certainly seems to contradict the language of Attachment 1, but I haven’t heard of any entity being dinged for not declaring those BCS to be Mediums (see this post from early 2014, which provides a different set of reasoning for why Criterion 2.12 should be interpreted to mean that the remote BCS aren’t Mediums. It is a pretty subtle argument, and I haven’t heard it put forth anywhere else).
However, things are changing. As you may know, NERC has decided that the Guidance and Technical Basis in each of the CIP v5 and v6 standards goes beyond what is permitted for NERC guidance. Some of it becomes an “interpretation” of the CIP requirements (and the passage I just quoted seems to be a good example of that. It not only interprets the wording of Attachment 1, it seems to contradict it). Therefore, NERC will remove the G&TB from the standards.
In theory, this shouldn’t make a difference. It has always been said that the G&TBs aren’t auditable. However, in practice the auditors have paid a lot of attention to them. What will happen when the G&TB for CIP-002 is removed?
My guess is nothing will happen, although I know some people in NERC-land are very fearful of this. Whatever the strict wording of the standard is, this is a case where the consequences of following that wording would be too harmful. I can’t imagine any of the regions would want to do this, especially since they’ve so far all allowed the entities to follow the “interpretation” in the Guidance and Technical Basis; there would be an uprising if they tried to take that away.
So why am I bringing this up? Because this is just one example of the fact that there is a lot of “interpretation” of the CIP standards going on, both by the entities who have to comply and the auditors who have to audit. It’s the grease that allows the wheels to turn in the creaky engine of NERC CIP.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.
[1] Of course, a BCS is just a set of BCAs that are grouped together, so BES Cyber Asset is really the operational definition.