Tuesday, June 19, 2018

A must-read for your Lew Folkerth Collection

I’m now getting in the habit of reading Lew Folkerth’s column in the RF newsletter as soon as the newsletter appears. So when I got notice of the May-June newsletter, I didn’t let it sit in my inbox for days, but immediately downloaded it and went to Lew’s column – called, as always, The Lighthouse. As usual, it was very rewarding to read the column, and I think you’ll agree with me when you read it (unless you don’t give a d___ about NERC CIP, but then why are you reading this blog in the first place?).

Lew covered multiple topics in this column, and did a good job on all of them except the last one. Since I’m naturally jealous of anyone who has such a good knowledge of everything having to do with NERC CIP, I will of course make a big point of calling attention to his error. But I’ll start at the beginning:

First, he discusses the compliance date for CIP-003-7. Of course, this agrees completely with what I said about the same topic, at much greater length. But in my opinion, I said it with a lot more flair than he did. So there.

Second, he provides a great analysis of the meaning of something FERC ordered in Order 843 (which approved CIP-003-7), which is a study of how the revised electronic access control requirement in CIP-003-7 is implemented (I had frankly skimmed through that part of the Order). He points out that FERC, in their NOPR on CIP-003-7 last year, had sounded like they were going to order beefed-up electronic access controls when they approved CIP-003-7 (as I had discussed in my post soon after the NOPR appeared).

But FERC was evidently persuaded by the comments received on the NOPR that they should hold off on doing this for now, and instead ordered NERC to conduct the study once audits begin on CIP-003-7 (and since they won’t begin until after 1/1/20, the report probably won’t be out until 2021). Lew points out three expectations FERC has for how entities will comply with the new requirement:

  1. Responsible Entities are expected to be able to provide a technically sound explanation as to how the electronic access controls meet the security objective.
  2. NERC and the Regional Entities will have the ability to assess the effectiveness of the electronic access control plan required by CIP-003-7 R2.
  3. NERC and the Regional Entities will have the ability to assess an entity's adherence to its electronic access control plan.

You can bet the auditors will be looking for these three things as well. So make sure you know how you are going to address them as you’re implementing (or reviewing) your electronic access control program for your Low impact assets. I do want to point out that “effectiveness” is something Lew has emphasized is very important all along: When the requirement just tells you the objective to achieve, not how you are to achieve it, the auditors are going to want to make sure whatever control you do implement is effective. So you can’t say you decided that repeating an ancient chant once a day was the best way to control electronic access to your Low impact assets. Sorry to disappoint you on that.

Lew also pointed out that you can expect that, when you do get audited on this requirement starting in 2020, the auditors will ask more questions than they would strictly need to ask in order to determine compliance with the requirement. Don’t get upset about this, since they’re doing it mostly because FERC wants this information for the study. But definitely be prepared to answer those questions.

Lew’s third topic is the impact of Criterion 2.4 of Attachment 1 of CIP-002-5.1 on Low impact BCS. He did this in response to a question about whether the presence of a single 500kV line at a transmission substation brings “the entire substation” to the Medium impact level. Lew starts his answer by pointing out that criterion 2.4 (and indeed, all of criteria 2.4 through 2.8) applies to “Facilities” with a capital F, meaning it’s a NERC Glossary term.

Lew points out that each line, transformer, bus, etc. in the substation is a Facility. So in the case of a substation with one 500kV line, that line is the only Medium impact Facility at the substation, meaning only the BES Cyber Systems that control that line (primarily relays, of course) will be Medium impact.

Note: An auditor wrote in to me after this appeared and made the following comments on the above paragraph. Of course, I stand corrected and appreciate his pointing this out to me: You stated “Lew points out that each line, transformer, bus, etc. in the substation is a Facility. So in the case of a substation with one 500kV line, that line is the only Medium impact Facility at the substation, meaning only the BES Cyber Systems that control that line (primarily relays, of course) will be Medium impact.”  You are not technically correct in your statement.  The Medium Impact Facilities include the breakers, switches, transformers, etc., that are operated at 500 kV (essentially connected in some fashion to the 500 kV line).  The relays do not “control” the line, they control the equipment connected to the line.  If you are monitoring the line (or more likely the bus), that brings in the relays connected to the CTs and PTs (Current and Potential Transformers).

The rest of the BCS will be Low impact, unless the substation also meets Criterion 2.5. Lew points out that “In order to meet IRC 2.5, a substation must connect at 200kV or higher to three other substations… If this aggregate weighted value exceeds 3000, then the BES Cyber Systems associated with Facilities at that substation receive a medium impact rating (my emphasis).”

I do want to point out a slight infelicity (I won’t call it an error. Heaven forbid!) in the phrase I emphasized in the quotation above. It seems to say that, if the substation meets criterion 2.5 as well as 2.4, then all BCS at the substation will be Medium impact. In fact, criterion 2.5 applies only to Facilities operated between 200kV and 499kV, so only the BCS associated with those Facilities become Medium under 2.5. This means that, if there’s also a 138kV line at the substation, it will be Low impact and the relays associated with it will be Lows as well.
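To make the Facility-by-Facility logic concrete, here is a small classifier that applies Criteria 2.4 and 2.5 to the Transmission Facilities at one substation and reports which Facilities (and so which associated BCS) come out Medium and which stay Low. This is an added example written for this post; it is not from Lew’s column or from NERC. The per-line weights (700 for 200-299kV, 1300 for 300-499kV, 0 for 500kV and above) and the 3000 threshold are taken from the Criterion 2.5 table in CIP-002-5.1 Attachment 1, not from anything quoted above; the two substations and their Facility names are constructed for illustration. It rates each Facility and assumes the BCS associated with it inherit that rating, and it deliberately ignores what the substation network looks like.

```python
"""Added example: apply CIP-002-5.1 Attachment 1 Criteria 2.4 and 2.5 to the
Transmission Facilities at one substation. Not code from the column or the
standard; weights and threshold are from the Criterion 2.5 table, the
substation data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Facility:
    """One Transmission Facility (NERC Glossary capital-F) at the substation.

    kv: operating voltage in kV; kind: 'line', 'breaker', 'transformer', ...
    remote_station: for lines only, the other station the line terminates at
    (constructed attribute, used to count connections for Criterion 2.5).
    """
    name: str
    kv: int
    kind: str
    remote_station: Optional[str] = None


def line_weight(kv: int) -> int:
    """Criterion 2.5 'weight value per line' table."""
    if 200 <= kv <= 299:
        return 700
    if 300 <= kv <= 499:
        return 1300
    return 0  # below 200 kV: not applicable; 500 kV and above: weight 0 (covered by 2.4)


def meets_criterion_2_4(f: Facility) -> bool:
    """Criterion 2.4: Transmission Facilities operated at 500 kV or higher."""
    return f.kv >= 500


def criterion_2_5_status(facilities: List[Facility]) -> Tuple[bool, int, int]:
    """Return (met, distinct other stations connected at >=200 kV, aggregate weighted value).

    2.5 needs BOTH: connection at 200 kV or higher to three or more OTHER
    stations/substations, and an aggregate weighted value over 3000. Weights
    are summed per line, but parallel lines to the same station count once
    toward the three-station test.
    """
    lines = [f for f in facilities if f.kind == "line" and f.remote_station and f.kv >= 200]
    stations = {f.remote_station for f in lines}
    aggregate = sum(line_weight(f.kv) for f in lines)
    return (len(stations) >= 3 and aggregate > 3000), len(stations), aggregate


def classify(facilities: List[Facility]) -> Dict[str, str]:
    """Impact rating of the BES Cyber Systems associated with each Facility."""
    met_2_5, _, _ = criterion_2_5_status(facilities)
    ratings: Dict[str, str] = {}
    for f in facilities:
        if meets_criterion_2_4(f):
            ratings[f.name] = "Medium"   # 2.4 reaches the 500 kV Facility itself
        elif met_2_5 and 200 <= f.kv <= 499:
            ratings[f.name] = "Medium"   # 2.5 reaches only the 200-499 kV Facilities
        else:
            ratings[f.name] = "Low"      # e.g. a 138 kV line stays Low either way
    return ratings


# Constructed substation 1: one 500 kV line, three 345 kV lines, one 138 kV line.
SUB_ONE = [
    Facility("500kV line to Station A", 500, "line", "Station A"),
    Facility("500kV breaker CB-501", 500, "breaker"),
    Facility("345kV line to Station B", 345, "line", "Station B"),
    Facility("345kV line to Station C", 345, "line", "Station C"),
    Facility("345kV line to Station D", 345, "line", "Station D"),
    Facility("138kV line to Station E", 138, "line", "Station E"),
]

# Constructed substation 2: one 500 kV line plus two 230 kV lines; three stations
# are connected at >=200 kV but the aggregate weight is only 1400, so 2.5 fails.
SUB_TWO = [
    Facility("500kV line to Station A", 500, "line", "Station A"),
    Facility("230kV line to Station F", 230, "line", "Station F"),
    Facility("230kV line to Station G", 230, "line", "Station G"),
]

if __name__ == "__main__":
    for label, sub in (("Substation 1", SUB_ONE), ("Substation 2", SUB_TWO)):
        met, n, agg = criterion_2_5_status(sub)
        print(f"{label}: 2.5 met={met} (stations={n}, aggregate={agg})")
        for name, rating in classify(sub).items():
            print(f"  {rating:6s} {name}")
```

At Substation 1 the three 345kV lines give an aggregate of 3900 across four connected stations, so 2.5 is met and the 345kV Facilities go Medium alongside the 500kV ones, while the 138kV line stays Low. At Substation 2 only the 500kV Facilities are Medium; the two 230kV lines are Low because the aggregate never gets near 3000.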

During the period in 2014 and 2015 when NERC entities were trying to figure out how to identify and classify BES Cyber Systems, I pointed out a few times – including this post – that, for criteria 2.4 - 2.8, entities don’t have to classify all BCS at the asset in question at the Medium level. But I also talked to some entities about whether any of them were taking advantage of this. The universal answer was no (and I talked to a few very large entities, who would presumably have a lot of BCS that might be reclassified Low rather than Medium impact). The reasons included:

  1. It would be too confusing to require the substation technicians to treat some BCS differently than others at a single substation;
  2. Many, if not most, substations don’t have their networks segregated according to the voltage level of the lines or transformers controlled by the different systems on the network. It would be a lot more expensive and time-consuming to try to separate the networks than to leave them connected. Of course, what this means is that, even though some BCS at the substation might be Low impact, since they’re on the same network as Medium BCS they’ll end up being Medium Protected Cyber Assets anyway – and they’ll be subject to almost all the same requirements as Medium BCS; and
  3. Go away, you’re asking too many questions.

My guess is reason number 2 is probably the most important of these three reasons. But I would be interested in hearing from anybody who did actually take advantage of the “Facilities” language to treat some of their BCS at a “Medium impact substation” as Lows.

Lew’s fourth topic is also quite interesting. Someone asked “Is a list of low impact BES Cyber Systems required?” Of course, a lot of people in the NERC CIP community ask that question. Even though the CIP standards say in two places that such a list isn’t required, some of the regions have made noises suggesting otherwise, and all of the regions have made it clear they wouldn’t mind seeing such a list.

Lew’s answer is quite straightforward: No, it isn’t required, as long as you’re willing to have your physical and electronic access controls at the Low asset apply to every Cyber Asset located in the asset. But if you have, say, a firewall that only protects some of the Cyber Assets but not others (and those other assets are connected routably to the outside world), you will need to be able to show that all BCS have been protected by the firewall.

The last question that Lew addresses is “Does the approval of CIP-003-7 alter the required date for the first test of my Cyber Security Incident response plan for low impact BES Cyber Systems?” And here Lew made his mistake. His reply included “Section 4.5 requires a test of the plan every 36 months. Section 4’s effective date was April 1, 2017. Therefore the first test of your incident response plan for low impact BES Cyber Systems must be completed by April 1, 2020.”

However, an auditor from another region read Lew’s column and noted that the initial performance date for the Low impact CSIRP in CIP-003-6 was April 1, 2017; indeed, I had pointed this out in a post two weeks before that date. So Lew changed his response to say “No, the first test of your incident response plan was due on April 1, 2017. This is not changed by CIP-003-7.” If you want to verify this for yourself, go to the NERC spreadsheet that I linked in this recent post (which pointed out that the initial performance date for the initial test of a High impact CSIRP is 7/1/18. In other words, the Lows had to have their CSIRP tested 15 months before the Highs did! How’s that for fair treatment?).

The same auditor pointed out to me that my statement ".. the initial performance date for the initial test of a High impact CSIRP is 7/1/18." is wrong, since the High CSIRP date was 7/1/2017. I was thinking about the initial performance date for the high impact recovery plan test, which I'd written about in the recent post linked above and has an initial performance date of 7/1/18. Again, I stand corrected and thank the auditor for pointing this out.
So it turns out that both Lew and I screwed up here. I just hope the auditor doesn't give me a PNC for these mistakes! I can't afford to pay a $1 million fine.

So Lew screwed up. I suggest he be given a stay of execution for this offense, on the grounds that he has no previous record, he’s a nice guy, he’s a good family man, etc. But don’t let it happen again, Lew! :-)

Note from Tom 6/26: Lew asked me to point out that anyone who downloaded his article a week ago or more should re-download it, since he has corrected the problem noted.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss any of this, you can email me at the same address.          
