All opinions expressed herein are mine, not
necessarily those of Honeywell
International, Inc.
Honeywell
and EnergySec recently put on a very successful webinar on CIP Version 5; you
can view the recording here. My job in that webinar was to discuss
CIP-002-5: specifically, how an entity goes about identifying its assets in
scope for Version 5 (both the “big iron” aka facilities like control centers,
and the “little iron” aka cyber assets).
In putting
together my presentation, this wasn’t the first time I’d set out to describe
the V5 asset identification process. My
first time was after FERC’s NOPR in April, when I set out to write a series of
posts on how an entity actually complies with Version 5. I started with CIP-002-5 (of course), but as
I began to write my post,
I started to realize something pretty disturbing: There is no way an entity
could sit down with this standard and learn what it needs to do to comply with
CIP Version 5. A corollary to that
statement is that there is no way (as far as I can see) that an auditor could
strictly follow the standard to determine whether an entity was in compliance
with it.
This post
led to a series of three more in which I went into the problems in CIP-002-5 in
more depth. The fifth
post in this series (and I’d never planned it as a series, of course) was
comments that I submitted to FERC (as part of the NOPR comment period that
ended in June), in which I rewrote CIP-002-5 in a way that I believe makes it a
usable standard.[i]
As I started
working on my webinar presentation, I revisited my previous efforts to make
sense of the CIP-002-5 standard as written.
But I noticed something I hadn’t noticed before: the phrase “Facilities,
systems and equipment”, which plays a big role in the standard, should simply
never have been used at all. Either
because I just didn’t see this the first time around, or more likely because I
was already overwhelmed with the other problems in the standard and thought
this one was a little less pressing, I missed this in my previous posts (mainly
in this
post), as well as in the comments I submitted to FERC.
“Facilities,
systems and equipment” appears in Sections 4.1 and 4.2 of the standard. These sections, which are intended to be a
precursor to the actual requirements that follow, provide a guideline for a
NERC entity to decide whether it does have assets (“big iron”) that will fall
under CIP Version 5. Essentially, if an
entity has a NERC functional classification (BA, TOP, etc) that is listed in
Section 4.1, all of its owned “Facilities, systems and equipment” are in
scope.
Section 4.2
starts with this paragraph:
Facilities: For the purpose of
the requirements contained herein, the following Facilities, systems, and
equipment owned by each Responsible Entity in 4.1 above are those to which
these requirements are applicable. For requirements in this standard where a
specific type of Facilities, system, or equipment or subset of Facilities,
systems, and equipment are applicable, these are specified explicitly.
“Facilities”
is capitalized because it is a defined term in the NERC Glossary. Here is the definition:
A set of electrical equipment that operates as a single Bulk
Electric System Element (e.g., a line, a
generator, a shunt compensator, transformer, etc.)
Now that I
look at it more closely, I see two problems with Section 4.2:
- If taken literally, the phrase “Facilities, systems and equipment” requires the entity to evaluate every Facility (per the definition), every system, and every piece of equipment it owns for applicability in CIP Version 5. Leaving aside Facilities for the moment, it implies that the entity needs to list every computer system it owns (whether it’s an EMS balancing load and supply in an entire city or a system sitting on an account clerk’s desk, used for dealing with late bill payers), as well as every piece of equipment it owns (each truck, each pair of wire cutters, etc). You can imagine this would be a pretty long list in the case of Duke Energy.
- Now with regard to “Facilities”, look at the examples shown in the definition: “a generator, a shunt compensator, a transformer”. Again, following the literal wording of Section 4.2, the entity needs to develop a list of every generator (not a generating station, but presumably every unit in that station, as well as every backup diesel generator in the warehouse), every shunt compensator (I don’t know what that is, but I have a strong feeling that it should never be considered as an asset in CIP Version 5), and every transformer. And the auditor should ding them if they can’t prove they’ve done that.
Of course,
this is nonsense. It was never the
intent of the SDT for the entity to have to develop these lists. In fact, when the entity gets to Requirement 1, they see this:
Each Responsible
Entity shall implement a process that considers each of the following assets
for purposes of parts 1.1 through 1.3: [Violation Risk Factor: High][Time
Horizon: Operations Planning]
i. Control Centers and backup Control Centers;
ii. Transmission stations and substations;
iii. Generation resources;
iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.
Since parts
1.1 through 1.3 take the entity through Attachment 1, what the above is really
saying is this: “Forget all the stuff we said in Section 4.2 about Facilities,
systems and equipment. What we really
want you to do is consider each of these six types of assets[ii] in
Attachment 1.” Is your response the same
as mine: “Why did you make us go through
the effort of listing every Facility, system or piece of equipment we own in
Section 4.2, if we really only need to consider these six assets? Why didn’t you just tell us in 4.2 that these
six assets are everything that is in scope for CIP Version 5? Why even mention ‘Facilities, systems and
equipment’ in the first place?”[iii]
I don’t have
a good answer for this question, to be honest.
It seems to me the SDT had one meeting too few: before they developed
the final draft of V5, they should have called one final meeting just to try to
fix the problems in CIP-002-5 (not just this, but all the problems I’ve
previously discussed). The fact that
they didn’t do that has left the industry with a standard that nobody can
strictly follow and nobody can strictly audit.
There have been a lot of problems with interpreting and auditing CIP
Versions 1-3, but the standards themselves don’t lead to logical dead ends like
CIP-002-5 does. My hope is that FERC
will order NERC to rewrite CIP-002-5 to address these problems, along with the other
changes in Version 5 they are probably going to require.
This is why,
in the webinar, I recommended that NERC entities simply disregard the
“Facilities, systems and equipment” language in Section 4.2 and instead
substitute the six asset types in Section R1.
But if FERC doesn’t order any changes in CIP-002-5, let’s hope the
auditors don’t feel inclined to take the wording of Section 4.2 too seriously
when it comes time to audit this; let’s hope they have a good sense of humor and
consider “Facilities, systems and equipment” to be the SDT’s little joke. But this isn’t exactly how auditors are
supposed to think, is it?
In the rest
of this post, I’m going to rewrite my version of CIP-002-5 that I submitted to
FERC, to accommodate this change (there are other changes required as well, due
to the fact that Facilities reappears in Attachment 1).
My Original Version
This is what
I submitted to FERC as my replacement for CIP-002-5 (for the reasons why I used
this wording, see the series of posts):
(I
first provided the following definition of Asset, for insertion either in
Section 4.2 or in the V5 Definitions document:
An Asset is a Control
Center or a group of one or more Facilities at a single location.
(Then
I continued with the requirements themselves)
R1. Each Responsible Entity shall:
R1.1 Implement
a process that considers each of the following Assets or Facilities for
purposes of Requirement R2:
i. Control Centers and backup Control Centers;
ii. Transmission stations and substations;
iii. Generation resources;
iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.
R1.2 Develop a
list of its Assets or Facilities including each type listed in R1.1.
R2. Each Responsible Entity shall identify its High, Medium and Low impact BES Assets or
Facilities in parts 2.1 through 2.3:
2.1 Using the criteria in Attachment 1, Section
1, identify its High impact Assets or Facilities;
2.2 Using the criteria in Attachment 1, Section
2, identify its Medium impact Assets or Facilities;
2.3 After removing High and Medium impact Assets
or Facilities from the list of Assets or Facilities developed in R1.2, identify
the remaining Assets or Facilities as Low impact.
R3. The
Responsible Entity shall identify BES Cyber Assets associated with each High,
Medium and Low impact Asset or Facility.
Only BES Cyber Assets located at a High impact BES Asset shall be
considered to be associated with the High impact BES Asset. All BES Cyber Assets associated with an Asset
or Facility shall be classified with the impact level of that Asset or
Facility.
R4. The
Responsible Entity shall identify BES Cyber Systems from groupings of one or
more BES Cyber Assets.
R5. The Responsible Entity shall:
5.1 Review the identifications in Requirements R1-R4 and all their parts
(and update them if there are changes identified) at least once every 15
calendar months, even if it has no identified items in Requirement R1, and
5.2 Have its CIP Senior Manager or delegate approve
the identifications required by Requirements
R1-R4 and all their parts at least once every 15 calendar months, even if
it has no identified items in Requirement R1.
(I then
proposed this replacement for Attachment 1)
1. High Impact
Rating (H)
Assets or Facilities that meet one or more of
the following criteria are High impact:
(followed by
existing criteria 1.1 – 1.4)
2. Medium
Impact Rating (M)
Assets or Facilities that meet one or more of
the following criteria, and are not included in Section 1 above, are Medium
impact:
(followed by
existing criteria 2.1 – 2.13)
3. Low Impact
Rating (L)
Assets or Facilities meeting the
applicability qualification in Standard Section 4, which are not included in
Sections 1 or 2 above, are Low impact:
(followed by the
same list of types of assets as in CIP-002-5 Attachment 1 part 3)
My New Version
These are
the changes that need to be made in the above:
- The definition of Asset now isn’t needed. We are going to “define” asset as simply the six types of assets listed in R1.
- I will take “Facilities, systems and equipment” out of Section 4.2 and replace it with the list of six asset types (since “Facilities, systems and equipment” appears multiple times in 4.2, I have reproduced the whole section below and changed those references). This will allow me to remove that same list from R1.
- We will replace all of the “Assets or Facilities” with just “assets”. Again, since we’re no longer specifically defining the word, it isn’t capitalized. It just means the six types of thingamajigs now listed in Section 4.2.
- I’m kind of glossing over one problem in Attachment 1 that I discussed at length before: the fact that “Facilities” rears its head again in Criteria 2.3 – 2.8 in Attachment 1. As I pointed out then, I believe the main reason the SDT did this was to allow entities to separate out distribution from transmission elements at substations that have both. To be honest, I can’t see any real purpose in trying to figure out a way to word these six criteria that doesn’t include “Facilities” – so I’m not going to suggest any changes in these criteria (or any of the other criteria, for that matter). The SDT did do a good job of describing their intent to let the entities “slice and dice” their substations in the Guidance and Technical Basis of the standard. Hopefully, the auditors will consider that enough authorization for this practice.
Here is my
new version:
4.2. Facilities:
For the purpose of the requirements contained herein, the
following assets are those to which these requirements are applicable. For
requirements in this standard where a specific type of asset or subset of assets
is applicable, these are specified explicitly.
i. Control Centers and backup Control Centers;
ii. Transmission stations and substations;
iii. Generation resources;
iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 below.
4.2.1. Distribution Provider: One or more
of the following assets owned by the Distribution Provider for the protection
or restoration of the BES:
4.2.1.1. Each UFLS or UVLS System that:
4.2.1.1.1. is part of a Load shedding program
that is subject to one or more requirements in a NERC or Regional Reliability
Standard; and
4.2.1.1.2. performs automatic Load shedding
under a common control system owned by the Responsible Entity, without human
operator initiation, of 300 MW or more.
4.2.1.2. Each Special Protection System or
Remedial Action Scheme where the Special Protection System or Remedial Action
Scheme is subject to one or more requirements in a NERC or Regional Reliability
Standard.
4.2.1.3. Each Protection System (excluding
UFLS and UVLS) that applies to Transmission where the Protection System is
subject to one or more requirements in a NERC or Regional Reliability Standard.
4.2.1.4. Each Cranking Path and group of
Elements meeting the initial switching requirements from a Blackstart Resource
up to and including the first interconnection point of the starting station service
of the next generation unit(s) to be started.
4.2.2. Responsible Entities listed in 4.1 other than
Distribution Providers:
All
BES assets.
4.2.3. Exemptions: The following are exempt from
Standard CIP-002-5:
4.2.3.1. Cyber Assets at assets regulated by
the Canadian Nuclear Safety Commission.
4.2.3.2. Cyber Assets associated with
communication networks and data communication links between discrete Electronic
Security Perimeters.
4.2.3.3. The systems, structures, and
components that are regulated by the Nuclear Regulatory Commission under a
cyber security plan pursuant to 10 C.F.R. Section 73.54.
4.2.3.4. For Distribution Providers, the
systems and equipment that are not included in section 4.2.1 above.
(Now
I skip down to R1)
R1. Each Responsible Entity shall:
R1.1 Implement
a process that considers each of the assets from Section 4.2 for purposes of
Requirement R2.
R1.2 Develop a
list of its assets including each type listed in Section 4.2.
R2. Each Responsible Entity shall identify its High, Medium and Low impact BES assets in
parts 2.1 through 2.3:
2.1 Using the criteria in Attachment 1, Section
1, identify its High impact assets;
2.2 Using the criteria in Attachment 1, Section
2, identify its Medium impact assets;
2.3 After removing High and Medium impact assets
from the list of assets developed in R1.2, identify the remaining assets as Low
impact.
R3. The
Responsible Entity shall identify BES Cyber Assets associated with each High,
Medium and Low impact asset. Only BES
Cyber Assets physically located at a High impact BES Asset shall be considered
to be associated with the High impact BES Asset.[iv] All BES Cyber Assets associated with an asset
shall be classified with the impact level of that asset.[v]
R4. The
Responsible Entity shall identify BES Cyber Systems from groupings of one or
more BES Cyber Assets.
R5. The Responsible Entity shall:
5.1 Review the identifications in Requirements R1-R4 and all their parts
(and update them if there are changes identified) at least once every 15
calendar months, even if it has no identified items in Requirement R1, and
5.2 Have its CIP Senior Manager or delegate approve
the identifications required by Requirements
R1-R4 and all their parts at least once every 15 calendar months, even if
it has no identified items in Requirement R1.
(I
now propose this replacement for Attachment 1)
1. High
Impact Rating (H)
Assets that meet one or more of the following
criteria are High impact:
(followed by
existing criteria 1.1 – 1.4)
2. Medium
Impact Rating (M)
Assets that meet one or more of the following
criteria, and are not included in Section 1 above, are Medium impact:
(followed by
existing criteria 2.1 – 2.13)
3. Low Impact
Rating (L)
Assets meeting the applicability
qualification in Standard Section 4, which are not included in Sections 1 or 2
above, are Low impact:
(followed by the
same list of types of assets as in CIP-002-5 Attachment 1 part 3)
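To make the flow of the rewritten R1 through R5 concrete, here is an added Python model of the identification steps: build the asset list from the six Section 4.2 types (R1.2), rate High, then Medium, then everything left as Low (R2), let each BES Cyber Asset take the level of its asset with the physical-location rule for High assets (R3), group into BES Cyber Systems (R4), and compute the 15-calendar-month review date (R5). This is my illustration, not text or code from the standard, NERC or the SDT. The criteria functions are constructed stand-ins for Attachment 1 (the real criteria 1.1 – 1.4 and 2.1 – 2.13 are not reproduced here), the asset names and cyber assets are made up, and two points are modelling assumptions that the standard does not settle: a cyber asset that supports a High asset but sits elsewhere is rated by the asset where it physically sits, and a BES Cyber System takes the highest level of its members.

```python
"""Model of the rewritten CIP-002-5 identification flow (added illustration).
R1.2 asset list -> R2 H/M/L -> R3 cyber asset inheritance -> R4 systems -> R5 review.
Criteria below are constructed stand-ins, not the text of Attachment 1."""
import calendar
from dataclasses import dataclass, field
from datetime import date

# The six asset types listed in Section 4.2 of the rewritten standard.
ASSET_TYPES = {
    "control_center", "transmission_station", "generation_resource",
    "restoration_facility", "special_protection_system", "dp_protection_system",
}
LEVELS = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class Asset:
    name: str
    asset_type: str
    attrs: dict = field(default_factory=dict)  # facts the criteria look at


@dataclass(frozen=True)
class CyberAsset:
    name: str
    associated_asset: str  # the asset it supports
    located_at: str        # the asset where it physically sits
    system: str            # BES Cyber System it is grouped into (R4)


# Constructed stand-in criteria (placeholders for Attachment 1, not its wording).
HIGH_CRITERIA = [
    lambda a: a.asset_type == "control_center" and a.attrs.get("primary_cc", False),
]
MEDIUM_CRITERIA = [
    lambda a: a.asset_type == "generation_resource" and a.attrs.get("net_mw", 0) >= 1500,
    lambda a: a.asset_type == "control_center",  # any control center not already High
]


def r1_asset_list(assets):
    """R1.2: the list may only contain the six Section 4.2 asset types."""
    unknown = [a.name for a in assets if a.asset_type not in ASSET_TYPES]
    if unknown:
        raise ValueError(f"not a Section 4.2 asset type: {unknown}")
    return list(assets)


def r2_classify(assets):
    """R2: test High first (2.1), then Medium (2.2); whatever remains is Low (2.3)."""
    impact = {}
    for a in assets:
        if any(c(a) for c in HIGH_CRITERIA):
            impact[a.name] = "High"
        elif any(c(a) for c in MEDIUM_CRITERIA):
            impact[a.name] = "Medium"
        else:
            impact[a.name] = "Low"
    return impact


def r3_cyber_asset_impact(cyber_assets, impact):
    """R3: a BES Cyber Asset takes the level of its asset. It counts as associated
    with a High asset only if physically located there; otherwise (assumption)
    it is rated by the asset where it sits."""
    result = {}
    for ca in cyber_assets:
        target = ca.associated_asset
        if impact[target] == "High" and ca.located_at != target:
            target = ca.located_at
        result[ca.name] = impact[target]
    return result


def r4_systems(cyber_assets, ca_impact):
    """R4: group cyber assets into systems; system level = highest member (assumption)."""
    systems = {}
    for ca in cyber_assets:
        members, level = systems.get(ca.system, ([], "Low"))
        members.append(ca.name)
        if LEVELS[ca_impact[ca.name]] > LEVELS[level]:
            level = ca_impact[ca.name]
        systems[ca.system] = (members, level)
    return systems


def r5_next_review(approved_on):
    """R5: next review/approval is due 15 calendar months after this one."""
    months = approved_on.month - 1 + 15
    year, month = approved_on.year + months // 12, months % 12 + 1
    day = min(approved_on.day, calendar.monthrange(year, month)[1])  # clamp e.g. Jan 31
    return date(year, month, day)


# Constructed sample inventory (not real facilities).
SAMPLE_ASSETS = [
    Asset("Main CC", "control_center", {"primary_cc": True}),
    Asset("Big Plant", "generation_resource", {"net_mw": 1600}),
    Asset("Peaker", "generation_resource", {"net_mw": 200}),
    Asset("Sub 12", "transmission_station"),
]
SAMPLE_CYBER_ASSETS = [
    CyberAsset("ems-app-1", "Main CC", "Main CC", "EMS"),
    CyberAsset("ems-db-1", "Main CC", "Main CC", "EMS"),
    CyberAsset("rtu-sub12", "Main CC", "Sub 12", "Sub 12 RTU"),  # feeds the CC, sits at the substation
    CyberAsset("dcs-unit1", "Big Plant", "Big Plant", "Unit 1 DCS"),
]


def run_example():
    assets = r1_asset_list(SAMPLE_ASSETS)
    impact = r2_classify(assets)
    ca_impact = r3_cyber_asset_impact(SAMPLE_CYBER_ASSETS, impact)
    return impact, ca_impact, r4_systems(SAMPLE_CYBER_ASSETS, ca_impact), r5_next_review(date(2014, 1, 31))
```

Running `run_example()` rates Main CC High, Big Plant Medium and the rest Low; the two EMS boxes come out High, the plant DCS Medium, and the RTU that reports to the control center but sits at Sub 12 comes out Low because it fails the physical-location test in R3. The review date clamps January 31 to April 30 of the following year, the kind of calendar edge an entity's compliance tracker has to get right.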
This is the
CIP-002-5 I wish I’d submitted to FERC in June, not the other one. I don’t believe I can amend my official
comments, so I’m not sure how I’ll get this to the attention of the
Commissioners. Maybe I’ll sneak in and post
it in their bathroom (of course, that doesn’t reach the one female Commissioner. Maybe I’ll wrap this post around a rock and
throw it through her window). Or maybe
they’ll read the post.
[i]
Note that, in all of this, I’m not contesting what I believe to be the
intention of the Standards Drafting Team in writing CIP-002-5. I’m just saying those intentions were poorly
translated into words. I have tried to
do that translation myself.
[ii]
Of course, the fact that R1 refers to assets (a term that is undefined in both
the NERC Glossary and the V5 Definitions) is a problem in itself. What the h___ happened to Facilities? This becomes more of a problem when Facilities
suddenly reappears in some of the criteria in Attachment 1. I deal with that later in this post.
[iii]
Note that, even though CIP does ultimately deal with systems (BES Cyber
Systems, to be exact), listing them as in scope in Section 4.2 isn’t
needed. 4.2 is where you find out what
“big iron” (aka assets) is in scope. Once
you’ve run all of those assets through Attachment 1, you then identify the BES
Cyber Systems associated with those assets.
You don’t even think about systems before then.
As always when I get into these religious questions, I
need to point out that many knowledgeable people (including SDT members) don’t
agree with me on this. They seem to
think there is some independent evaluation of a cyber asset’s H/M/L impact
level on the grid – different from the evaluation of the asset’s (big iron)
impact. On the other hand, I have never
heard a clear explanation of how this will happen, although I can certainly see
why the wording of CIP-002-5 leads these people to believe that. This is why I rewrote the standard – to
eliminate this type of confusion.
[iv]
In case you’re wondering why this sentence is in here, I refer you to this
post. If you go to right before the
Summary at the end, you’ll see a section that was added June 22. This is where I explain why I put that
sentence in. It has to do with the fact
that the SDT (rightfully) wanted only cyber assets physically located at
control centers to be BES Cyber Assets, while for other assets like generation
that isn’t the case.
[v]
I admit I still have a lot of problems with this sentence. It’s in there because this is another of
those religious issues I discussed in a previous footnote. Going hand-in-hand with the idea that there
is an independent H/M/L impact analysis of each cyber asset is the idea that
you can have differing impact levels of cyber assets at each asset – e.g. a
control center could have High, Medium and Low impact assets. I admit there are at least a couple cases
where this is likely. One is at a 1500MW
generating station where some of the cyber systems don’t themselves affect
1500MW of capacity. Another is when an
entity creates separate networks at a High or Medium impact asset, with some
networks containing BES Cyber Systems and others not containing any. I think all the cyber assets on the former
would be High or Medium (in line with the asset itself), and all of the cyber
assets on the latter would be Lows. This
is one of many reasons I strongly recommend a V5 asset identification guidance
document be written (in fact, I think I must have said that about ten times in
the webinar). To get back to the
sentence in question, it would be nice if it were modified to allow for these
two exceptions (and there may be others as well), but this may be too awkward
and it might have to go. But I do want
some sentence in CIP-002-5, or at least the Guidance, stating clearly that, in general, all cyber assets take the
value of the asset (big iron) they’re associated with.