Nov. 8: It is very likely FERC will approve CIP Version 5 before Thanksgiving, most likely at their meeting on Nov. 21. Of course, what will be important is the Order they issue with V5. When that is issued, your reporter will sequester himself until he has figured out what it means, and will post that as soon as possible thereafter.
This is the second post in the series of three or four I am writing about ambiguities in CIP-002-5, and the different interpretations I've encountered that try to address these ambiguities.[i] The last one had to do with how an entity identifies its BES Cyber Assets / Systems. This one addresses a question I've debated with several other people who don’t have anything better to do than discuss CIP Version 5: Will all the cyber assets associated with a particular Facility take the ranking of that Facility, or can there be multiple levels of cyber assets (H/M/L) at the same Facility?
This is the second post in the series of three or four I am writing about ambiguities in CIP-002-5, and the different interpretations I've encountered that try to address these ambiguities.[i] The last one had to do with how an entity identifies its BES Cyber Assets / Systems. This one addresses a question I've debated with several other people who don’t have anything better to do than discuss CIP Version 5: Will all the cyber assets associated with a particular Facility take the ranking of that Facility, or can there be multiple levels of cyber assets (H/M/L) at the same Facility?
But in the
course of these debates – and especially a discussion with a veteran NERC
compliance manager in the Generation arm of a large IOU – I have come to
realize there are really two questions here:
- Can there be more than one level of BES Cyber Systems at a particular Facility?
- Can there be multiple levels of cyber assets at a particular Facility?
And let’s
clarify something now: These questions can only apply to Medium or High impact
Facilities. At a Low impact Facility,
there can’t be any question of having multiple levels of cyber assets.[ii]
Question 1: BES Cyber Systems
To address
the first question, I’ll say at the outset that I believe there can only be one
kind of BES Cyber System at a particular Facility. I’ll admit that nowhere in CIP-002-5 is there
any mention of whether or not this is a correct statement. This is why I’m dealing with this issue as a
religious one: absent the standard being rewritten or binding guidance being
provided at some point by NERC, this is a question everyone will have to
address to their own satisfaction.[iii]
Why would someone
get the idea that there could be multiple levels of BES Cyber Systems at[iv] a
single Facility? That’s simple: because
CIP-002-5 has many cases of sloppy wording.
It’s very easy to miss what the standard means by getting too hung up on what it says.[v]
Exhibit A is
the example my generation compliance friend brought up to me: Criterion 2.1 of
Attachment 1 of CIP-002-5 reads (with its preamble sentence):
(the entity needs to identify) Each BES
Cyber System, not included in Section 1 above, associated with any of the
following:
2.1. Commissioned generation, by each group of generating
units at a single plant location, with an aggregate highest rated net Real
Power capability of the preceding 12 calendar months equal to or exceeding 1500
MW in a single Interconnection. For each group of generating units, the only
BES Cyber Systems that meet this criterion are those shared BES Cyber Systems
that could, within 15 minutes, adversely impact the reliable operation of any
combination of units that in aggregate equal or exceed 1500 MW in a single
Interconnection.
The preamble
sentence clearly states that the purpose of this criterion is to classify BES
Cyber Systems, and the second sentence of the criterion says “the only BES
Cyber Systems that meet this criterion are…”
Thus, there must be the possibility of more than one level of BES Cyber
System at the plant, right? Otherwise,
how could this sentence be distinguishing between different types of BES Cyber
Systems?
Again, the
problem is you’re looking at the words that are written, not what was
intended. As I've explained in previous
posts such as this
one (especially the last section), it is simply dishonest for Attachment 1 to
say it’s for classification of BES Cyber Systems. Attachment 1 is really for classifying the Facilities (or “assets”, since the two
terms are used almost interchangeably in CIP-002-5) at which BES Cyber Systems
are located.[vi] And if you look at criterion 2.1 that way
(i.e. as really just classifying a Facility, not BES Cyber Systems at a
Facility), I think you’ll agree it doesn't lead to the idea that there could be
multiple BCS levels at one Facility (note, all of this discussion could apply as well to Criterion 2.2, which is essentially the same language applied to reactive resources - and I want to thank my Generation friend for pointing that out).
Are there
other examples of language in CIP-002-5 that would lead one to conclude there
could be multiple levels of BES Cyber Systems at a particular Facility? I don’t think so. Some people might point to the fact that
entities are allowed to “slice and dice” a substation that has both
Transmission and Distribution elements, so that only the Transmission elements
are subject to CIP Version 5. If the
Transmission elements were a Medium impact Facility, would the Distribution
elements be a Low? Certainly not, since
the Distribution elements wouldn't be part of the Facility at all, and thus
wouldn't even be in scope for CIP V5 (this assumes they aren't networked with
the Medium elements, but if they were, the substation couldn't be “sliced and
diced” in the first place. This
operation assumes that the two types of elements are on separate networks).
My Generation friend also pointed out that Criterion 2.3 might lead to multiple levels of BCS at a Facility. This could happen in the case where the Planning Coordinator or Transmission Planner notified the owner of a large generating station that one or more units in the station - but not the whole station - were what's known as "Reliability Must Run". In this case, the systems that control or impact those unit(s) are Mediums, while those that control the other units are Lows (although my friend believes the latter could be out of scope altogether for CIP V5 unless they are actually Low BES Cyber Systems. I actually think such an animal - a Low BCS - doesn't exist, but even if it did it wouldn't make a difference in practice at all. I hope to do a follow-on post based on the emails we've been exchanging on this and other questions related to this post).
My Generation friend also pointed out that Criterion 2.3 might lead to multiple levels of BCS at a Facility. This could happen in the case where the Planning Coordinator or Transmission Planner notified the owner of a large generating station that one or more units in the station - but not the whole station - were what's known as "Reliability Must Run". In this case, the systems that control or impact those unit(s) are Mediums, while those that control the other units are Lows (although my friend believes the latter could be out of scope altogether for CIP V5 unless they are actually Low BES Cyber Systems. I actually think such an animal - a Low BCS - doesn't exist, but even if it did it wouldn't make a difference in practice at all. I hope to do a follow-on post based on the emails we've been exchanging on this and other questions related to this post).
Not hearing
any dissent,[vii]
I will now go to the second question:
“Can there be multiple levels of cyber assets at a particular Facility?”
Question 2: Cyber Assets
To answer
the second question up front, I do believe there can be multiple levels of
cyber assets at a High or Medium impact Facility. Let’s be clear about the difference between
this and the first question: The first question dealt with BES Cyber Systems and
implicitly with their components, BES Cyber Assets; you identify BES Cyber
Assets by looking at the total population of cyber assets at a Facility and
deciding which of those meet the definition of BCA.[viii] What we’re talking about in this question is the
cyber assets that weren't identified
as BCA’s.
These
“leftover” cyber assets can be further classified by whether or not they’re
networked with a BES Cyber System. If
they are so networked, then they are Protected Cyber Assets under CIP Version
5; any requirements in CIP-003-5 through CIP-011-1 that apply to PCA’s will
apply to these cyber assets. But what
about the cyber assets that aren't networked with BES Cyber Systems but are
still at the Medium or High impact Facility in question?
Let’s
consider what we would have done with these cyber assets in CIP Versions
1-3. Those of you who had to comply with
one or all of those versions hopefully followed an important practice: you
needed to segregate your Critical Cyber Assets (the V1-3 equivalent of BES
Cyber Systems) onto separate networks.
This would keep them from being so-called “non-critical cyber assets
within the ESP” (the V1-3 equivalent of Protected Cyber Assets in V5). In fact, they would be completely out of
scope for V1-3; they might as well not exist at all.
Do you think
you can do the same thing in Version 5?
That is, once you've identified your BES Cyber Assets / Systems, can you
segregate as many cyber assets as possible on separate networks and then not
have to worry about them anymore? Once
again, the language of CIP-002-5 isn't clear on this subject, but it seems to
me (and to many others. This is one area
in which I do agree with most of the
people I've discussed this with) that these cyber assets don’t just fade from
view, as they do in V1-3. I and the
others believe they need to be treated as Lows.[ix]
As before, I
can’t point to any particular language in CIP-002-5 to support this position (although
it should be there, in a perfect world).
But I will go back to the example of the large generating station in
Criterion 2.1 of Attachment 1.
Essentially, the wording in that criterion separates the one plant into
two: one plant with BES Cyber Systems that affect more than 1500MW of
generation, and the other with systems that don’t affect more than 1500MW. The former systems are clearly Medium impact,
but what of the latter? If they were
completely out of scope for Version 5 (not Lows), then this second “plant”
would be treated completely differently from any other plant on the BES. All BES Facilities will be at least Low
impact in Version 5, and by saying this second “plant” wasn't even a Low, you
would be saying it wasn't even a BES Facility.
That would really be stretching the standard. So I think the cyber assets that don’t affect
1500MW at a Criterion 2.1 plant are Low impact.
And if these
cyber assets (i.e. the non-1500MW assets at a plant subject to criterion 2.1) are
Lows, I think you can make a pretty good analogy to cyber assets at other
Medium or High impact BES Facilities that aren't networked with BES Cyber
Systems. They aren't Medium or High
impact, but they also aren't completely out of scope; so they must be Lows as
well.[x]
My Generation friend also pointed out that Criterion 2.3 might lead to multiple levels of BCS at a Facility. This could happen in the case where the Planning Coordinator or Transmission Planner notified the owner of a large generating station that one or more units in the station - but not the whole station - were what's known as "Reliability Must Run". In this case, the systems that control or impact those unit(s) are Mediums, while those that control the other units are Lows (although I believe my friend says the latter are out of scope altogether for CIP V5; I don't believe that myself, as is hopefully clear by now. Of course, we are talking about religious discussions here!).
It seems, Dear Reader, that we've reached the end of this post. To summarize, I think there can’t be multiple levels of BES Cyber Systems at a single Facility. But I do think there can be multiple levels of cyber assets at a Facility. Of course, the only way I can say this is by ignoring some of the wording of CIP-002-5 that I contend doesn't reflect the intentions of the drafting team. But before you condemn me for that, consider this: I don't think it is possible to make any consistent interpretation of CIP-002-5 without ignoring at least some of the language. Not a great situation, but it's what we've got.
All opinions expressed herein are mine, not
necessarily those of Honeywell
International, Inc.
[i]
I’m calling this Part II, but there was really a follow-on to the first post that
could have been called “Part
IA”.
[ii]
I’m sure someone will pipe up, “Hey, what about cyber assets that control one
facility but are physically located at another one? Like AGC, where a component is often located
at a control center?” I would agree this
would be a valid question if we were dealing with CIP Version 3. In that version, a cyber asset can be a CCA
as long as it’s “essential to the operation of” a Critical Asset; it doesn’t
have to be physically located at the Critical Asset.
However, the Version 5 SDT has – I believe accidentally
– taken care of that problem for us. For
example, requirement part 1.1 reads “Identify each of the high impact BES Cyber
Systems according to Attachment 1, Section 1, if any, at each asset” (italics are mine).
It seems there is no longer a possibility of a BES Cyber System (the
functional equivalent of a CCA) being located anywhere but at the BES Facility it’s associated with. I really think the SDT meant for Version 5 to
be like Versions 1-4 in this regard – namely, that all cyber assets associated with a Facility should be considered
as BES Cyber Assets for that Facility. And
they actually say this in Attachment 1, where entities are required to identify
BES Cyber Systems “associated with” each of the different criteria. However, I think language found in
Requirement Parts 1.1 and 1.2, which call out Attachment 1, would take
precedence over language in Attachment 1 itself. And those two requirement parts clearly say
“at” not “associated with”. Of course,
this is yet another ambiguity in CIP-002-5 that would best be cleaned up by
rewriting the standard. I’d like to
think FERC will order that to happen, but I don’t know whether they will.
[iii]
When I rewrote CIP-002-5 for my comments to FERC in June, I explicitly included
the statement “All BES Cyber Assets associated with an Asset/Facility shall
take the impact level of that Asset/Facility.”
You can find a discussion of this point (if you look hard enough) in this
post.
[iv]
As I mentioned in end note ii, I don’t believe the SDT really wanted to limit
BES Cyber Systems to those that are physically located at a Facility; I believe
they wanted to include remotely-located systems that can control (or otherwise
have an impact on) that Facility. If
this is the case, then there could be multiple levels of BCS located “at” a
Facility, since an AGC system that controlled a Medium impact generating
station could theoretically be located at a Low impact station. However, if CIP-002-5 is corrected (or
perhaps interpreted) to consistently say “associated with”, then the question I
asked at the beginning of this post becomes, “Can there be multiple levels of
cyber assets associated with a single
BES Facility?” The answer to that
question will be the same as the answer to the equivalent question (with “at”)
at the beginning of this post. Given
that CIP-002-5 currently reads “at” not “associated with”, we have to work with
that wording at the moment.
[v]
Of course, I’m engaging in gallows humor here (the fact that I’m writing this
on Halloween may have something to do with that). Asking people to follow the intent of the
standard rather than the wording isn’t exactly the textbook approach to
compliance enforcement. Of course, this
is just one of the very serious problems I see in CIP-002-5. I frankly don’t think the standard, as
currently written, would ever hold up in a court of law were an entity to
challenge a large fine. And if CIP-002-5
gets invalidated, the other V5 standards become invalid as well. Comforting thought, isn’t it?
[vi]
For proof of this, see requirement parts 1.1 and 1.2 of CIP-002-5 2 (1.1 reads “Identify
each of the high impact BES Cyber Systems according to Attachment 1, Section 1,
if any, at each asset”). I interpret these
to mean (and I’ll admit that some might disagree with this interpretation) that
Attachment 1 is being called out so the entity can use it to classify assets,
not BES Cyber Systems.
[vii]
This reminds me of a great cartoon I once saw.
It shows a dictator standing at a lectern, surrounded by menacing storm
troopers glaring out at the crowd and Nazi-like flags. He is saying, “...and I think I can state
without fear of contradiction….”
[viii]
Of course, there are some knowledgeable people who believe there is a different
way to identify BES Cyber Assets. I have
discussed that difference of opinion in the first
post in this series.
[ix]
However, I’m not saying they should be treated as “Low impact BES Cyber
Systems”. I think that phrase is a contradiction
in terms, like “English cuisine” or “business ethics”. Now, I know that CIP-002-5 and CIP-003-5 both
refer to “Low impact BES Cyber Systems”. However, both say that no inventory of Low
impact cyber assets is required; this means the entity is never required to identify
these phantom Low impact BCS. So this is
a purely theoretical construct, and is explicitly removed from being applicable
to compliance with CIP Version 5. There
are no requirements in CIP Version 5 that apply to Low impact BES Cyber Systems,
only to the Low impact Facility as a whole.
Of course, FERC made noise about changing this in their NOPR in April,
but I don’t think they will actually do that when they approve Version 5.
[x]
I’ll be the first to admit that this “proof” isn’t exactly up to the highest
mathematical standards. But, given the
many ambiguities in CIP-002-5 as currently worded, it’s the best I can do.