A recent post
described – at a very high level – my “methodology”[i] for
complying with CIP-002-5.1 R1 (which I usually refer to simply as “R1”). When I wrote that post, I didn’t think there
would need to be many changes to the methodology. However, I have already made one
change in the methodology and now have two more to make – one substantial, one
less so.
Besides
describing these changes in this post, I will make them in the original post as
well (as I did for the first change). In
fact, since I know there will be more changes in the future, I will do this
from now on: put out a post describing the change, then edit the original post
so it reflects it. This makes the
original post a “living” document that will hopefully always describe my most
recent thinking on R1 methodology.
I. BCS Identification
If you
haven’t read the original post (but if so, why are you reading this one?), I’ll
point out that my “methodology” is heavily laden with a series of decisions the
entity must make in order to comply with R1.
Perhaps the most important of those decisions is exactly how BES Cyber
Systems will be identified in the first place (i.e. before they’re classified
High, Medium or Low impact).
In that post
as well as a previous
one, I described two primary methods for identifying BCS: “top-down” and
“bottom-up”. My post stated that the
best practice is to combine the two methods, since I believed that, in all
cases, some BCS could be missed if only one of the two methods were used. However, since that post I have heard from
two different sources - one a CIP auditor - that the top-down approach doesn’t
really buy much in substations, although it does in control centers and
generating stations.
The
reasoning for this makes a lot of sense: in control centers and generating
stations, there are certain well-understood functions that are performed by the
asset as a whole; these functions each have systems associated with them. For example, BA control centers almost always
have systems including production SCADA/EMS, Outage Management System, ICCP,
Historical Data Retention, Operations Engineering Support System, etc. Generating stations have a digital control
system, soot blow down system, control air management system, etc.[ii]
The entity
only needs to confirm that the loss, misoperation, etc. of any of these systems
has a BES impact within 15 minutes; if it does, the system is a BCS. So for these two asset types, starting with
the top-down approach is best. Of
course, the entity still needs to perform the bottom-up analysis, in which it
considers each of the Cyber Assets at or associated with the asset[iii] - that
haven’t already been identified as components of BES Cyber Systems through the
top-down analysis - to determine whether or not they meet the definition of BES
Cyber Asset, including having a 15-minute impact on the BES. Every BCA so identified should then be
included in a BES Cyber System.[iv]
Substations
are different. Substations don’t
inherently perform particular functions – they can be all over the map, and can
include some mix of Transmission (in scope for CIP) and Distribution (not in
scope) functions[v]. There is no inherent set of functions that
most or all substations perform. You
really have to look at each individual Cyber Asset and consider whether it has
a 15-minute impact on the BES, then perform the rest of the bottom-up
analysis. But the top-down analysis
isn’t likely to identify BCS that aren’t identified in the bottom-up approach,
and therefore doing both analyses doesn’t buy you anything.
However, you
may say, “What about the BES Reliability Operating Services (BROS), which are
an integral part of the top-down approach?
Do we just forget about them for substations?” No. Just
because the entity doesn’t use the top-down approach for substations doesn’t
mean the BROS don’t come into play in the BCS identification process. Since the heart of the BES Cyber Asset
definition is that the loss of the Cyber Asset would “adversely impact” the BES
within 15 minutes, a good way to identify BCAs is to consider whether a Cyber
Asset has a 15-minute impact on one or more BROS. If so, the Cyber Asset is most likely a BCA.[vi]
So I will
revise my R1 methodology post to reflect what I’ve just said. However, I’ve just identified another post
that needs to be modified. This is a post
I wrote on the meaning of “affect the BES” in the BCA definition. In that post, I stated that there was no
point, when doing the bottom-up analysis, to consider the BROS. I said this because I was assuming that all
entities would start their BCS identification with the top-down analysis, so they
would have already identified all Cyber Assets that fulfilled a BROS - they are components of BCS. Since I’m now saying the top-down
approach doesn’t help for substations, this means the BROS should be considered
(again, not exclusively), as substation owners/operators identify their BCAs
through the bottom-up analysis. I will
modify this other post as well.
II. “Transmission Facilities”
In my R1
methodology post (item 3 under Task 2), I indicated that one of the definitions
each entity needs to develop is one for “Transmission Facilities”. This term is used in several of the Medium
impact criteria, yet even though both “Transmission” and “Facility” are
NERC-defined terms, I had heard that trying to combine these two definitions
didn’t yield anything very helpful. And I heard this was causing problems for
Transmission entities as they tried to sort out Transmission from Distribution
cyber assets in their substations. In
addition, I heard the new BES definition (which essentially defines
Transmission) wasn’t too helpful in sorting things out. I had discussed this issue in a previous post.
However, I
have since heard from a couple knowledgeable persons that it really isn’t all
that hard to separate Transmission from Distribution cyber assets (and
Facilities) in substations, using the new BES definition. Since I haven’t heard any further comments to
the contrary, I am officially declaring this a non-issue (leaving only 4,368 known
issues with R1 and Attachment 1, by my latest count), and will remove it from
the R1 methodology post.
The views and opinions expressed here are my
own and don’t necessarily represent the views or opinions of Honeywell.
[i]
I use quotes here because, as explained in the original post, it is impossible
to write down – in a document with fewer words than the Bible – a single
methodology for complying with R1; there are far too many branches and options
required. But this doesn’t mean NERC
entities, with High or Medium impact assets under CIP v5, don’t have to follow
any particular methodology when they comply with R1. They have to follow some methodology, and it has to be documented. My post should be seen as more or less a
“template” for developing the methodology, although a large part of the
contents – various definitions and interpretations – need to be determined and
inserted by the entity; there is no way they can be dictated in advance, given
the ambiguities and contradictions in the wording of R1 and Attachment 1.
[ii]
All of these examples of systems were suggested by the auditor.
[iii]
If the asset is a High impact Control Center, the applicable wording is “used
by and located at”. If it is a Medium
impact Control Center or a Medium impact generating station, the wording is
“associated with”.
[iv]
The exception to this rule is for large plants (usually coal) that are in scope
with v5 because of criterion 2.1. In
these, it is usually impossible to apply the true “bottom-up” approach, because
of the huge number of devices (sometimes in the tens of thousands) that may
meet the definition of Cyber Asset.
Since my post on R1 methodology in theory just applied to substations
(although I think it also works for generating plants that don’t meet 2.1), I still
haven’t addressed the “2.1 plant” methodology.
I hope to in a future post.
[v]
It occurred to me that this is why CIP Versions 1-3 fit so badly in substations. A Critical Cyber Asset was defined as a Cyber
Asset “essential to the operation” of a Critical Asset. Since, strictly speaking, a substation
considered as a whole doesn’t perform any particular operations, there really
aren’t any Cyber Assets that meet that definition. Version 5 tried to address this issue by
writing all the criteria that apply to substations (2.4 – 2.8) with the word
“Facilities” in the subject – meaning the lines, transformers, busses, etc.
that are located at the Transmission substation. These
are what becomes Medium impact, not the substation itself. Of course, many Transmission entities and
even Regional Entities seem to be interpreting the word Facilities to mean the
substation itself, even though that is almost certainly not what was intended
(although as I said in my methodology post, there’s nothing wrong with doing
this – as long as you accept that you’ll probably identify more Medium BCS than
if you used the pure “Facilities” approach).
I have discussed this issue in several posts, including this
one.
[vi]
Of course, the converse isn’t true: If the Cyber Asset doesn’t have a 15-minute
impact on a BROS, it doesn’t mean it isn’t a BCA, since its impact could be in
another area than reliability. For
example, the fire suppression system in a substation doesn’t fulfill any
particular BROS, but were it to fail to operate when needed (in the event of a
fire), its failure to operate would presumably have a 15-minute impact (e.g.
one or more lines might be tripped because their associated relays burned up).