Note on April 18, 2016: I put a reference to this post in a post I put up yesterday, so I expect at least a few people will read this. I admit that I would write this more concisely if I had time to do it over, but the points are all still valid. I do want to emphasize that, were I employed by a NERC entity, I would be the first to sign up for my SGAS - I'm not in any way blaming the entities for this misguided policy. And I would support the SGAS if the results were somehow made public - there are a number of ways that they could be sanitized so that no information traceable to a particular entity is disclosed. The whole problem is that the results aren't disclosed, so entities can't take advantage of any information provided to their peers.
Dear Reader: Since 2014, this blog has maintained a proud tradition of annual April Fool’s Day posts. I can assure you this tradition will continue this year. However, as I write the post below, I am beginning to worry that people will interpret this as my early entry for April Fool’s. Let me assure you, this is not the case. What this post discusses is real; I wish it were otherwise. I will find it very hard to top this come April 1.
I have started a series of posts documenting how NERC and the regions are simply improvising as they deal with the many serious interpretation issues for CIP Version 5 – issues that keep sprouting out of the ground like weeds on a warm spring day. Part I was my first post on two emails from ISO New England that were causing generators to wring their hands and explore alternative careers in fast food – anything but NERC CIP; this was followed by four more posts on those emails, although I didn't label them part of this series.
However, an email from NERC today (and an email conversation with a former auditor whose opinions I greatly respect) reminded me that there is a much more important example of “Making It Up as they Go Along” on the table – and that is from NERC itself. The email discussed the Small Group Advisory Sessions (SGAS) that NERC has suddenly started advertising. These are 60-90 minute sessions in which a group of SMEs from a NERC entity sits down with NERC staff to talk about “issues pertinent to that entity’s implementation of the CIP v5 Standards.”
So what’s wrong with that? What’s the matter with NERC sitting down to answer people’s questions? I have no problem with their doing that. What I do have a problem with – and others do, too – is that these are explicitly stated to be “closed” sessions.
First, what will be the subject of these closed sessions – important enough for critical NERC CIP SMEs to take a couple of days off and fly to Atlanta for a 60-90 minute meeting[i]? It’s safe to say it won’t be the Braves’ prospects for 2015. It’s also safe to say the meetings won’t rehash some compliance issues that have already been settled through Lessons Learned, etc. (although there are precious few of those that I would call genuinely “settled”) – or that may be addressed in the public CIP v5 Workshop going on at the same time in Atlanta.
Children, I’m afraid I have some bad news for you: The nice lessons you learned in Civics class about public bodies always dealing with public issues in a public manner don’t necessarily correspond with the reality of this terrible world we live in. These sessions will be to discuss compliance issues that haven’t been publicly dealt with by NERC – or at least not officially “resolved”[ii]; that’s why entities will probably be lining up to have these meetings. Whatever NERC says in the meetings will presumably never go beyond the ears of the attendees, as well as some others in their organizations.
Even that may not seem so bad on the face of it. Given the fact that sensitive cyber security issues are being discussed, could these be anything but closed discussions? And isn't it true that entities sit down one-on-one with their Regional Entities to discuss compliance issues all the time? Why is it different if they sit down with NERC?
There is a big difference. The entities are supposed to be getting all of their guidance on compliance from their regions. The regions know all of their entities well, and if they have a closed meeting with one entity, they will presumably share anything that has general applicability with other entities who should be notified. Even if they don’t immediately share these compliance points, they will certainly do so if another entity raises the same issue with them. NERC isn't the auditor for any of the entities in the US (or Canada, for that matter)[iii]; the Regions[iv] are.
NERC doesn't have the same relationship with the entities as do the regions, and they could never make sure they had shared a particular piece of information with all of the entities in North America to whom it might apply. Let me correct that: they could certainly share the information with all such entities by putting it out in a public document. For example, if they end up telling entity X that two of their Transmission assets – that are contiguous but don’t share a common fence – actually constitute two substations for the purposes of Criterion 2.5 (an issue I discussed in this post), they could try to generalize[v] that ruling into a public document like a Lessons Learned. Yet NERC doesn't seem to have any intention of doing that.
Is this bad? More specifically, does it meet one or more of the “unholy trinity” by being
- Illegal,
- Immoral, or
- Fattening?
I think we can rule out no. 3, although that depends on the type of snacks NERC has in the room. As for number one, it is definitely illegal (in the sense that it violates the NERC Rules of Procedure, not that it will result in somebody being thrown in jail).
But that’s not my concern here – I have said repeatedly that the only way CIP v5 (and especially CIP-002-5.1 R1) can be successfully implemented is if a number of illegal interpretations are made – by somebody[vi]. The last chance NERC had to fix the problems with v5 legally was when they wrote the SAR for the CIP v5 Revisions (aka v6) – instead, they kept the scope of the SAR narrowly to the four mandates FERC had made in Order 791. I’m just glad to see that NERC is finally stepping up even to do these illegal interpretations, since for a while it looked like they weren't going to.
So are the SGAS immoral? On the surface, they are. If NERC is making “rulings” for individual entities, then that is unfair to those that can’t set up an SGAS. According to the latest email from NERC, the SGAS will be offered on nine days in February, March and April. If you assume they set up six meetings on each of those days (probably an over-estimate), that leads to 54 meetings, and 54 entities (presumably large ones) that have had their biggest v5 interpretation issues addressed by NERC. What about the other hundred or more[vii] entities that don’t get to do this? I suggest there be a new Functional Model classification for these entities: SOL.
But hey, I’m a realistic guy. NERC has a job to do – successfully implement the v5 standards on April Fool’s Day, 2016. It may not be fair to some of the other entities that they don’t get an SGAS, but maybe NERC can help them out by setting up individual phone calls, etc. Strict morality is a nice thing to have, but desperate times call for desperate measures – and make no mistake, with the implementation date 13 months away and about 500 serious v5 issues on the table, these are desperate times indeed.
No, the core of my objection to the SGAS is that they could well destroy the enforceability of CIP version 5 (and I really mean v5.5 here, as well as almost everywhere else where I say “v5” nowadays). The reason I say that is quite simple: How can you possibly call something a “standard” that doesn't apply in the same way to every entity to which it’s supposed to apply? Even more importantly, how could any penalty assessed for a CIP v5 violation ever be upheld if the entity challenges it in court?
Now, I have repeatedly suggested that CIP-002-5.1 R1 should be declared an “open” requirement by NERC, meaning no penalties will ever be assessed for “violations” resulting from good-faith efforts to understand what that requirement (and Attachment 1) means. In fact, I have also said that R1 will be open regardless of whether or not NERC declares it so: there is so much ambiguity and contradiction in the wording that no violation could ever be upheld in a court of law (and of course, NERC CIP v5 is regulatory law because of FERC’s approval of it; penalties can be appealed in the regular court system); I even doubt any auditor would assess a PV in the first place, given that it will result in a huge battle and will most likely end up being deep-sixed.
In making this statement, I did wonder if the “open-ness” of R1 would “spread” to the requirements in the other standards. After all, R1 is where you identify and classify your BES Cyber Systems. If there is no ironclad methodology for doing that, then clearly the entity can never be certain it is applying the remaining requirements to the right systems – and the auditors can’t verify that, either. However, I reasoned to myself that, even though the BCS identification process is fatally flawed, it is still possible to say objectively whether or not the entity has properly complied with the other v5 requirements – if you accept as given the BCS lists that came out of CIP-002-5.1 R1. And auditors could still issue PVs for entities that missed the boat on these other requirements[viii].
But that reasoning is out the window. There’s nothing in the SGAS announcement that says the closed discussions between the entities and NERC will be limited to CIP-002-5.1 R1; so potentially any other v5 requirement could be discussed as well – and NERC might well issue private “rulings” for those requirements.
So what happens – say, five years from now – when an entity has been fined by FERC for violating CIP-007-6 R2, for example? They appeal it to the courts, and their argument is quite simple: It’s impossible to know whether or not NERC might have given a private “interpretation” of that requirement during one of the SGAS. It is quite possible that another entity was given advice on complying with this requirement (patch management) that could have applied to the entity that was fined as well. They would then have done things differently and avoided the violation. How could the fine possibly be upheld? On any v5 requirement?
I’m reminded of the early 2000s, when all companies finally jumped on the Internet. At first, they just put up static pages; for example, a bank would just show its hours and locations, provide some forms to download, etc. Then they all started trying to “personalize” the site. Instead of “bankname.com”, the site became “mybankname.com”. You would log in and get access to your personal banking information, do transactions online, etc.
It seems that the SGAS are following that same process. Instead of having just one version of CIP v5 for everybody, now everyone (at least the lucky ones) will have “my CIP v5” – their own CIP v5 custom tailored for their own unique environment. It’s all about serving the customer.
Of course, at that point you can’t use the word “standards” for CIP v5; something like “suggestions”, “guidelines”, etc. would be much more appropriate. And of course, there will be no more talk about fines or nasty stuff like that – how can you issue a fine against someone simply because they didn't take your suggestion? If FERC is happy with this situation then hey, who am I to complain?
At this point, I have to pause to retrieve my tongue. It’s so far back in my cheek that I’m in danger of swallowing it. I told you it’s going to be very hard to top this post on April Fool’s Day.
So what can NERC do to avoid this perhaps fatal blow to all of CIP v5? I see two overall options. First, they could:
- Keep the SGAS – I do like the idea of having NERC meet with entities to discuss v5 – but make it quite clear the meetings are solely for gathering questions the entities have about the meaning of particular wording in CIP v5 (of course, the first SGAS already took place this week. I hope NERC anticipated this post and followed my advice before I gave it).
- Once NERC has all these questions in hand (and they should gather them from other sources as well, especially the entities who can’t make an SGAS), they should commit to addressing every one of them in an open manner – presumably through something like the Lessons Learned documents (but I’m even OK if NERC short-circuits the LL process and just issues their “rulings”. Strictly speaking, they’ll be illegal, but at least they’ll be completely public).
- However, there’s no way NERC can address all of these questions in time for the answers to be of help for entities trying to comply with the 4/1/16 date. That has to be pushed back by at least a year.
What’s NERC’s second option? It’s to continue on their current course and hope everything works out for the better. And my money’s on their choosing Door Number Two. CIP v5 has been dealt a potentially fatal blow. The victim is staggering but still standing. Will he finally fall for good? And if he does, when will that happen?
To Be Continued…
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.
[i] There is a larger meeting – open to all NERC entities – that they will be able to attend while they’re waiting around for their private hour with NERC. So they don’t just have to go to the bar and watch TV.
[ii] Of course, “resolved” isn't the right word for what NERC is doing. As I've said repeatedly, NERC has no way to give binding interpretations of standards, except by going through the RFI process – which requires 2-3 years. The most they can do is put out a document for public comment – which is what the Lessons Learned are – then revise it to incorporate those comments. They presumably hope this process will build a consensus among the entities and the regions regarding the topics discussed in the Lessons Learned.
[iii] I believe NERC is the auditor for the regions themselves, and perhaps for the ISOs.
[iv] In Canada, it’s not even the Regions. The entity that enforces the standards is different in each province.
[v] Of course, I’m sure the nature of the issues brought up in these meetings will be quite specific to the particular situation of the entity, so it will be hard to generalize NERC’s “ruling” on an issue to other NERC entities. On the other hand, these “rulings” will constitute non-public interpretations, regardless of whether or not there is only one entity they could apply to.
Back in 2012 (in a post on another blog that I re-posted here in 2013), I suggested some sort of “Supreme Court of CIP” that would officially resolve the myriad questions that I could see were going to come up about application of the bright-line criteria. It seems NERC may be taking me up on that suggestion, although I’m sure they don’t remember my making it – and of course, I intended the “court” sessions to be public, not private. I hope to do a new post soon on the problem of the bright-line criteria. I would say it is the most serious problem for CIP v5, if I didn't know a couple of others that are in pretty close contention for that title.
[vi] And I've suggested at various times that “somebody” could be God, Barack Obama, Judge Judy, Joe DiMaggio, The Tibetan Book of the Dead – basically, any person or thing, alive or dead, that would have enough authority to command the respect of the NERC community. In practice, of course, NERC is the preferred “somebody”, although for a while it looked like they weren't going to do anything to address the v5 interpretation issues. Now they’re finally doing something on a fairly large scale (although not sufficiently large) - I'm referring to the Lessons Learned and FAQs; the fact that these don't constitute "legal" interpretations of v5 doesn't bother me in the least. The SGAS do bother me, although not the fact that they're "illegal", but the fact that their results won't be made public.
[vii] I of course don’t know how many entities are subject to all of CIP v5 – i.e. they have High and/or Medium impact assets with High or Medium BES Cyber Systems. It may not be more than 200. In any case, it’s more than 54.
[viii] The only possible exception to this statement would be CIP-005-5 R1, since that also deals with “fundamental” asset classification issues. For example, it’s the requirement that results in your having to identify Protected Cyber Assets. If the BCS are identified “incorrectly”, the PCAs will be as well. And the question of what constitutes External Routable Connectivity is a huge issue that is nowhere close to being resolved. I guess this falls into 005 R1 as much as it does in any other requirement.