I have now done two posts (both of which I’m calling Tom’s Lessons Learned) about the meaning of “adversely impact” in the definition of BES Cyber Asset. The second post went further to show how my “definition” (really a procedure for determining whether or not a Cyber Asset can adversely impact the BES) could clear up the question of whether HVAC and UPS systems need to be considered as BCA/BCS. I also gave two other examples of systems where my “definition” provides a way to answer this question: the SEMS system in a power plant and the fire suppression system in a substation.
The day after this post, an auditor emailed me to say that phone systems should be included in this analysis as well. (We’re talking about electronic phone systems here, since other kinds wouldn’t be Cyber Assets in the first place. If your current phone system requires you to ring up the operator and ask for “Ravenswood 4229”, you’re already off the hook – so to speak.[i])
Of course, the reason that phone systems would even be an issue in the first place is that they are sometimes a backup for system-to-system communications, e.g. when a control center dispatches a generating station. And some have wondered to me whether, in cases where the communication needs to happen within 15 minutes and the SCADA system could fail, the phone system might have to be declared a BCA/BCS (since, as we well know, redundancy isn’t in itself an argument against declaring it such).
So let’s apply the analysis from the previous post, which at its heart consists of two questions. Both of these questions need to be answered affirmatively in order for the Cyber Asset to be considered to have adverse impact on the BES, if lost or misused.

1. Does the loss or misuse of the Cyber Asset adversely impact the asset/Facility?

2. Does this adverse impact on the asset/Facility necessarily[ii] translate into an adverse impact on the BES within 15 minutes?
To answer the first question, I think it can be said there would be some sort of adverse impact on the control center if the phone system were down. But what about the second question?

Let’s say the SCADA system in a control center is down (and the backup SCADA has failed to kick in for whatever reason); meanwhile, the ICCP system (which isn’t down) shows that the ISO needs a peaker plant dispatched immediately. If the control center’s phone system happens to be down as well, are they simply SOL? Will there be an inevitable BES impact? That’s hard for me to believe, since probably everybody in the control room has a cell phone in their pocket or purse. My guess is the message will get through to the peaker plant, even if it requires smoke signals or carrier pigeon.[iii]

So the answer to the second question is no, there won’t inevitably be a BES impact. Ergo, phone systems don’t need to be considered as BES Cyber Assets/Systems.
The auditor did make another good point about the previous post. He pointed to the place where I’d essentially restated the two questions. In discussing what an entity would need to prove in order to show that a Cyber Asset wouldn’t have an adverse impact on the BES if lost or misused, I had said they would need to show that this loss or misuse

- Won’t impact the asset/Facility (i.e. question 1 above)
- in a way that would cause the asset/Facility to fail to fulfill one or more of the BROS that it normally fulfills (question 2).

He noted that making total failure to fulfill one or more BROS the criterion for whether the second condition had been met would eliminate cases where misuse of a Cyber Asset had caused the asset/Facility to only partially fulfill its BROS. He gave the hypothetical example of an entity that argued (using the SEMS example from the previous post) that while the plant may have had to reduce its generation output below a certain threshold in the event of the SEMS failure, as opposed to tripping the plant offline, it was still producing energy, doing voltage control, etc. – all of the BROS functions it normally performs; it just wasn’t completely fulfilling all of those BROS to the same degree as previously. His point was that even a partial failure to fulfill BROS constitutes adverse impact on the BES. I have changed the second item to read “in a way that would cause the asset/Facility to fail to fully fulfill one or more of the BROS that it normally fulfills.”
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.
[i] I won’t say there aren’t any of these systems out there. There may still be a few utilities that haven’t gotten permission from the PUC to update the phone system they bought in the 1930’s. Of course, I can’t imagine there are too many operators out there nowadays, ready to plug the long black thingy into the proper hole on their switchboard.
[ii] The word “necessarily” wasn’t in the previous post, but I think it is really crucial (I’ve updated that post now). As I said in the previous post, it seems to me axiomatic that a control system could have an adverse impact on the asset or Facility it’s associated with or located at (question 1); it wouldn’t be a control system if that weren’t the case. But it isn’t axiomatic that the impact on the asset/Facility will translate into an impact on the BES (question 2). In the case of the fire suppression system in the previous post, even though that system had been disabled by a hacker, someone might be at the substation and pick up a fire extinguisher to put out the fire; or the wind might be blowing in a direction where there was no harm to a BES Facility. It is only if the BES impact is inevitable (question 2) that the Cyber Asset can be said to have an adverse impact if lost, misused, etc. – and therefore be a BES Cyber Asset.
[iii] The fact that I’m even considering this question may seem to violate the statement in the BCA definition that redundancy “shall not be considered when determining adverse impact.” Remember, since I’m breaking the determination of “adverse impact” into two parts, this statement only needs to be true for one of the two parts (questions). For the second question, I agree that redundancy doesn’t make any difference – if an asset has a BES impact, it has it regardless of whether or not there is redundancy. But for the first question, I think redundancy is sufficient mitigation to make the answer to the first question “no”, and therefore to make the phone system not a BES Cyber Asset/System. Think what you might have to do if redundancy weren’t a mitigation for the first question, in the control center case: every cell phone used in the control center (and actually maybe every cell phone that could be borrowed by an operator, no matter who owned it) would have to be considered as a BES Cyber Asset!