This is the first of two or three posts based on my visits to the SPP CIP v5 Workshop in Kansas City and the WECC CIP User Group in Portland during the first week of June. I learned a lot from the presentations at the meetings and from individual conversations with various parties, which I’d like to share with you.
Without doubt, the biggest concern at both meetings was the six “Memorandums” that NERC put out in April. And the biggest part of this concern was caused by the impression that the guidance provided in these documents was in some way mandatory for compliance. The Memorandum that caused the most concern was the one on Programmable Electronic Devices.
On April 22, NERC released a Memorandum on the meaning of “Programmable Electronic Device” (PED). As we all know by now, this is how “Cyber Asset” is defined in the NERC Glossary. And since Cyber Asset can be considered the foundational definition of CIP Version 5, getting this right is of vital importance for compliance with v5. PED was never defined in the drafting process for v5, which is why we’re having this conversation now.
Some background: The Memorandum wasn’t the first time NERC has addressed this issue. There was a draft Lesson Learned posted on January 9[i]. The argument in this document hinged on the distinction between devices that are “field updateable” and those that are “configurable only”. According to the Lesson Learned, the former are programmable (and therefore meet the definition of Cyber Asset); the latter are not. When this draft Lesson Learned appeared in January, most NERC entities I talked to thought it was a fair document – one they could live with.
I had expected the Lesson Learned would be finalized by April, but the April Memorandum made clear that this document now sleeps with the fishes; it will never be finalized. The Memorandum states (page 2) “After further evaluation, NERC determined that the issue related to this topic was not appropriately addressed through a lesson learned or FAQ as it was not consistent with the purpose of those guidance documents.”
What’s the new definition? NERC wastes no time in setting that out in the Memorandum: it is “any device that is electronic and capable of executing a set of instructions.” In other words, “configurable only” devices are now considered programmable, whereas they weren’t in the Lesson Learned. This new “definition” is based on the SDT’s responses to comments from NERC entities received during the drafting process for CIP v5, which were included in NERC’s 7,000-page (!) CIP v5 filing with FERC in January 2013.
Is the new “definition” much different in practice from the old one? From what I’ve heard, yes. There are many devices that would have been excluded as Cyber Assets using the draft Lesson Learned because they are “configurable only”. According to the Memorandum, these will all now be Cyber Assets, and will have to be considered as possible BES Cyber Assets. As soon as the Memorandum came out in April, I heard cries of anguish from NERC entities about this.[ii] I heard more at the SPP and WECC meetings.
However, there was total unanimity among the speakers at the two meetings that the Memoranda don’t count as mandatory interpretations. At the SPP meeting (which occurred on Tuesday June 2), three speakers – Kevin Perry of SPP, Lew Folkerth of RFC, and Tom Hofstetter of NERC – all agreed this was the case (naturally, they were speaking for themselves, not the organizations they work for – the standard disclaimer). However, they all did say that any entities that choose not to follow the “definition” in the Memorandum need to have a pretty good story about why this is the case.
Lew Folkerth did go beyond that and pointed the audience to an article he wrote for RFC’s newsletter (pp. 8-9) last December, discussing in general how entities can deal with “non-prescriptive” standards[iii] such as some of the CIP v5 ones – i.e. how they can comply when the standard doesn’t provide all of the information needed to fully understand what “comply” means. Let me go beyond what he said to address this particular problem: If your entity started its CIP v5 compliance program before April (and I would hope almost all entities did), you should point out to the auditor – when he/she questions why you didn’t use the April Memorandum as your “programmable” definition – that you couldn’t have even started your compliance effort without a definition of Programmable, since that is the first step in the process of identifying BES Cyber Systems. If you started this year, you may have used the Lesson Learned from January. If you started last year, you may have used something like the “definition” provided to me by a Generation compliance person, which I described in this post last September. Whatever you did, you need to document a) how you searched through all guidance on this issue that was available at the time and b) the definition you used and how you arrived at it.
Hearing two regions (and a NERC spokesperson) say the new “definition” of PED wasn’t mandatory was certainly good news, but at the WECC meeting two days later (on Thursday June 4) there was even better news. First, Brent Castagnetto, Chief CIP Auditor for WECC, said they didn’t consider any of the Memoranda to be mandatory (I’m told Texas Regional Entity also announced this). Even more significantly, it was announced that, at a meeting in Atlanta held on Tuesday and Wednesday of that week, NERC had decided to withdraw the Memorandum on Programmable Electronic Devices altogether.[iv]
This last statement is quite interesting because of what it doesn’t contain – namely, any reference to what is going to replace the Memorandum. Should entities try to follow the Lesson Learned?[v] Or are they truly on their own to come up with the best possible definition? I’m hoping that the CIP v5 Revisions SDT will address this, as well as the many other issues with CIP-002-5.1 (and the BCA/BCS definitions), by drafting a revised CIP-002 (which would have to include new BCA, BCS and Cyber Asset definitions; these are all intimately linked to the current CIP-002 wording). This is the only way to settle these questions once and for all.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte & Touche LLP.
[i] I wanted to include a link to this document, but it seems to have been removed from the NERC web site. If you want to email me at talrich@deloitte.com I’ll send it to you.
[ii] It was stated at the SPP meeting that the biggest reason for pushing through this changed definition was because the definition from the Lesson Learned would probably have been used by many entities to remove all relays, RTUs and some other devices from the scope of CIP v5. I found this simply incredible, since I had never heard of anyone even considering this possibility – and I confirmed with others in the industry that they had never heard of that either. If that is why NERC developed this Memorandum, it seems to clearly be a solution in search of a problem.
[iii] I prefer the term “ambiguous”. Just a matter of taste, I suppose.
[iv] I’m publishing this post a week after I wrote it. I regret to say that, at the NERC CIPC meeting in Atlanta June 9-10, Tobias Whitney of NERC made clear that not only does the PED Memorandum remain in effect, but NERC still considers it “auditable”. He said the only recourse that entities have, if they don’t like the Memorandum, is to file an RFI or a SAR for a new definition; of course, this doesn’t help anybody for compliance by next June, since both of these are multi-year processes at best – and I hear that NERC hasn’t even permitted any RFIs to go forward so far.
[v] NERC unfortunately cannot return to advocating that entities follow the Lesson Learned on PED. They said in the Memorandum that the PED question wasn’t addressable through a Lesson Learned, per the quote in the fifth paragraph of this post. This is probably why the LL has been removed from the NERC web site.
Kevin Perry of SPP emailed me to point out that I had “misquoted” him when I noted in the second footnote that he had said the definition of “Programmable Electronic Device” from the January draft Lesson Learned would “probably have been used” by NERC entities to remove many devices – including relays – from being in scope for CIP v5 (I of course didn’t mention his name in the post, but since he’s a well-known figure in the CIP world many people probably drew the conclusion he had said it). Kevin says he really said – and I’m not disputing this – that, had the LL gone through (and had the Memorandum not been published in April), these devices could potentially have been removed from being Cyber Assets, leaving a large portion of the grid unprotected.
As I said in the footnote, I talked with a number of people who said they had never heard of – nor considered on their own – the idea that the Lesson Learned on PED would have removed relays and other devices. In fact, after that post I confirmed with the person in charge of compliance at probably the largest manufacturer of devices used in substations that they hadn’t heard of this from a single customer. However, I don’t dispute the idea that at some point in the future there could have been a general realization that the LL provided a great “get out of jail free” card for relays, RTUs, etc. So I am correcting my statement.
However, there’s a bigger issue for NERC here. They are saying their main motivation for issuing the Memorandum on PED was that a change was needed to prevent a serious danger to the BES. Let’s stipulate there was a danger – how can that possibly be a motivation for issuing the Memorandum? The Memoranda are supposed to be based on the “plain wording of the standard” and the “record of development”; indeed, the PED Memorandum quotes from several sections in NERC’s 7,000-page filing of comments they made with the CIP v5 standards.
I thought the reason for issuing this and the other Memoranda was that NERC had suddenly found this wording in the filing, and realized it offered guidance that needed to be spread to the community immediately. Now it seems the Memorandum was in effect a new definition of PED, developed because NERC saw a clear and present danger caused by their previous definition in the Lesson Learned. I thought new definitions required a SAR. Are we now jettisoning the standards development process because of the need to meet the 4/1/16 compliance date? What are we going to jettison next? Rather than throwing away the Rules of Procedure, why don’t we push back the compliance date instead, so we can deal with these issues in the proper and legal manner?