Sunday, January 31, 2016

What Do You Need to Do After April 1?

January 31: I recently wrote a post that made the case that compliance after April 1 with CIP v5 (and v6) will be quite different from what compliance with CIP versions 1 through 3 was after their compliance dates. The post went on to describe how I thought NERC entities should approach compliance with v5. However, I decided that the second part of that post (the compliance approach) needed to be rewritten, which I’ve done here. I’ve also made some lesser changes to the first part. Thus, this post entirely replaces the previous one.

What happens on April 1? My guess is you will give one of three answers:

1.    NERC CIP version 5 comes into effect;
2.    It’s April Fool’s Day; or
3.    Some combination of these two. 

My personal preference would be the third answer. CIP v5 does come into effect on April 1, but this time is very different from when previous CIP versions (or other NERC standards) have come into effect. What will entities need to do on (and after) April 1, that they didn’t need to do in previous CIP versions?

The reason CIP v5 (and when I say CIP v5, I mean v5 and v6) is so different is that there are many areas of uncertainty regarding what the requirements mean, and many entities are far behind where they should be in preparing for the compliance date – because they have been expecting/hoping for some clear guidance, which hasn’t shown up. Of course, I’ve been saying this since 2013, but here are three recent pieces of evidence:

First, I recently wrote a post discussing a recent article written by Lew Folkerth of RF on the idea of “implicit requirements” in CIP v5. Lew had stated last October at an RF meeting that he was going to work on a list of these implicit requirements. However, in his article he said, “My opinion is that we may never be able to achieve a complete list of implied requirements; the more we mature in our understanding of CIP Version 5, the more implied requirements we will find.”

Think about this. Lew has been saying for a while (and I picked up his banner) that there are a lot of things an entity needs to do to comply with CIP v5 that aren’t actually written in the standards. Now he’s saying that it will probably never be possible to produce a complete list of these items. In other words, there will probably never be a complete list of what an entity needs to do to comply with CIP version 5!

Second, in a recent post I republished a news article on the run-up to CIP v5. That article made a point that both Lew and I have made repeatedly for more than a year: For areas of the CIP v5 standards where there is ambiguity in the requirements or definitions, the only choice the entity has is to determine for themselves the right interpretation. But they need to document their interpretation and how they arrived at it – and they need especially to show they’ve considered whatever guidance NERC or their region has put out, even if they didn’t actually follow that guidance.

Third, on January 19 I listened to a NERC webinar on “Future CIP Standards Development”. NERC officially announced that a number of issues (more than eight) in CIP v5 will be referred to the current CIP v5 Revisions Standards Drafting Team for development of revised or new standards or definitions. This in itself wasn’t a surprise, since NERC has been saying this would happen for more than a month. What was surprising was that the drafting team will be addressing what I think are probably the three most fundamental areas of ambiguity in CIP v5:

1.    The definition of Cyber Asset, especially the meaning of “programmable”.[i] I have written a number of posts on this issue, but the one I like best is still the first one.

2.    The definition of BES Cyber Asset, and especially the meaning of “adverse impact” in that definition. I have written several posts on that topic, but the best is here.

3.    The concept of External Routable Connectivity. My last post on ERC was this one. However, just like with “programmable”, I no longer think there can ever be a dictionary-style definition of ERC that will address all of the current questions. There will need to be a list describing different cases (presumably with diagrams): “In case A, there is ERC; in case B, there isn’t ERC; in case C….etc.” This is similar to the discussion of LERC in the Guidance and Technical Basis section of CIP-003-6. 

So I’m happy that the SDT is actually going to address some of the basic problems[ii] in CIP v5. Of course, this means it will easily be three to four years before the new standards and definitions are drafted, approved by NERC and approved (maybe) by FERC. Until then, NERC entities will have to resolve each of the above areas of ambiguity to their own satisfaction and document how they resolved them. In addition, each entity will need to document that they considered all available NERC guidance in arriving at their own “definition”, and that this was applied consistently across their assets (for example, both Generation and T&D need to use the same “definition” of “programmable” in deciding which devices are Cyber Assets and which aren’t).

Let’s get back to my question above: What do entities need to do starting this April that is different from what they did to comply with previous CIP versions? As I’ve just shown, there are explicit and implicit requirements in v5. Let’s discuss these separately.

Addressing Explicit Requirements
Explicit requirements are ones that are stated in the CIP v5 (or v6) standards. If the requirement has a number like R1, R2 etc. in front of it, it’s an explicit requirement. However, there are two types of explicit requirements: clear and ambiguous. While the line between these two types isn’t a clear one, in general a clear requirement is one about which there is no fundamental debate. For example, CIP-007-6 R2 Patch Management is fairly clear in its concepts, although there is some disagreement around the edges. An entity that decides to take 60 days to evaluate new security patches for applicability, rather than the 35 days in the requirement, will most likely receive a PV. It would be very hard for them to argue that the requirement isn’t clear on this point.

An example of an ambiguous explicit requirement is CIP-002-5.1 R1. I have expended billions of perfectly good electrons discussing the problems with that requirement; a recent post is here. Another example is any requirement, like CIP-007-6 R1, where External Routable Connectivity is mentioned in the Applicability section. Since the definition of ERC has been turned over to the Standards Drafting Team to rewrite (presumably in CIP version 7), its ambiguity[iii] will never be resolved until that effort is completed and approved, easily 3-4 years from now.

For “clear” explicit requirements, you need to comply with them in the same way you did for requirements in CIP versions 1-3: Develop and document procedures for compliance, and make sure the procedures are applied to all of your cyber assets that are covered by the requirement in question. If you won’t be fully compliant with one of these requirements on April 1, you need to self-report a violation and work as quickly as possible to come into full compliance. A PV may be issued, whether you self-report a violation or it is discovered during an audit.

For ambiguous explicit requirements, you first have to develop and document how you have resolved the ambiguity. To use the example above, for CIP-002-5.1 R1 you need to develop and document your own methodology for identification and classification of BES assets and BES Cyber Systems. This needs to take advantage of whatever guidance has been provided by NERC or your region, but at the end of the day it is your entity that must make the decision on what is the best methodology, since the wording of the requirement itself (and Attachment 1) is ambiguous and contradictory. You also need to document that this methodology has been applied on a consistent basis across all of your assets.

If you have taken these steps by April 1, you don’t need to self-report anything. However, if you simply have not finished this methodology by April 1, and/or you haven’t finished applying it to all of your assets in scope, I believe you do need to self-report that you are in violation and work as quickly as possible to come into compliance. In other words, for requirements that are explicit but ambiguous, you need to resolve the ambiguity in some way and proceed with complying with the requirement. You won’t get a pass from your auditor if you say you just couldn’t figure the requirement out, so you didn’t do anything at all.

Addressing Implicit Requirements
It’s a different story for the implicit requirements. First, you need to identify them. How do you do this? You think about how you comply with each explicit requirement, and you look for steps you need to take that aren’t specifically stated in the requirement. For example, you may have noticed that, while the Applicability sections of many requirements list Protected Cyber Assets, EACMS, and PACS as devices to which they may apply, you are never required to identify these in the first place. So identifying them is an implicit requirement.[iv]

It would certainly help if there were a definitive list of implicit requirements. However, as I mentioned above, Lew Folkerth now says there can never be such a list; I agree with him.[v] It is up to each entity to identify implicit requirements and document how it dealt with each one. You can find implicit requirements discussed in many documents, such as the NERC Lessons Learned and in many of my posts. They aren’t usually identified as implicit requirements, but here is a rough “field guide” to some of the primary types:

1.       If you have to develop your own definition in order to comply with a requirement, doing so is an implicit requirement. Examples of this are the word “Programmable” in the Cyber Asset definition; “adverse impact on the BES” in the BES Cyber Asset definition; “External Routable Connectivity” when the communications stream to a device includes both routable and non-routable components; and “custom software” in CIP-010-2 R1. For all of these, you have to develop and document your own definition. In addition, you need to document that the definition was applied consistently across your assets. Keep in mind that the “definition” will often not be dictionary-style, but will probably be a procedure for identifying something, as in the “programmable” procedure discussed in this post.

2.       In other cases, the entity will have to develop a list, for example lists of PCAs, EACMS, and PACS. As I discussed above, even though many requirements apply to these cyber asset types, there is no requirement to actually identify and list them in the first place. That requirement is implicit.

3.        In a number of cases, the entity needs to develop and document a methodology. For example, there is no explicit requirement in CIP-002-5.1 to identify BES Cyber Systems, so the requirement itself provides no guidance on how you can do that. It’s up to you to read whatever you can about this (including the Guidance and Technical Basis for CIP-002-5.1, rogue blog posts like this one, and the Lesson Learned just released by NERC, which primarily relates to identifying Cyber Assets) and develop your own methodology. You also need to show that you applied that methodology consistently in identifying your BCS.

4.       Some implicit requirements follow from actual requirements by simply applying common sense. One good example (borrowed from an EnergySec webinar) is the fact that CIP-003-6 R1 requires an annual review of cyber security policies, but doesn’t require the entity to change a policy if the review finds the need for a change. Of course, common sense dictates you should make the change.

5.       There is a whole class of implicit requirements that deals with virtualization. Since virtualization wasn’t considered at all in developing the CIP v5 standards, the entity has to think about what makes the most sense if they have virtual machines or virtual switching. This is one of the topics that the drafting team will take up, so there will be no official word on this topic for years. However, NERC provided some “implicit guidance” in a recent document that I discussed in this post. If you have any virtualization within your ESPs, you need to address that in some way in CIP v5, not simply pretend it’s not there.                                                                                                            
So there is a lot of work that needs to be done to comply with the implicit requirements in CIP v5, starting with the fact that there is not now, and never will be, an official list of these requirements. I think there are at least 150 different types of documentation required for CIP v5, and my guess is half of these are due to implicit requirements. This is primarily why I say the paperwork burden for CIP v5 is greater by some factor (at least three or four, in some cases a lot more than that) than the burden for CIP v3, even when you allow for the fact that there are many more cyber assets in scope for v5 than for v3.

I don’t believe PVs will ever be issued directly for violation of implicit requirements. However, since an implicit requirement is always part of complying with an explicit requirement, you will almost always have to self-report a violation of the latter. For example, if your entity doesn’t develop a consistent methodology for identifying and classifying BES Cyber Systems (an implicit requirement), but instead lets each group in your organization determine for themselves how to do this, this would probably be interpreted as a violation of CIP-002-5.1 R1 - since your entity would be identifying BES Cyber Assets differently in different instances.

If you have complied with an implicit requirement but just have not yet documented that fact, you don’t need to self-report anything. Going back to the example of identifying PACS, EACMS and PCAs, you don’t have to self-report on April 1 if you haven’t documented your methodology for identifying these devices, since this is an implicit requirement. On the other hand, if you haven’t documented your methodology because you don’t have one and you have just been identifying these devices willy-nilly, you will need to self-report that, since you haven’t identified these three items consistently and this will affect your compliance with a number of explicit requirements.

Wrapping Up
The purpose of this post has been to show that the answer to the question “What do I have to do regarding CIP v5 after April 1, 2016?” is much more complex than it was with previous CIP versions. This is primarily because of the large number of ambiguous and implicit requirements in CIP v5, and the documentation needed to “comply” with them.

To summarize what I’ve said,

1.    “Clear” explicit requirements need to be treated as they always have been in previous CIP versions. Self-reports are required for any areas in which you know (or suspect) you aren’t compliant, and PVs may be issued.

2.     To be compliant with an ambiguous explicit requirement, you need to resolve the ambiguity to the best of your ability (e.g. by developing your own methodology for identifying BES Cyber Systems, since CIP-002-5.1 R1 doesn’t provide any guidance on that), document how you resolved the ambiguity, and make sure you have applied this consistently to all cyber assets. If you haven’t done this, you aren’t compliant with that requirement, and need to self-report.

2.     You need to document how you complied with an implicit requirement, although you don’t have to make a self-report if the documentation isn’t in place on April 1. However, if you haven’t fully complied with an implicit requirement, it is very likely you have violated an explicit one (as in the two examples above); you will need to self-report that.

Feb. 3: I felt I hadn't actually answered the question in the heading in this post, so I published a follow-on to this post here.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.

[i] I certainly hope the SDT doesn’t limit themselves to just defining Programmable. I think they should consider what would be the best definition of Cyber Asset, which might not even include that word. I also think that it will ultimately be impossible to come up with a “definition” of Cyber Asset in the dictionary sense of the word. The only approach that will work, in my opinion, is some sort of list, for example “Devices with one or more of the following characteristics are Cyber Assets.”

[ii] When I say “basic problems” here, you may wonder how this relates to my recent post where I said it was time to start dealing with the “fundamental problem” with the CIP standards – namely, that they are prescriptive, while cyber security is much better addressed with risk-based standards. I regret to say that the SDT’s efforts won’t address this fundamental problem; only a complete rewrite of CIP (in a form something like CIP-014) would do that. My preference would be that NERC (and I guess FERC) decide to do that complete rewrite now. However, other than my kids and my barber, I don’t know anyone who is wholly in agreement with this idea yet. It will take a while to build up a constituency for this change. If the CIP v5 framework will be around for a number of years (not my preference!), it is still important to try to get the foundation as solid as possible, so the work that the SDT will do is important.

[iii] When I say the ERC concept is ambiguous, I need to point out it is only ambiguous in the case where the communications stream between a Cyber Asset like a relay and the control center includes both routable and non-routable (serial) components. If the stream is entirely routable or entirely serial, there is no ambiguity. In the former case, there is ERC; in the latter, there isn’t.

[iv] For that matter, you are never required to identify BES Cyber Assets or BES Cyber Systems, either. Where the word “identify” is used in CIP-002-5.1 R1.1 – R1.3, it really means to classify them after they have been identified. In developing your CIP-002-5.1 R1 compliance methodology (discussed under explicit requirements), you will need to show how you will identify BCS in the first place. I have written a lot about this problem, including in this post.

[v] I have developed a list of implicit requirements over the last five or six months, and I am continually adding to it. We at Deloitte Advisory provide it as part of the free CIP v5 workshops we have done with a number of entities in the past few months – and are continuing to do now. If you might be interested in doing this, please email me at

No comments:

Post a Comment