Location, Location,
Location
…
Things
fall apart; the centre cannot hold;
Mere
anarchy is loosed upon the world,
…
The
best lack all conviction, while the worst
Are
full of passionate intensity.
…
And
what rough beast, its hour come round at last,
Slouches
towards Bethlehem to be born?
W. B. Yeats, The
Second Coming (1919)
Let me start
by admitting the above quotation has nothing to do with this post. I was just struck by the remarkable fact that Yeats eerily
foreshadowed the 2016 US election campaign almost a hundred years ago!
Now to my
topic: I’ve realized for a while that one of the biggest sources of confusion
in CIP v5 and v6 is the concept of Location. As with other sources of confusion
in v5, the cause of this isn’t that people are stupid, but that there are
contradictions and missing definitions in CIP-002-5.1 R1 and Attachment 1. I
can’t do anything about those contradictions and missing definitions, but perhaps
the Standards Drafting Team can. In this post, I’ll try to describe the
following:
- How almost all NERC entities, regions, and NERC itself are
interpreting the concept of location in CIP-002 R1;
- What I (aided by
one or two Interested Parties) interpret the words regarding location to
really mean; and
- How I think the words of R1 and Attachment 1 might be
rewritten to make CIP-002 R1 both more understandable and (perhaps) more
enforceable than it now is.
I.
The Prevailing Understanding
As I discussed in this
post, the general understanding of how Location works in CIP-002-5.1 R1 is that
the entity needs to start with the list of six asset types in R1, then “run”
this list through the Attachment 1 criteria to identify High, Medium and Low
impact assets. Once this has been done, the entity needs to identify BES Cyber
Systems located at High or Medium assets. These BCS become subject to the High
or Medium impact requirements of CIP-003-6 through CIP-011-2. Meanwhile, Low
impact assets (aka “assets containing Low impact BCS”) are subject to CIP-003-6
R1.2 and R2. I can count to ten and include all of the individuals – whether
employees of NERC entities, NERC regions, or NERC itself – who have stated
within my hearing that this isn’t actually how R1 and Attachment 1 are written.
Of course, this isn’t how R1 and Attachment 1
are written, as I discussed in the above-linked post. But I also pointed out that
this isn’t necessarily a bad thing. In fact, I don’t see any other way that
entities can reasonably be expected to comply with R1 except by taking this approach. And I certainly don’t think they
should receive PVs because they didn’t follow the exact meaning of the words of
R1, since that meaning is very difficult to ascertain, as I’ll describe next.
The problem this causes is that it makes R1 (and perhaps all of the other CIP
requirements) unenforceable in the strict sense that a fine for violating it is
unlikely to be upheld if appealed to the court system.
II.
How I Interpret the Words
There are two main problems with the Prevailing
Understanding of Location. The first is that Attachment 1 explicitly states
that the High and Medium impact criteria are for classifying BES Cyber Systems,
not assets, so the six asset types listed in R1 must serve another purpose than
the one assumed in the PU. The second is that the “preamble” to Section 2 of
Attachment 1 states that the entity needs to identify BES Cyber Systems
“associated with” the Medium impact criteria in that section. In practice, this
means that a BCS doesn’t have to be physically located at the asset in order to
be Medium impact due to that asset.[i]
Let’s deal with the first problem first
(although you’ll see that in dealing with that problem we’ll also end up
dealing with the second one). Why is the list of six assets in R1, since it
isn’t there to do what the Prevailing Understanding thinks it does – furnish
the set of assets that is run though the Attachment 1 criteria? An Interested Party
explained this mystery to me a couple of years ago, pointing out that this list
is actually the six types of locations
where BES Cyber Systems that are subject to the requirements of CIP v5 can be
found; if they are located anywhere else, they aren’t in scope for v5.[ii]
Here’s an example. Suppose someone uses a remote computer system to make changes to settings of physical systems in a generating plant
that has been designated as “necessary to avoid an Adverse Reliability Impact…”
as described in Criterion 2.3. Since the loss, misuse, etc. of this computer
could “adversely impact” the BES within 15 minutes, this means this system is a
BCS. But is it a Medium impact BCS?
Let’s say this system is located at a
generating plant, which is otherwise Low impact. Since that plant falls under
one of the six asset types in R1, this means the system would be a Medium BCS,
because it is located at one of the six asset types and because it is
associated with an asset meeting criterion 2.3.
As
an aside, you might or might not consider the entire plant a “Medium” one. If
you could physically and logically protect the single Medium BCS in the plant
so that it complied with all of the appropriate v5 requirements, without
involving any other systems that might be in the plant, then you might still
consider the plant simply a Low one with one Medium BCS. Otherwise, you’d have to say
the plant is both Medium and Low impact – and if your Regional Entity is
requiring a list of Medium assets, you would need to include the plant on that
list, as well as the list of Low assets. In either case, you would need to
include the one Medium BCS on the list of Medium BCS.
Now suppose that the system is located in
somebody’s living room. Since a living room (or the house that contains it)
isn’t one of the six asset types, that system won’t be a Medium BCS. In fact,
it won’t be a Low BCS either, since Low BCS also have to be located at one of
the six asset types. It might theoretically still be a BCS, but that is a
purely academic question; you don’t have to deal with this computer in CIP
v5. Of course, since it is being used for
Interactive Remote Access, its use will
be subject to CIP-005 R2 and the systems in the ESP located at the Medium plant
will presumably be protected that way.
In practice, I believe that the only serious
cases of BCS at Low impact assets, that might have become Medium impact, were
“far-end relays”. This became a big issue in 2014. I wrote this
post describing the problem, and this
post describing an Interested Party’s solution to the problem. In fact, the
IP’s solution was so good that NERC later adopted it wholesale for their Lesson
Learned on this issue.
The IP’s argument was very specific: This
problem only comes up in the case of substations subject to criterion 2.5.
Since there is very specific language in 2.5 that protects against exactly this
situation, it isn’t a problem. In this case, the words “associated with” don’t
reach out to BCS located at Low impact assets and make them Medium impact. But
can it happen elsewhere? That is, are there cases where the “associated with”
wording will lead to BCS at Low assets becoming Medium impact? To be honest, I
haven’t found any cases where that will happen, although I admit I haven’t
conducted a survey to identify if there are such cases.[iii]
III.
How I Would Rewrite the Words
How would I rewrite the wording of CIP-002-5.1
R1 and Attachment 1 to address these two issues? To address the first issue –
regarding the six asset types – I would rewrite that section of R1 so that it
made clear that the six asset types are only locations at which BCS can be
found, not the “raw material” that gets fed into the Attachment 1 process in an
effort to classify Medium or High impact assets (or BCS).[iv]
Regarding the second problem of “associated
with”, it seems to me that, even though there may be a few BCS at Low assets
that could become Medium impact due to that wording, it isn’t worthwhile
requiring entities to do the extra work needed to identify these BCS (they will
still be protected at a Low level where they are). I think Medium BCS should be
identified just like High ones are: they are BCS located at a High or Medium asset (or Facility). Of course, to do
this would require v5 purists to admit that there are actually such things as
High and Medium impact assets – even though the strict wording of CIP-002-5.1
doesn’t countenance such things.
However, as I’ve said many times, virtually
all NERC entities and regions are acting as if High and Medium assets (or
Facilities) are real – so I suggest the purists get over this. Similarly, if I
thought that unicorns were very important to help lots of people get through
their day, I’d be the first to suggest we simply say they’re real and move on.
Life is too short to worry about finer points of wording when everyone agrees
on what it means – even if everyone is wrong.
The views and opinions expressed here are my own and don’t
necessarily represent the views or opinions of Deloitte Advisory.
[i]
You may notice that there is a direct contradiction here. I just got through
pointing out that Attachment 1 says the High and Medium criteria are for
classifying BCS. Yet by saying that a BCS is Medium because it is “associated
with” one of the Medium criteria, the original SDT was admitting that the criteria
really apply to assets in some way! This is because R1 and Attachment 1 were
written at different times from two different viewpoints, and they were never
reconciled with a set of consistent wording. This clash of contradictory
viewpoints is what I have called the fundamental problem of CIP-002; it
manifests itself in a number of places in the wording.
As a further note, this issue doesn’t appear for High
impact BCS. The preamble to Section 1 of Attachment 1 says that High BCS are
those “used by and located at” a Control Center that meets one of the four High
criteria. So High BCS can only be located at a Control Center that meets one of
criteria 2.1 to 2.4.
[ii]
I won’t take the time to try to prove this to you, but I’m sure it’s right –
even though the wording of R1 seems to go out of its way to obscure this point.
I will point out that you can get a good clue that this is the case by
considering the fact that the wording of 1.2 would contradict the words
“associated with” in Section 2 of Attachment 1, if the word “asset” in 1.2 referred
to the asset that meets one of the Medium criteria. So “asset” in 1.2 must
refer to one of the six asset types, thus making 1.2 (and 1.1 and 1.3) refer to
the locations where Medium BCS can be found. This resembles the word puzzles I
used to enjoy doing as a boy; unfortunately, it’s not a wonderful practice to
build a regulatory framework with potential million-dollar-a-day penalties on a
foundation of word puzzles, as seems to have been done in the case of CIP
version 5.
[iii]
I initially thought that Automated Generating Control (AGC) systems that
controlled Medium generating plants might be located at Low impact plants or at
substations, and thus be themselves Medium impact. But nobody has told me they
know of an example where this actually is the case.
[iv]
In stating this, I’m conveniently (for me) leaving out the much bigger problem
– the fact that Attachment 1 (and parts of R1) is written assuming that BCS
themselves are first identified, then run through the criteria to classify them
High or Medium, while almost every NERC entity and auditor – from what I have
seen – approaches R1 in the same way they did CIP-002 in version 3. That is,
they first classify the “big iron” (High, Medium or Low assets in v5; Critical
vs. non-critical Assets under v3), then they classify the Cyber Assets that are
critical to the asset with the same classification as the asset itself (H/M/L BCS
in v5, and Critical vs. non-critical Cyber Assets under v3). Fixing this
problem will require a complete rewrite of CIP-002-5.1, and from what I’ve seen
there is no appetite on NERC’s part to do this. And as I’ve recently said,
I no longer think it’s worthwhile trying to come up with a comprehensive fix
for the problems of CIP versions 5 and 6. I think CIP needs to move in a
different direction, a sustainable one.