I’m now getting in the habit of reading Lew Folkerth’s column in the RF newsletter as soon as the newsletter appears. So when I got notice of the May-June newsletter, I didn’t let it sit in my inbox for days, but immediately downloaded it and went to Lew’s column – called, as always, The Lighthouse. As usual, it was very rewarding to read the column, and I think you’ll agree with me when you read it (unless you don’t give a d___ about NERC CIP, but then why are you reading this blog in the first place?).
Lew covered multiple topics in this column, and did a good job on all of them except the last one. Since I’m naturally jealous of anyone who has such a good knowledge of everything having to do with NERC CIP, I will of course make a big point of calling attention to his error. But I’ll start at the beginning:
First, he discusses the compliance date for CIP-003-7. Of course, this agrees completely with what I said about the same topic, at much greater length. But in my opinion, I said it with a lot more flair than he did. So there.
Second, he provides a great analysis of the meaning of something FERC ordered in Order 843 (which approved CIP-003-7), which is a study of how the revised electronic access control requirement in CIP-003-7 is implemented (I had frankly skimmed through that part of the Order). He points out that FERC, in their NOPR on CIP-003-7 last year, had sounded like they were going to order beefed-up electronic access controls when they approved CIP-003-7 (as I had discussed in my post soon after the NOPR appeared).
But FERC was evidently persuaded by the comments received on the NOPR that they should hold off on doing this for now, and instead ordered NERC to conduct the study once audits begin on CIP-003-7 (and since they won’t begin until after 1/1/20, the report probably won’t be out until 2021). Lew points out three expectations FERC has for how entities will comply with the new requirement:
- Responsible Entities are expected to be able to provide a technically sound explanation as to how the electronic access controls meet the security objective.
- NERC and the Regional Entities will have the ability to assess the effectiveness of the electronic access control plan required by CIP-003-7 R2.
- NERC and the Regional Entities will have the ability to assess an entity's adherence to its electronic access control plan.
You can bet the auditors will be looking for these three things as well. So make sure you know how you are going to address them as you’re implementing (or reviewing) your electronic access control program for your Low impact assets. I do want to point out that “effectiveness” is something Lew has emphasized is very important all along: When the requirement just tells you the objective to achieve, not how you are to achieve it, the auditors are going to want to make sure whatever control you do implement is effective. So you can’t say you decided that repeating an ancient chant once a day was the best way to control electronic access to your Low impact assets. Sorry to disappoint you on that.
Lew also pointed out that you can expect that, when you do get audited on this requirement starting in 2020, the auditors will ask more questions than they would normally need to in order strictly to determine compliance with the requirement. Don’t get upset about this, since they’re doing it mostly because FERC wants this information. But definitely be prepared to answer those questions.
Lew’s third topic is the impact of Criterion 2.4 of Attachment 1 of CIP-002-5.1 on Low impact BCS. He did this in response to a question whether the presence of a single 500kV line at a transmission substation brings “the entire substation” to the Medium impact level. Lew starts his answer by pointing out that criterion 2.4 (and indeed, all of criteria 2.4 through 2.8) applies to “Facilities” with a capital F, meaning it’s a NERC Glossary term.
Lew points out that each line, transformer, bus, etc. in the substation is a Facility. So in the case of a substation with one 500kV line, that line is the only Medium impact Facility at the substation, meaning only the BES Cyber Systems that control that line (primarily relays, of course) will be Medium impact.
Note: An auditor wrote in to me after this appeared and made the following comments on the above paragraph. Of course, I stand corrected and appreciate his pointing this out to me: You stated “Lew points out that each line, transformer, bus, etc. in the substation is a Facility. So in the case of a substation with one 500kV line, that line is the only Medium impact Facility at the substation, meaning only the BES Cyber Systems that control that line (primarily relays, of course) will be Medium impact.” You are not technically correct in your statement. The Medium Impact Facilities include the breakers, switches, transformers, etc., that are operated at 500 kV (essentially connected in some fashion to the 500 kV line). The relays do not “control” the line, they control the equipment connected to the line. If you are monitoring the line (or more likely the bus), that brings in the relays connected to the CTs and PTs (Current and Potential Transformers).
The rest of the BCS will be Low impact, unless the substation also meets Criterion 2.5. Lew points out that “In order to meet IRC 2.5, a substation must connect at 200kV or higher to three other substations… If this aggregate weighted value exceeds 3000, then the BES Cyber Systems associated with Facilities at that substation receive a medium impact rating (my emphasis).”
I do want to point out a slight infelicity (I won’t call it an error. Heaven forbid!) in the italicized phrase in the last sentence above. This seems to say that, if the substation does meet criterion 2.5 as well as 2.4, then all BCS in the substation will be Medium impact. In fact, criterion 2.5 says that only Facilities operated at 200-499kV will be Medium impact. This means that, if there’s a 138kV line also at the substation, it will be Low impact and the relays associated with it will also be Lows.
During the period in 2014 and 2015 when NERC entities were trying to figure out how to identify and classify BES Cyber Systems, I pointed out a few times – including this post – that, for criteria 2.4 - 2.8, entities don’t have to classify all BCS at the asset in question at the Medium level. But I also talked to some entities about whether any of them were taking advantage of this. The universal answer was no (and I talked to a few very large entities, who would presumably have a lot of BCS that might be reclassified Low rather than Medium impact). The reasons included:
- It would be too confusing to require the substation technicians to treat some BCS differently than others at a single substation;
- Many, if not most, substations don’t have their networks segregated according to the voltage level of the lines or transformers controlled by the different systems on the network. It would be a lot more expensive and time-consuming to try to separate the networks than to leave them connected. Of course, what this means is that, even though some BCS at the substation might be Low impact, since they’re on the same network as Medium BCS they’ll end up being Medium Protected Cyber Assets anyway – and they’ll be subject to almost all the same requirements as Medium BCS; and
- Go away, you’re asking too many questions.
My guess is reason number 2 is probably the most important of these three reasons. But I would be interested in hearing from anybody who did actually take advantage of the “Facilities” language to treat some of their BCS at a “Medium impact substation” as Lows.
Lew’s fourth topic is also quite interesting. Someone asked “Is a list of low impact BES Cyber Systems required?” Of course, a lot of people in the NERC CIP community ask that question. Even though the CIP standards say in two places that such a list isn’t required, some of the regions have made noises otherwise, and all of the regions have made it clear they wouldn’t mind seeing such a list.
Lew’s answer is quite straightforward: No, it isn’t required, as long as you’re willing to have your physical and electronic access controls at the Low asset apply to every Cyber Asset located in the asset. But if you have, say, a firewall that only protects some of the Cyber Assets but not others (and those other assets are connected routably to the outside world), you will need to be able to show that all BCS have been protected by the firewall.
The last question that Lew addresses is “Does the approval of CIP-003-7 alter the required date for the first test of my Cyber Security Incident response plan for low impact BES Cyber Systems?” And here Lew made his mistake. His reply included “Section 4.5 requires a test of the plan every 36 months. Section 4’s effective date was April 1, 2017. Therefore the first test of your incident response plan for low impact BES Cyber Systems must be completed by April 1, 2020.”
However, an auditor from another region read Lew’s column and noted that the initial performance date for the Low impact CSIRP in CIP-003-6 was April 1, 2017; indeed, I had pointed this out in a post two weeks before that date. So Lew changed his response to say “No, the first test of your incident response plan was due on April 1, 2017. This is not changed by CIP-003-7.” If you want to verify this for yourself, go to the NERC spreadsheet that I linked in this recent post (which pointed out that the initial performance date for the initial test of a High impact CSIRP is 7/1/18. In other words, the Lows had to have their CSIRP tested 15 months before the Highs did! How’s that for fair treatment?).
The same auditor pointed out to me that my statement ".. the initial performance date for the initial test of a High impact CSIRP is 7/1/18." is wrong, since the High CSIRP date was 7/1/2017. I was thinking about the initial performance date for the high impact recovery plan test, which I'd written about in the recent post linked above and has an initial performance date of 7/1/18. Again, I stand corrected and thank the auditor for pointing this out.
So it turns out that both Lew and I screwed up here. I just hope the auditor doesn't give me a PNC for these mistakes! I can't afford to pay a $1 million fine.
So Lew screwed up. I suggest he be given a stay of execution for this offense, on the grounds that he has no previous record, he’s a nice guy, he’s a good family man, etc. But don’t let it happen again, Lew! :-)
Note from Tom 6/26: Lew asked me to point out that anyone who downloaded his article a week ago or more should re-download it, since he has corrected the problem noted.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss any of this, you can email me at the same address.