Last week I
participated in a phone meeting of a subcommittee of the NERC CIPC, where we
were marking up a document that will be submitted soon to NERC (not a draft
standard, of course). At one point in the document, I noticed that one of the
participants had deleted the word “assets” and replaced that with “Facilities” –
which was capitalized, even though it wasn’t at the beginning of a sentence.
I asked why
she had done this, and she pointed out that “asset” isn’t a NERC-defined term,
even though it plays a very important role in the CIP standards, while “Facilities”
is NERC-defined. She had substituted Facilities because she preferred to have
something with a precise definition. Nothing wrong with that, of course. I’m all
for precision, which is unfortunately lacking in many places in the CIP
standards.
However, I
pointed out to her that if she uses Facilities, she would radically change the
meaning of what was written. This is because asset, while officially undefined,
is in fact “defined” (as far as CIP is concerned) in CIP-002 R1.1, where there
is a list of six “assets” that are in scope for CIP: transmission substations,
Control Centers, etc. However, the NERC definition of Facility reads “A set of
electrical equipment that operates as a single Bulk Electric System Element
(e.g., a line, a generator, a shunt compensator, transformer, etc.).” So things
like lines, generators, etc. are Facilities. This is very far from transmission
substations, generating stations and Control Centers.
She readily
agreed with me, and reversed her change. But I want to point out that a lot of
the applicability of the CIP standards, from version 5 on, is based on a misuse
of the word Facilities. This is because all of those standards – from v5
through CIP-003-7, which comes into effect 1/1/20 - contain Section 4, titled Applicability,
near the beginning. This has two sub-sections: 4.1 Functional Entities and 4.2
Facilities. Clearly, 4.1 tells you what NERC entities have to comply with CIP,
and 4.2 tells you which of their facilities – in the generic sense of “structures”
or “locations of equipment” – are in scope. Clearly, substations, generating
stations and Control Centers are all little-f facilities. Up to this point, one
can assume that the word “Facilities” in 4.2 is capitalized only because it’s
the first (and last) word of that title.
However, in
Section 4.2.1, discussing Distribution Providers, Facilities is capitalized,
meaning that it refers to things that meet the NERC definition. However, what’s
listed below it aren’t substations or Control Centers, but UVLS, UFLS, SPS,
RAS, cranking paths, etc. – all items that probably do meet the NERC definition. No problem so far.
But now we
get to Section 4.2.2, which is titled “Responsible Entities listed in 4.1 other
than Distribution Providers”. These are of course close to 99% of the entities that
have to comply with CIP in general (since only DP’s that own Facilities listed
under 4.2.1 have to comply, and I believe that number is pretty small), and
literally 100% of entities with High or Medium impact assets. And what are the
facilities that need to be in compliance? “All BES Facilities”. No mistaking
what this says: For every non-DP NERC entity that has to comply with CIP, their
scope is what meets the Facilities definition: lines, generators, shunt
compensators, etc. Nothing about…you know, stuff like Control Centers,
substations and generating stations. So how do you reconcile 4.2.2 with the
fact that CIP-002 R1.1 says that these latter three assets are what’s in scope –
and in fact I’m sure that over 99% of the assets that are now under CIP
compliance fall into one of these types?
For
substations and generating stations, you can kind of bridge the gap by pointing
out that these two asset types both contain lots of items – transformers,
lines, buses, etc. – that actually meet the definition of Facility (or of Element,
which is closely related). So it’s not too much of a stretch to say that 4.2.2
makes sense as far as those two asset types are concerned. In fact, Criteria
2.3 through 2.8 of Attachment 1 of CIP-002 all apply to Facilities, although
they’re almost universally interpreted – by entities and auditors – as applying
to generating stations (2.3) or substations (2.4-2.8).
But how
about Control Centers? They clearly don’t meet the definition of Facility. Does
a Control Center contain any Facilities – lines, generators, buses, etc? Of course
not. Facilities are all high-voltage devices. Servers and workstations are all
low-voltage, although they are obviously used to operate or monitor true
Facilities at other locations. Thus, it seems that 4.2.2 makes it clear that
Control Centers are out of scope for the CIP standards!
So I’m sure
the many NERC entities that own Control Centers will be pleased to learn that
they really don’t have to bother with CIP compliance anymore. If those pesky auditors come around wanting to
look at a bunch of compliance evidence, just tell them you haven’t collected
any since you read this post, and stick Section 4.2.2 in front of their noses.
Tell them that if “Facilities” weren’t capitalized in 4.2.2, you would be more
than happy to entertain them and their nosy questions, but since it is capitalized, it’s clear that you were
never meant to comply with CIP…and by the way don’t let the door hit you on the
way out.
Of course, I’m
not suggesting that you try this at home, kids. Because it’s quite clear from
other wording in the CIP standards that Control Centers are very much in scope.
Clearly, Facilities is capitalized in Section 4.2 because the drafting team for
CIP v5 (these “preamble” sections in each CIP standard first made their
appearance in v5) thought they were being nice and precise by using a defined
term rather than “assets” in Section 4.2, when in fact they had just undercut
the strict legal foundation of all of the CIP standards. Of course, CIP hasn’t
fallen into disuse because of this, but it’s also true that in the 7 or 8 years
since that language was first drafted, it has never been corrected (despite a
few mentions in my blog early on, including in the section “Questions of Scope”
from this
post of May 2014).
Why am I
bringing this up, since clearly no Control Center is going to stop complying
with CIP? I’m trying to make the point – now and in other posts – that the supposed
legal foundations of the NERC CIP standards are in fact only held in place
because of a lot of “Don’t ask, don’t tell” understandings between NERC
entities and auditors. And there are many, many other examples of this
situation, including examples discussed in this
post and this
one, as well as just about every post I wrote in 2014 and 2015 (after which
I gave up this quixotic quest in exhaustion and went on to write about other
things).
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that
if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or
challenges like what is discussed in this post – especially on compliance with
CIP-013; we also work with security product or service vendors that need help
articulating their message to the power industry. To discuss this, you can
email me at the same address.
No comments:
Post a Comment