Friday, December 21, 2018

Be careful how you use the Facilities



Last week I participated in a phone meeting of a subcommittee of the NERC CIPC, where we were marking up a document that will be submitted soon to NERC (not a draft standard, of course). At one point in the document, I noticed that one of the participants had deleted the word “assets” and replaced that with “Facilities” – which was capitalized, even though it wasn’t at the beginning of a sentence.

I asked why she had done this, and she pointed out that “asset” isn’t a NERC-defined term, even though it plays a very important role in the CIP standards, while “Facilities” is NERC-defined. She had substituted Facilities because she preferred to have something with a precise definition. Nothing wrong with that, of course. I’m all for precision, which is unfortunately lacking in many places in the CIP standards.

However, I pointed out to her that if she uses Facilities, she would radically change the meaning of what was written. This is because asset, while officially undefined, is in fact “defined” (as far as CIP is concerned) in CIP-002 R1.1, where there is a list of six “assets” that are in scope for CIP: transmission substations, Control Centers, etc. However, the NERC definition of Facility reads “A set of electrical equipment that operates as a single Bulk Electric System Element (e.g., a line, a generator, a shunt compensator, transformer, etc.).” So things like lines, generators, etc. are Facilities. This is very far from transmission substations, generating stations and Control Centers.

She readily agreed with me, and reversed her change. But I want to point out that a lot of the applicability of the CIP standards, from version 5 on, is based on a misuse of the word Facilities. This is because all of those standards – from v5 through CIP-003-7, which comes into effect 1/1/20 - contain Section 4, titled Applicability, near the beginning. This has two sub-sections: 4.1 Functional Entities and 4.2 Facilities. Clearly, 4.1 tells you what NERC entities have to comply with CIP, and 4.2 tells you which of their facilities – in the generic sense of “structures” or “locations of equipment” – are in scope. Clearly, substations, generating stations and Control Centers are all little-f facilities. Up to this point, one can assume that the word “Facilities” in 4.2 is capitalized only because it’s the first (and last) word of that title.  

However, in Section 4.2.1, discussing Distribution Providers, Facilities is capitalized, meaning that it refers to things that meet the NERC definition. However, what’s listed below it aren’t substations or Control Centers, but UVLS, UFLS, SPS, RAS, cranking paths, etc. – all items that probably do meet the NERC definition. No problem so far.

But now we get to Section 4.2.2, which is titled “Responsible Entities listed in 4.1 other than Distribution Providers”. These are of course close to 99% of the entities that have to comply with CIP in general (since only DP’s that own Facilities listed under 4.2.1 have to comply, and I believe that number is pretty small), and literally 100% of entities with High or Medium impact assets. And what are the facilities that need to be in compliance? “All BES Facilities”. No mistaking what this says: For every non-DP NERC entity that has to comply with CIP, their scope is what meets the Facilities definition: lines, generators, shunt compensators, etc. Nothing about…you know, stuff like Control Centers, substations and generating stations. So how do you reconcile 4.2.2 with the fact that CIP-002 R1.1 says that these latter three assets are what’s in scope – and in fact I’m sure that over 99% of the assets that are now under CIP compliance fall into one of these types?

For substations and generating stations, you can kind of bridge the gap by pointing out that these two asset types both contain lots of items – transformers, lines, buses, etc. – that actually meet the definition of Facility (or of Element, which is closely related). So it’s not too much of a stretch to say that 4.2.2 makes sense as far as those two asset types are concerned. In fact, Criteria 2.3 through 2.8 of Attachment 1 of CIP-002 all apply to Facilities, although they’re almost universally interpreted – by entities and auditors – as applying to generating stations (2.3) or substations (2.4-2.8).

But how about Control Centers? They clearly don’t meet the definition of Facility. Does a Control Center contain any Facilities – lines, generators, buses, etc? Of course not. Facilities are all high-voltage devices. Servers and workstations are all low-voltage, although they are obviously used to operate or monitor true Facilities at other locations. Thus, it seems that 4.2.2 makes it clear that Control Centers are out of scope for the CIP standards!

So I’m sure the many NERC entities that own Control Centers will be pleased to learn that they really don’t have to bother with CIP compliance anymore.  If those pesky auditors come around wanting to look at a bunch of compliance evidence, just tell them you haven’t collected any since you read this post, and stick Section 4.2.2 in front of their noses. Tell them that if “Facilities” weren’t capitalized in 4.2.2, you would be more than happy to entertain them and their nosy questions, but since it is capitalized, it’s clear that you were never meant to comply with CIP…and by the way don’t let the door hit you on the way out.

Of course, I’m not suggesting that you try this at home, kids. Because it’s quite clear from other wording in the CIP standards that Control Centers are very much in scope. Clearly, Facilities is capitalized in Section 4.2 because the drafting team for CIP v5 (these “preamble” sections in each CIP standard first made their appearance in v5) thought they were being nice and precise by using a defined term rather than “assets” in Section 4.2, when in fact they had just undercut the strict legal foundation of all of the CIP standards. Of course, CIP hasn’t fallen into disuse because of this, but it’s also true that in the 7 or 8 years since that language was first drafted, it has never been corrected (despite a few mentions in my blog early on, including in the section “Questions of Scope” from this post of May 2014).

Why am I bringing this up, since clearly no Control Center is going to stop complying with CIP? I’m trying to make the point – now and in other posts – that the supposed legal foundations of the NERC CIP standards are in fact only held in place because of a lot of “Don’t ask, don’t tell” understandings between NERC entities and auditors. And there are many, many other examples of this situation, including examples discussed in this post and this one, as well as just about every post I wrote in 2014 and 2015 (after which I gave up this quixotic quest in exhaustion and went on to write about other things). 


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013; we also work with security product or service vendors that need help articulating their message to the power industry. To discuss this, you can email me at the same address.

No comments:

Post a Comment