Saturday, June 15, 2013

My (Final) Fantasy CIP-002-5

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

 
June 22: I haven't posted my comments to FERC yet, but will by Monday.  I'm glad I haven't, because I received a very important email this week from Armin Boschmann of Manitoba Hydro.  He pointed out that I had missed two things in CIP-002-5-taf.  One is an error I made, that is described and rectified in the discussion of Requirement R3 below.  The other is (another) serious error the Standards Drafting Team made (and everyone who has reviewed CIP-002-5 missed it, including me).  This is described and rectified in the discussion of Section 4.2 below.  I wish to thank Armin for both of these important corrections!


You can see the exact text I will submit on Monday here.
Introduction
I recently wrote my longest post so far, describing how I would rewrite Version 5 of CIP-002 to change what I see as fatal imprecision in the language of that standard.  However, I decided to leave part of the required changes for another post, since I wanted to think about them a little more before writing it.  Here is that post.  It presents my final version of what I am calling Tom Alrich Fantasy CIP-002-5, or CIP-002-5-taf.
In the previous post, I reasoned there are two main areas that need substantial wording changes in CIP-002-5:  identification of “big iron” and of “little iron”. [i] Big iron refers to the facilities that are in scope for Version 5: generating stations, control centers, etc.  Little iron refers to the cyber assets that are in scope.  The goal of CIP-002-5 (and note that CIP-002-5 without the “-taf” refers to the “real” version submitted to FERC by NERC in January) is for the entity to identify their cyber assets in scope for V5 (called BES Cyber Systems).  However, in order to do this, the entity first has to identify and classify their facilities (or assets) in scope, so that the BES Cyber Systems can inherit the facility classifications.
The first post provided a CIP-002-5-taf that I think is much more coherent than CIP-002-5, as far as identification of little iron is concerned.  However, I punted on the changes that are needed for big iron identification, and just inserted the term “asset/Facility” as a placeholder wherever CIP-002-5 uses either “asset” or “Facility”.  I will now (note - without using a net!) remove that placeholder by fixing the big iron wording problem in CIP-002-5, resulting in my final version of CIP-002-5-taf.
However, this new post will be shorter than the previous one, since I have already discussed the big iron problems in CIP-002-5 and provided an idea of what the cure could be.  I did this in an earlier post titled “My Comments to FERC on CIP Version 5, Part I”.[ii]  If you haven’t read that post, I recommend you do it now, since I don’t intend to repeat the arguments here, although I will summarize them.
As discussed in the previous post, the “big iron” problem in CIP-002-5 is found in the use of the two terms “asset” and “Facility”.  To summarize the argument of that post:
  1. Section 4.2 of CIP-002-5 (which comes before the actual requirements) states that NERC functional entities listed in Section 4.1 must include all of their “BES Facilities” (Facilities is a defined term in the NERC Glossary) in scope for Version 5[iii].
  2. However, when you come to Requirement R1, you find it talks only about “assets” (which isn’t defined in the Glossary or the Version 5 Definitions document); you’re left to guess that the assets may in some way correspond to the BES Facilities (R1 does list six types of assets that must be included, including control centers, generating stations, etc.  This constitutes an operational definition but not a formal one).  R1 essentially tells you to take your list of assets and run it through the “bright-line” criteria in Attachment 1, to classify the assets as High, Medium or Low impact (meaning impact on the BES).
  3. As you start this process, you find that when you come to criterion 2.3, the term Facility reappears.  And it supplants “asset” in 2.3 through 2.8, although asset makes a triumphant comeback in the third section of Attachment 1, which discusses Low impact assets.
  4. I believe the reason Facility is used in criteria 2.4 – 2.8 is that those criteria have to do with substations.  Substations often include both Transmission and Distribution elements.  Since only the Transmission elements are subject to CIP, it will be very helpful for entities to be able to “slice and dice” the substation into separate Transmission and Distribution Facilities, one of which is a BES Facility and the other not; that way, the entity’s compliance “footprint” is much smaller.  The problem is that CIP-002-5 itself doesn’t make this clear, although the idea is discussed in the Guidance.[iv]
Section 4.2
We clearly need to start with Section 4.2.  It currently reads:
4.2. Facilities: For the purpose of the requirements contained herein, the following Facilities, systems, and equipment owned by each Responsible Entity in 4.1 above are those to which these requirements are applicable. For requirements in this standard where a specific type of Facilities, system, or equipment or subset of Facilities, systems, and equipment are applicable, these are specified explicitly.
(the remainder of this section mainly indicates that all BES Facilities are in scope for all entity registrations listed in Section 4.1, except DP’s)
At the very end of the “My Comments..” post, I list what I think needs to be done: "There needs to be a definition of asset, as well as some sort of statement that an asset can have multiple Facilities associated with it."
(the following section was inserted on June 22) Now I want to bring up what Armin Boschmann said about the use of Facilities in Section 4.2.  Armin points out that the NERC definition of Facility includes the defined term Element.  That definition reads:
Any electrical device with terminals that may be connected to other electrical devices such as a generator, transformer, circuit breaker, bus section, or transmission line. An element may be comprised of one or more components.
 And to refresh your (and my) memory, here is the definition of Facility:  
A set of electrical equipment that operates as a single Bulk Electric System Element (e.g., a line, a generator, a shunt compensator, transformer, etc.)
Armin raises an interesting question about this.  Given that Section 4.2 claims to designate the entire set of a NERC entity's stuff (to avoid the term asset or facility) that is subject to CIP Version 5, and given that control centers are definitely intended to be in scope, how in the world can a control center fit in with these two definitions?  To quote Armin, "I don’t think a Control Center can be thought of as a Facility. The Glossary definition for “Bulk Electric System” essentially says electrical equipment at 100 kV and above. The Glossary definition for Element says an electrical device with terminals to be connected to a generator/transformer/breaker/bus/line. So, a BES Element would be an Element at 100 kV. So a Facility is defined as a set of 100 kV Elements. No Control Center would have 100 kV equipment in it."

In other words, in Section 4.2 as written by the SDT, no control center would ever be subject to CIP Version 5!  Kind of a small oversight, no?  Of course, when you get to R1, it specifically calls out control centers as being in scope, and it was clearly the SDT's intent that control centers be included in Section 4.2.  But an entity could certainly make the argument that, since Section 4.2 logically precedes R1, R1 is really just operating on the list that came out of 4.2.  So if there's no control center on that list, it can't suddenly be added back in R1.


Now I strongly doubt any auditor would accept the argument that control centers are outside the scope of CIP Version 5.  But were an entity to take NERC to court on this point, I think NERC would have a hard time making its case.  So this is just another example of how the poor wording in CIP-002-5 will likely lead to all sorts of headaches - for NERC entities and auditors - down the line, if it isn't fixed before then.

To address this issue, we need to define Asset as a more general term than Facility, one that will include Control Centers (Control Center is, of course, defined in the V5 Definitions document).  However, I don't think Facility should be rejected just because it doesn't include Control Centers.  We need the Facility concept to handle the problem with substations.  Therefore, I propose the following definition of Asset.  This should presumably be included in the V5 Definitions document, but I guess it could alternatively appear in Section 4.2 itself:



An Asset is a Control Center or a group of one or more Facilities at a single location.

You're not happy with this?  I'm not either.  But I can't think of a nice elegant word that will encompass both the concept of a Control Center and a Facility / Facilities.  And I submit that it was a concern more for the elegance of the language than for its auditability that has led to the current mess in CIP-002-5.[v]

So the only change required in Section 4.2 is the addition of the definition of Asset, and that might be more appropriate in the Definitions document anyway.[vi]
The Requirements
Now we go down to the requirements.  Here are the four requirements in my previous CIP-002-5-taf that replace R1 in CIP-002-5:
Fantasy R1. Each Responsible Entity shall:
R1.1 Implement a process that considers each of the following assets/Facilities for purposes of Requirement R2:
(here, the same list of six asset types will appear as is found in the ‘real’ CIP-002-5 R1)
R1.2 Develop a list of its assets/Facilities including each asset/Facility type listed in R1.1.
Fantasy R2. Each Responsible Entity shall identify its High, Medium and Low impact BES Facilities/assets in parts 2.1 through 2.3:
2.1  Using the criteria in Attachment 1, Section 1, identify its High impact Facilities;
2.2  Using the criteria in Attachment 1, Section 2, identify its Medium impact Facilities;
2.3  After removing High and Medium impact Facilities from the list of assets developed in R1.2, identify the remaining Facilities as Low impact.

Fantasy R3. The Responsible Entity shall identify BES Cyber Assets associated with each High, Medium and Low impact Asset/Facility.  All BES Cyber Assets associated with an Asset/Facility shall take the impact level of that Asset/Facility.

Fantasy R4. The Responsible Entity shall identify BES Cyber Systems from groupings of one or more BES Cyber Assets. 

The words we need to look at and possibly replace are the “assets/Facilities” placeholders (and their singular forms) in the text above.  I think “Assets or Facilities” is the best replacement in each case.  This is simply because some of the criteria in Attachment 1 apply to Assets, others to Facilities.   So we get:
Fantasy R1. Each Responsible Entity shall:
R1.1 Implement a process that considers each of the following Assets or Facilities [vii] for purposes of Requirement R2:
(here, the same list of six asset types will appear as is found in the ‘real’ CIP-002-5 R1)
R1.2 Develop a list of its Assets or Facilities including each type listed in R1.1.
Fantasy R2. Each Responsible Entity shall identify its High, Medium and Low impact BES Assets or Facilities in parts 2.1 through 2.3:
2.1  Using the criteria in Attachment 1, Section 1, identify its High impact Assets or Facilities;
2.2  Using the criteria in Attachment 1, Section 2, identify its Medium impact Assets or Facilities;
2.3  After removing High and Medium impact Assets or Facilities from the list of Assets or Facilities developed in R1.2, identify the remaining Assets or Facilities as Low impact.

Fantasy R3. The Responsible Entity shall identify BES Cyber Assets associated with each High, Medium and Low impact Asset or Facility.  All BES Cyber Assets associated with an Asset or Facility shall be classified with the impact level of that Asset or Facility.

Fantasy R4. The Responsible Entity shall identify BES Cyber Systems from groupings of one or more BES Cyber Assets. 

(This paragraph inserted June 22)  We have now replaced R1 of CIP-002-5 with R1 - R4 of CIP-002-5-taf.  However, R3 will need to be modified because of the second problem that Armin Boschmann pointed out to me in his email (the one that was my fault).  I can't discuss that until after the discussion of Attachment 1, though.
There is one other requirement, R2, in CIP-002-5.  This needs to be renumbered to R5 in CIP-002-5-taf (with its parts renumbered 5.1 and 5.2), along with the italicized wording changes:
Fantasy R5. The Responsible Entity shall:
5.1 Review the identifications in Requirements R1-R4 and all their parts (and update them if there are changes identified) at least once every 15 calendar months, even if it has no identified items in Requirement R1, and
5.2 Have its CIP Senior Manager or delegate approve the identifications required by Requirements R1-R4 and all their parts at least once every 15 calendar months, even if it has no identified items in Requirement R1.

Attachment 1

Now we have to address Attachment 1.  Let’s restate the problem with Attachment 1, as discussed in the “My Comments…” post:
  1. In R1, the entity is told to bring a list of “assets” into the Attachment 1 criteria for classification.
  2. Most of the criteria refer simply to types of assets – “Control Center”, “Commissioned generation”, “BES reactive resource”, etc.  In the third section (regarding Low impact assets), the word “asset” is explicitly used.  So there is no problem regarding any of these criteria – they all cover Assets (as I have defined the term in my discussion of Section 4.2 above.  Note that, being defined, the term will need to be capitalized in CIP-002-5-taf).
  3. However, in six of the criteria the word “Facility” is used, including all five that refer to substations (2.4 – 2.8).  This creates a problem, since CIP-002-5 R1 requires the entity to classify “assets” in Attachment 1.  If an entity were given a PV for not counting any substations as Medium impact under Version 5, they could (if they’re enterprising) challenge this by saying they’re supposed to be classifying something called “assets” in Attachment 1, not “Facilities”.  Given the amount of money that will have to be spent on V5 compliance for substations, it isn’t a big stretch to think that one or more entities will try this, possibly leading to all substations across NERC being classified as Low impact.[viii]  If that happens, I hope the other NERC TO’s and TP’s throw those entities a party.
I clearly need to change the language that introduces the first two sections of Attachment 1 to explicitly state the criteria apply to Assets or Facilities.  Here is the language from my previous CIP-002-5-taf Attachment 1:
Fantasy 1. High Impact Rating (H)
Facilities that meet one or more of the following criteria are High impact:
(followed by criteria 1.1 – 1.4)

Fantasy 2. Medium Impact Rating (M)
Facilities that meet one or more of the following criteria, and are not included in Section 1 above, are Medium impact:
(followed by criteria 2.1 – 2.13)

Fantasy 3. Low Impact Rating (L)
BES Assets/Facilities meeting the applicability qualification in Standard Section 4, which are not included in Sections 1 or 2 above:
(followed by the same list of types of facilities as in CIP-002-5 Attachment 1 part 3.  I wish to thank Bob Case of Black Hills Corp. for suggesting improved wording for this part)

Here is my proposed new wording for CIP-002-5-taf Attachment 1:
Fantasy 1. High Impact Rating (H)
Assets or Facilities that meet one or more of the following criteria are High impact:
(followed by criteria 1.1 – 1.4)

Fantasy 2. Medium Impact Rating (M)
Assets or Facilities that meet one or more of the following criteria, and are not included in Section 1 above, are Medium impact:
(followed by criteria 2.1 – 2.13)

Fantasy 3. Low Impact Rating (L)
Assets or Facilities meeting the applicability qualification in Standard Section 4, which are not included in Sections 1 or 2 above, are Low impact:
(followed by the same list of types of assets as in CIP-002-5 Attachment 1 part 3.)
(Added June 22) Now it’s time to address Armin Boschmann’s other point, regarding an error I made.  Armin says: “CIP-002-5 Attachment 1 has a difference in its opening sentences for Sections 1 and 2. Section 1 says ‘used by and located at’, while Section 2 says ‘associated with’. I may not be remembering everything correctly about Drafts 1 and 2, but the impression I was left with was that the phrase ‘used by and located at’ was there to clarify that the BES Cyber Systems of High Impact Control Centers were to include only cyber assets at the Control Centers, and to explicitly exclude cyber assets in the field such as RTUs. The concern was that an RTU could be said to be ‘associated with’ a Control Center – after all, an old-fashioned hard-wired RTU typically is used only for remote control, and therefore to serve the Control Center, and it is not involved in any way with local controls at a station. So the RTU could be said to be more associated with a Control Center than with the station itself. In CIP-002-5-taf, the opening sentences of Attachment 1 have essentially been moved to R3, and the wording has been boiled down to just ‘associated with’, so I think that ambiguity gets re-introduced.”
This was an excellent observation, and it also points to the remedy.  We need to amend CIP-002-5-taf R3 to include the italicized sentence:
Fantasy R3. The Responsible Entity shall identify BES Cyber Assets associated with each High, Medium and Low impact Asset or Facility.  Only BES Cyber Assets located at a High impact BES Asset shall be considered to be associated with the High impact BES Asset.  All BES Cyber Assets associated with an Asset or Facility shall be classified with the impact level of that Asset or Facility.
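To make the identification sequence concrete, here is an added illustration that is not part of this post or of any NERC document: a small Python model of Fantasy R1 through R4 as worded above, including the amended R3 rule that a BES Cyber Asset counts as associated with a High impact Asset only if it is located there.  Everything in the inventory (the control center, "Substation A" and its 230 kV and 12 kV Facilities, the peaker plant, the RTU and the other devices) is constructed for the example, and the Attachment 1 bright-line criteria are represented only as yes/no flags on each Asset or Facility rather than re-implemented.  The handling of a device associated with more than one Asset or Facility (take the highest surviving rating) and the grouping rule for R4 are my assumptions, not anything the text states.

```python
"""Added illustration, not code from the post or from NERC: a toy model of the
CIP-002-5-taf identification sequence (Fantasy R1 through R4) including the
June 22 "located at" qualifier for High impact Assets.  Every name, device and
criterion flag below is constructed for the example; the Attachment 1
bright-line criteria are represented only as yes/no flags."""
from dataclasses import dataclass, field

HIGH, MEDIUM, LOW = "High", "Medium", "Low"
RANK = {HIGH: 3, MEDIUM: 2, LOW: 1}


@dataclass
class Facility:
    """A NERC Facility (equipment operating as one BES Element).  bes=False
    models a Distribution Facility sliced out of a substation: it is outside
    Section 4.2 and never receives a rating."""
    name: str
    bes: bool = True
    section1: bool = False  # assumed flag: meets an Attachment 1 Section 1 criterion
    section2: bool = False  # assumed flag: meets an Attachment 1 Section 2 criterion


@dataclass
class Asset:
    """The post's proposed definition: a Control Center, or a group of one or
    more Facilities at a single location."""
    name: str
    control_center: bool = False
    facilities: list = field(default_factory=list)
    section1: bool = False
    section2: bool = False


@dataclass
class BESCyberAsset:
    name: str
    located_at: str        # Asset at which the device physically sits
    associated_with: list  # Asset or Facility names the device serves


def rate(item):
    """Attachment 1 preamble as reworded in the post: Section 1 -> High,
    otherwise Section 2 -> Medium, otherwise Low."""
    if item.section1:
        return HIGH
    return MEDIUM if item.section2 else LOW


def classify_assets_and_facilities(assets):
    """Fantasy R1.2 + R2: rate each Asset and each BES Facility inside it.
    A substation whose Facilities are rated separately carries no flags of
    its own, so its Distribution half drags nothing into scope."""
    ratings = {}
    for asset in assets:
        ratings[asset.name] = rate(asset)
        for fac in asset.facilities:
            if fac.bes:
                ratings[fac.name] = rate(fac)
    return ratings


def classify_cyber_assets(assets, cyber_assets, located_at_rule=True):
    """Fantasy R3.  A BES Cyber Asset inherits the rating of what it is
    associated with.  With located_at_rule=True (the June 22 amendment) a
    device counts as associated with a High impact Asset only if located
    there, so a field RTU does not become High merely because it serves a
    High impact Control Center.  Several associations: highest surviving
    rating wins (an assumption).  No rated association: None (out of scope)."""
    ratings = classify_assets_and_facilities(assets)
    result = {}
    for dev in cyber_assets:
        levels = []
        for target in dev.associated_with:
            if target not in ratings:
                continue  # non-BES Facility: nothing to inherit
            if located_at_rule and ratings[target] == HIGH and dev.located_at != target:
                continue  # not "associated" under the amended R3
            levels.append(ratings[target])
        result[dev.name] = max(levels, key=RANK.get) if levels else None
    return result


def group_into_systems(cyber_assets, device_ratings):
    """Fantasy R4 with one simple grouping rule (assumed): in-scope devices
    at the same location with the same rating form one BES Cyber System."""
    systems = {}
    for dev in cyber_assets:
        level = device_ratings[dev.name]
        if level is not None:
            systems.setdefault((dev.located_at, level), []).append(dev.name)
    return systems


# Constructed inventory for the example.
INVENTORY = [
    Asset("Primary Control Center", control_center=True, section1=True),
    Asset("Substation A", facilities=[  # rated through its Facilities, not as a whole
        Facility("Substation A 230 kV yard", section2=True),
        Facility("Substation A 12 kV distribution", bes=False),
    ]),
    Asset("Peaker Plant"),  # meets no Section 1 or Section 2 criterion
]
DEVICES = [
    BESCyberAsset("EMS server", "Primary Control Center", ["Primary Control Center"]),
    BESCyberAsset("Substation A RTU", "Substation A",
                  ["Primary Control Center", "Substation A 230 kV yard"]),
    BESCyberAsset("Feeder relay", "Substation A", ["Substation A 12 kV distribution"]),
    BESCyberAsset("Peaker DCS", "Peaker Plant", ["Peaker Plant"]),
]

if __name__ == "__main__":
    rated = classify_cyber_assets(INVENTORY, DEVICES)
    for name, level in rated.items():
        print(f"{name:18s} -> {level}")
    print(group_into_systems(DEVICES, rated))
```

Running it with the amended R3 rule gives the RTU a Medium rating inherited from the 230 kV Facility, the feeder relay on the Distribution side no rating at all, and the EMS server High; calling classify_cyber_assets with located_at_rule=False reproduces the ambiguity Armin describes, because the RTU then inherits High from the Control Center it serves.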

Summary

Believe it or not, we’re done!  To get my CIP-002-5-taf, you do the following to CIP-002-5:
  1. Add my definition of Asset into either Section 4.2 or the Definitions document.
  2. Replace R1 with my Fantasy R1-R4 above;
  3. Replace R2 with my Fantasy R5; and
  4. Replace the wording at the beginning of the three parts of Attachment 1 with the wording shown above.
As I said in the previous post, I don’t expect FERC or NERC to simply impose my version, or even parts of it.  However, I do hope they will consider these suggestions as they try to make CIP-002-5 much more understandable and enforceable than it is today.
I welcome any comments on this.  You can leave them below (if you have a Gmail account or want to open one), or email them to me at tom.alrich@honeywell.com.  As usual, if someone wants me to post their comment anonymously, I’ll do that.

P.S. Be sure to sign up for Honeywell’s upcoming webinar with EnergySec, “Covering your Assets in CIP Version 5”.  You can sign up for it here.  The webinar is on August 21st at 10:30 CDT.  If you can’t make the webinar but want to see the video, sign up anyway.  You’ll get the link to the video as soon as it is posted after the webinar.

[i] Of course, saying these are the only two problem areas in CIP-002-5 is like saying the only problem areas in the Gospel of John are the references to Jesus.  The whole purpose of CIP-002-5 is to identify big and little iron, and if it doesn’t do this reliably it has failed.
[ii] When I wrote that post, I thought I would just provide comments on CIP-002-5, not rewrite it.  But when I started to write Part II, I realized that continuing to make a bunch of comments wouldn’t be very helpful.  The problems in CIP-002-5 are so severe that it needs to be completely rewritten.  So Part II turned into the Fantasy CIP-002-5 post, although with an asterisk to indicate it was still incomplete.  In other words, this post is actually the third in a series on the comments I intend to submit to FERC regarding the NOPR (I’ve also decided what I submit to FERC will be simply CIP-002-5-taf itself, along with links to these three posts for explanation on why I made the changes I did).
[iii] With the exception of Distribution Providers, which only have to include four types of Facilities.
[iv] I think having the ability to “slice and dice” an asset into Facilities also has a bearing on Criterion 2.3:
Each generation Facility that its Planning Coordinator or Transmission Planner designates, and informs the Generator Owner or Generator Operator, as necessary to avoid an Adverse Reliability Impact in the planning horizon of more than one year.

The fact that this says “generation Facility” rather than “Generating asset” or something like “Generating station” means that, if a PC or TP says that a single unit or maybe a couple units at a plant is “necessary”, the GO/GOP only has to designate those unit(s) as a medium impact Facility.  The other units can be low impact, since they could be considered a separate Facility.  However, this is entirely my own interpretation.  This points to the need for a guidance document to be developed on Attachment 1 of CIP-002-5 (just as there were guidance documents on Critical Asset and Critical Cyber Asset identification in CIP Versions 1-3.  I also pushed for a guidance document on Attachment 1 of CIP-002-4, although nobody listened to me.  That is just as well, since V4 is now just a historical curiosity).  I would put out a post about that and get all worked up in righteous indignation that it wasn't being done, except for one thing: nobody can even write a good guidance document on CIP-002-5 as it currently stands.  It would be like trying to nail Jell-O (tm) to the wall. Hopefully we’ll be able to do this in about a year, once FERC issues their order approving Version 5 and mandating the changes they want to see in a compliance filing.

[v] I am also not sure whether there shouldn’t be some statement having to do with the network topology of the Facilities and the Asset.  If the cyber assets in an Asset are all on one large network, you really can’t separate the Asset into Facilities.   This is because all of the cyber assets on that network, that were not part of the BES Facility, would still have to be protected in the same way as those that are part of the BES Facility (i.e. they would be Protected Cyber Assets in Version 5, the equivalent of “non-critical” cyber assets within the ESP in Versions 1-4).  I think there should probably be a further statement that the networks in the different Facilities within the Asset need to be separated, but writing that statement won’t be easy.  Fortunately, that’s above my pay grade.
[vi] I must also admit I’m uneasy about the “Facilities, systems and equipment” language in 4.2.  Why do we need "systems" and "equipment"?  I think including these terms literally could lead to entities having to consider each piece of equipment or system at, say, a control center or generating station as possibly meeting one or more of the Attachment 1 criteria all by itself (and document the whole process, of course).  I suspect this language is yet another relic of the fact that the first draft of Version 5 really did require the entity to identify BES Cyber Systems before Facilities/assets.  Even though the standard was officially changed so that Facilities were identified first, remnants of that first draft still live on in CIP-002-5, and are the main cause of the problems I’ve expended so many words discussing lately.  I call this the Original Sin of CIP-002-5.  For more on this, see footnote x in the Asset Identification post.
[vii] You may point out that it is redundant for me to say “Assets or Facilities”, since the definition of Asset includes Facilities.  This is more my judgment that the ability to slice and dice substations might be lost if all of Attachment 1 were based on Assets alone.  I’m not set in stone on this point, however.
[viii] Here’s an interesting anecdote of another instance where an entity took advantage of a simple wording error in CIP.  Those who remember the CIP Version 1 rollout will recall there were four Tables which determined your compliance dates.  Table 1, which had the earliest dates, was listed as applying to entities that “were required to comply with Urgent Action 1200” (the predecessor to CIP).  One entity who had complied with UA1200 realized that even then, they were not required to comply with it.  In fact, nobody was “required” to comply with UA1200 since compliance with it, as well as with all NERC standards before the Federal Power Act of 2005, was voluntary!  So this entity got another year or so to comply with CIP Version 1 by falling under Table 2, due to some quick thinking by their compliance person.  That person recently verified this story for me, since I’d heard it from a third party.
