The CIP V4 Rationale and Implementation Reference Document

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

Every entity that is facing compliance with CIP Version 4 should read the document entitled (somewhat ponderously) CIP-002-4 – Cyber Security – Critical Cyber Asset Identification.  Rationale and Implementation Reference Document.  It is available here.

This document was drafted by the Standards Drafting Team and was included in the final Version 4 “package” that was approved by the NERC membership and Board of Trustees (and ultimately by FERC).  As such, it constitutes the closest thing you will find to official guidance on the Version 4 bright line criteria (it also includes a discussion of the two implementation plans for Version 4, the Implementation Plan itself and the IPNICCANRE.  I’m glad to say that it seems to support my interpretation of those two documents, outlined in this blog post).

This is of course not a document that you can be audited against; nor is it something you can point to in order to trump an auditor’s opinion that seems to contradict it.  However, since it does represent the SDT’s views on these matters, it is definitely worth studying (in CIP Version 5, the SDT included guidance with the standards themselves).

However, this is not the CIP-002-4 guidance document whose development I have been advocating since last September.  I’m beginning to believe that the chances of that happening soon are about the same as the chances of the Cubs winning the World Series this year (or any year in the next twenty, for that matter).  So you have to do the best with what you have.

The main problem with using this document for BLC guidance is that it really wasn’t developed primarily for that purpose.  Rather, it was developed to outline the SDT’s reasons for decisions they made while developing the bright line criteria (1500MW, 500kV, etc).  However, it is certainly better guidance than anything else (of an official nature) that an entity has available now, or is likely to have in the future.

Here are some nuggets of guidance from the document.  I recommend you 'mine' it for more.

1. In the recent Honeywell/EnergySec webinar on CIP Version 4, the question was asked how an asset should be designated if its two (equal) owners disagreed on whether it is critical or not.  The rationale document says (page 7) “A Critical Asset should be listed by only one Responsible Entity. Where there is joint ownership, it is advisable that the owning Responsible Entities should formally agree on the designated Responsible Entity responsible for compliance with the standards.”  In other words, work it out between you, guys.
2. There is a very interesting discussion of Criterion 1.15 on page 11 of the Rationale document.  Criterion 1.15 begins “Each control center or backup control center used to control generation at multiple plant locations…”  The SDT was concerned that the words “control generation” would be interpreted to apply only to control centers that literally have AGC for one or more generating stations.  They say “The monitoring and operating control function includes controls performed automatically, remotely, manually, or by voice instruction.  An example of monitoring without direct control that is subject to the Cyber Security Standards is a Reliability Authority that receives data from Critical Cyber Assets to a state estimator.”  In other words, as long as a control center can provide any type of control of generation (even just by telephone), it will be a Critical Asset if it meets the rest of the 1.15 criterion.
3. On page 15, in the discussion of control centers, you will find this sentence: “It should be noted that Cyber Assets essential to the operation of a control center may be located at a data center that is not co-located with the control center itself.”  So make sure you’re not leaving any such cyber assets off your CCA list (although this does then raise the question of how you will draw your ESP around such assets, whether they’ll be protected by a PSP at the data center, whether the employees at the data center who manage the assets will have PRA’s and cyber security training, etc).