Wednesday, August 28, 2013

"Facilities, systems and equipment"


All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

Honeywell and EnergySec recently put on a very successful webinar on CIP Version 5; you can view the recording here.  My job in that webinar was to discuss CIP-002-5: specifically, how an entity goes about identifying its assets in scope for Version 5 (both the “big iron” aka facilities like control centers, and the “little iron” aka cyber assets).

In putting together my presentation, this wasn’t the first time I’d set out to describe the V5 asset identification process.  My first time was after FERC’s NOPR in April, when I set out to write a series of posts on how an entity actually complies with Version 5.  I started with CIP-002-5 (of course), but as I began to write my post, I started to realize something pretty disturbing: There is no way an entity could sit down with this standard and learn what it needs to do to comply with CIP Version 5.  A corollary to that statement is that there is no way (as far as I can see) that an auditor could strictly follow the standard to determine whether an entity was in compliance with it.

This post led to a series of three more in which I went into the problems in CIP-002-5 in more depth.  The fifth post in this series (and I’d never planned it as a series, of course) was comments that I submitted to FERC (as part of the NOPR comment period that ended in June), in which I rewrote CIP-002-5 in a way that I believe makes it a usable standard.[i]

As I started working on my webinar presentation, I revisited my previous efforts to make sense of the CIP-002-5 standard as written.  But I noticed something I hadn’t noticed before: the phrase “Facilities, systems and equipment”, which plays a big role in the standard, should simply never have been used at all.  Either because I just didn’t see this the first time around, or more likely because I was already overwhelmed with the other problems in the standard and thought this one was a little less pressing, I missed this in my previous posts (mainly in this post), as well as in the comments I submitted to FERC.

“Facilities, systems and equipment” appears in Sections 4.1 and 4.2 of the standard.  These sections, which are intended to be a precursor to the actual requirements that follow, provide a guideline for a NERC entity to decide whether it does have assets (“big iron”) that will fall under CIP Version 5.  Essentially, if an entity has a NERC functional classification (BA, TOP, etc.) that is listed in Section 4.1, all of its owned “Facilities, systems and equipment” are in scope.

Section 4.2 starts with this paragraph:

Facilities: For the purpose of the requirements contained herein, the following Facilities, systems, and equipment owned by each Responsible Entity in 4.1 above are those to which these requirements are applicable. For requirements in this standard where a specific type of Facilities, system, or equipment or subset of Facilities, systems, and equipment are applicable, these are specified explicitly.

“Facilities” is capitalized because it is a defined term in the NERC Glossary.  Here is the definition:

A set of electrical equipment that operates as a single Bulk Electric System Element (e.g., a line, a generator, a shunt compensator, transformer, etc.)

Now that I look at it more closely, I see two problems with Section 4.2:

  1. If taken literally, the phrase “Facilities, systems and equipment” requires the entity to evaluate every Facility (per the definition), every system, and every piece of equipment it owns for applicability in CIP Version 5.  Leaving aside Facilities for the moment, it implies that the entity needs to list every computer system it owns (whether it’s an EMS balancing load and supply in an entire city or a system sitting on an account clerk’s desk, used for dealing with late bill payers), as well as every piece of equipment it owns (each truck, each pair of wire cutters, etc).  You can imagine this would be a pretty long list in the case of Duke Energy.

  2. Now with regard to “Facilities”, look at the examples shown in the definition: “a generator, a shunt compensator, a transformer”.  Again, following the literal wording of Section 4.2, the entity needs to develop a list of every generator (not a generating station, but presumably every unit in that station, as well as every backup diesel generator in the warehouse), every shunt compensator (I don’t know what that is, but I have a strong feeling that it should never be considered as an asset in CIP Version 5), and every transformer.  And the auditor should ding them if they can’t prove they’ve done that.

Of course, this is nonsense.  It was never the intent of the SDT for the entity to have to develop these lists.  In fact, when the entity gets to Requirement 1, they see this:

Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: [Violation Risk Factor: High][Time Horizon: Operations Planning]

i. Control Centers and backup Control Centers;
ii. Transmission stations and substations;
iii. Generation resources;
iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.

Since parts 1.1 through 1.3 take the entity through Attachment 1, what the above is really saying is this: “Forget all the stuff we said in Section 4.2 about Facilities, systems and equipment.  What we really want you to do is consider each of these six types of assets[ii] in Attachment 1.”  Is your response the same as mine:  “Why did you make us go through the effort of listing every Facility, system or piece of equipment we own in Section 4.2, if we really only need to consider these six assets?  Why didn’t you just tell us in 4.2 that these six assets are everything that is in scope for CIP Version 5?  Why even mention ‘Facilities, systems and equipment’ in the first place?”[iii]

I don’t have a good answer for this question, to be honest.  It seems to me the SDT had one meeting too few: before they developed the final draft of V5, they should have called one final meeting just to try to fix the problems in CIP-002-5 (not just this, but all the problems I’ve previously discussed).  The fact that they didn’t do that has left the industry with a standard that nobody can strictly follow and nobody can strictly audit.  There have been a lot of problems with interpreting and auditing CIP Versions 1-3, but the standards themselves don’t lead to logical dead ends like CIP-002-5 does.  My hope is that FERC will order NERC to rewrite CIP-002-5 to address these problems, along with the other changes in Version 5 they are probably going to require.

This is why, in the webinar, I recommended that NERC entities simply disregard the “Facilities, systems and equipment” language in Section 4.2 and instead substitute the six asset types in Section R1.  But if FERC doesn’t order any changes in CIP-002-5, let’s hope the auditors don’t feel inclined to take the wording of Section 4.2 too seriously when it comes time to audit this; let’s hope they have a good sense of humor and consider “Facilities, systems and equipment” to be the SDT’s little joke.  But this isn’t exactly how auditors are supposed to think, is it?

In the rest of this post, I’m going to rewrite my version of CIP-002-5 that I submitted to FERC, to accommodate this change (there are other changes required as well, due to the fact that Facilities reappears in Attachment 1). 


My Original Version
This is what I submitted to FERC as my replacement for CIP-002-5 (for the reasons why I used this wording, see the series of posts):

(I first provided the following definition of Asset, for insertion either in Section 4.2 or in the V5 Definitions document:)
An Asset is a Control Center or a group of one or more Facilities at a single location.
(Then I continued with the requirements themselves)

R1. Each Responsible Entity shall:
R1.1 Implement a process that considers each of the following Assets or Facilities for purposes of Requirement R2:
i. Control Centers and backup Control Centers;
ii. Transmission stations and substations;
iii. Generation resources;
iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.

R1.2 Develop a list of its Assets or Facilities including each type listed in R1.1.
R2. Each Responsible Entity shall identify its High, Medium and Low impact BES Assets or Facilities in parts 2.1 through 2.3:
2.1  Using the criteria in Attachment 1, Section 1, identify its High impact Assets or Facilities;
2.2  Using the criteria in Attachment 1, Section 2, identify its Medium impact Assets or Facilities;
2.3  After removing High and Medium impact Assets or Facilities from the list of Assets or Facilities developed in R1.2, identify the remaining Assets or Facilities as Low impact.
R3. The Responsible Entity shall identify BES Cyber Assets associated with each High, Medium and Low impact Asset or Facility.  Only BES Cyber Assets located at a High impact BES Asset shall be considered to be associated with the High impact BES Asset.  All BES Cyber Assets associated with an Asset or Facility shall be classified with the impact level of that Asset or Facility.
R4. The Responsible Entity shall identify BES Cyber Systems from groupings of one or more BES Cyber Assets.
R5. The Responsible Entity shall:
5.1 Review the identifications in Requirements R1-R4 and all their parts (and update them if there are changes identified) at least once every 15 calendar months, even if it has no identified items in Requirement R1, and
5.2 Have its CIP Senior Manager or delegate approve the identifications required by Requirements R1-R4 and all their parts at least once every 15 calendar months, even if it has no identified items in Requirement R1.

(I then proposed this replacement for Attachment 1)

1. High Impact Rating (H)
Assets or Facilities that meet one or more of the following criteria are High impact:
(followed by existing criteria 1.1 – 1.4)
2. Medium Impact Rating (M)
Assets or Facilities that meet one or more of the following criteria, and are not included in Section 1 above, are Medium impact:
(followed by existing criteria 2.1 – 2.13)
3. Low Impact Rating (L)
Assets or Facilities meeting the applicability qualification in Standard Section 4, which are not included in Sections 1 or 2 above, are Low impact:
(followed by the same list of types of assets as in CIP-002-5 Attachment 1 part 3) 


My New Version
These are the changes that need to be made in the above:

  1. The definition of Asset now isn’t needed.  We are going to “define” asset as simply the six types of assets listed in R1.
  2. I will take “Facilities, systems and equipment” out of Section 4.2 and replace it with the list of six asset types (since “Facilities, systems and equipment” appears multiple times in 4.2, I have reproduced the whole section below and changed those references).  This will allow me to remove that same list from R1.
  3. We will replace all of the “Assets or Facilities” with just “assets”.  Again, since we’re no longer specifically defining the word, it isn’t capitalized.  It just means the six types of thingamajigs now listed in Section 4.2.
  4. I’m kind of glossing over one problem in Attachment 1 that I discussed at length before: the fact that “Facilities” rears its head again in Criteria 2.3 – 2.8 in Attachment 1.  As I pointed out then, I believe the main reason the SDT did this was to allow entities to separate out distribution from transmission elements at substations that have both.  To be honest, I can’t see any real purpose in trying to figure out a way to word these six criteria that doesn’t include “Facilities” – so I’m not going to suggest any changes in these criteria (or any of the other criteria, for that matter).  The SDT did do a good job of describing their intent to let the entities “slice and dice” their substations in the Guidance and Technical Basis of the standard.  Hopefully, the auditors will consider that enough authorization for this practice.

Here is my new version:

4.2. Facilities: For the purpose of the requirements contained herein, the following assets are those to which these requirements are applicable. For requirements in this standard where a specific type of asset or subset of assets is applicable, these are specified explicitly.
i. Control Centers and backup Control Centers;
ii. Transmission stations and substations;
iii. Generation resources;
iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 below.

4.2.1. Distribution Provider: One or more of the following assets owned by the Distribution Provider for the protection or restoration of the BES:
4.2.1.1. Each UFLS or UVLS System that:
4.2.1.1.1. is part of a Load shedding program that is subject to one or more requirements in a NERC or Regional Reliability Standard; and
4.2.1.1.2. performs automatic Load shedding under a common control system owned by the Responsible Entity, without human operator initiation, of 300 MW or more.
4.2.1.2. Each Special Protection System or Remedial Action Scheme where the Special Protection System or Remedial Action Scheme is subject to one or more requirements in a NERC or Regional Reliability Standard.
4.2.1.3. Each Protection System (excluding UFLS and UVLS) that applies to Transmission where the Protection System is subject to one or more requirements in a NERC or Regional Reliability Standard.
4.2.1.4. Each Cranking Path and group of Elements meeting the initial switching requirements from a Blackstart Resource up to and including the first interconnection point of the starting station service of the next generation unit(s) to be started.

4.2.2. Responsible Entities listed in 4.1 other than Distribution Providers:
All BES assets.
4.2.3. Exemptions: The following are exempt from Standard CIP-002-5:
4.2.3.1. Cyber Assets at assets regulated by the Canadian Nuclear Safety Commission.
4.2.3.2. Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters.
4.2.3.3. The systems, structures, and components that are regulated by the Nuclear Regulatory Commission under a cyber security plan pursuant to 10 C.F.R. Section 73.54.
4.2.3.4. For Distribution Providers, the systems and equipment that are not included in section 4.2.1 above.
(Now I skip down to R1)

R1. Each Responsible Entity shall:
R1.1 Implement a process that considers each of the assets from Section 4.2 for purposes of Requirement R2.
R1.2 Develop a list of its assets including each type listed in Section 4.2.
R2. Each Responsible Entity shall identify its High, Medium and Low impact BES assets in parts 2.1 through 2.3:
2.1  Using the criteria in Attachment 1, Section 1, identify its High impact assets;
2.2  Using the criteria in Attachment 1, Section 2, identify its Medium impact assets;
2.3  After removing High and Medium impact assets from the list of assets developed in R1.2, identify the remaining assets as Low impact.
R3. The Responsible Entity shall identify BES Cyber Assets associated with each High, Medium and Low impact asset.  Only BES Cyber Assets physically located at a High impact BES Asset shall be considered to be associated with the High impact BES Asset.[iv]  All BES Cyber Assets associated with an asset shall be classified with the impact level of that asset.[v]
R4. The Responsible Entity shall identify BES Cyber Systems from groupings of one or more BES Cyber Assets.
R5. The Responsible Entity shall:
5.1 Review the identifications in Requirements R1-R4 and all their parts (and update them if there are changes identified) at least once every 15 calendar months, even if it has no identified items in Requirement R1, and
5.2 Have its CIP Senior Manager or delegate approve the identifications required by Requirements R1-R4 and all their parts at least once every 15 calendar months, even if it has no identified items in Requirement R1.

(I now propose this replacement for Attachment 1)

1. High Impact Rating (H)
Assets that meet one or more of the following criteria are High impact:
(followed by existing criteria 1.1 – 1.4)
2. Medium Impact Rating (M)
Assets that meet one or more of the following criteria, and are not included in Section 1 above, are Medium impact:
(followed by existing criteria 2.1 – 2.13)
3. Low Impact Rating (L)
Assets meeting the applicability qualification in Standard Section 4, which are not included in Sections 1 or 2 above, are Low impact:
(followed by the same list of types of assets as in CIP-002-5 Attachment 1 part 3) 
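To make the rewritten R1 through R5 flow concrete, here is a small Python model of it, added to this post as an illustration; it is not part of the post's proposed standard text and is not NERC or SDT material. The six asset types are the ones moved into Section 4.2 above; the Attachment 1 criteria are referenced only by label (the post does not reproduce them, so nothing here evaluates them). Two points the post leaves open are filled in with labelled assumptions: a BES Cyber System grouping whose members carry different impact levels is rejected, and "every 15 calendar months" is read as "by the end of the fifteenth calendar month after the last review". Asset names, cyber asset names and the sample inventory are constructed.

```python
"""Toy model of the rewritten CIP-002-5 flow (R1-R5) described in the post.

Added illustration, not text from the post, NERC or the SDT. The six asset
types come from the post's Section 4.2; Attachment 1 criteria are carried
only as labels. Class names, the sample inventory, the R4 mixed-level rule
and the 15-month deadline reading are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date

# The six asset types the post moves into Section 4.2 (short labels).
ASSET_TYPES = (
    "Control Center",
    "Transmission station or substation",
    "Generation resource",
    "System restoration facility",
    "Special Protection System",
    "Distribution Provider Protection System",
)


@dataclass
class Asset:
    name: str
    asset_type: str
    high_criteria: tuple = ()    # Attachment 1 Section 1 criteria met, e.g. ("1.1",)
    medium_criteria: tuple = ()  # Attachment 1 Section 2 criteria met, e.g. ("2.5",)
    impact: str = ""


@dataclass
class CyberAsset:
    name: str
    associated_with: str  # name of the asset it supports
    located_at: str       # name of the asset where it physically sits
    impact: str = ""


def r1_asset_list(assets):
    """R1.1/R1.2: build the asset list; every entry must be a Section 4.2 type."""
    for a in assets:
        if a.asset_type not in ASSET_TYPES:
            raise ValueError(f"{a.name}: {a.asset_type!r} is not a Section 4.2 asset type")
    return {a.name: a for a in assets}


def r2_rate_assets(inventory):
    """R2.1-R2.3: High if any Section 1 criterion applies, else Medium if any
    Section 2 criterion applies, else Low (whatever is left on the R1.2 list)."""
    for a in inventory.values():
        a.impact = "High" if a.high_criteria else "Medium" if a.medium_criteria else "Low"
    return {a.name: a.impact for a in inventory.values()}


def r3_rate_cyber_assets(inventory, cyber_assets):
    """R3: each cyber asset takes its asset's impact level; for a High asset only
    cyber assets physically located there count as associated with it. Returns
    the names that failed the physical-location test so they can be re-examined."""
    unassociated = []
    for c in cyber_assets:
        asset = inventory[c.associated_with]
        if asset.impact == "High" and c.located_at != asset.name:
            c.impact = ""
            unassociated.append(c.name)
            continue
        c.impact = asset.impact
    return unassociated


def r4_group_systems(cyber_assets, groupings):
    """R4: group rated cyber assets into BES Cyber Systems. Assumption for this
    example: a grouping with mixed or missing impact levels is rejected, so each
    system carries exactly one level."""
    by_name = {c.name: c for c in cyber_assets}
    systems = {}
    for system, members in groupings.items():
        levels = {by_name[m].impact for m in members}
        if len(levels) != 1 or "" in levels:
            raise ValueError(f"{system}: members have mixed or missing impact {levels}")
        systems[system] = levels.pop()
    return systems


def _first_day_after_months(d, n):
    """First day of the month that is n months after d's month."""
    month = d.month - 1 + n
    return date(d.year + month // 12, month % 12 + 1, 1)


def r5_review_overdue(last_review_iso, today_iso):
    """R5.1/R5.2: review and approval are due by the end of the 15th calendar
    month after the last one (assumed reading of '15 calendar months')."""
    last_review, today = date.fromisoformat(last_review_iso), date.fromisoformat(today_iso)
    return today >= _first_day_after_months(last_review, 16)


def demo():
    """Constructed sample inventory run through R1-R5."""
    inventory = r1_asset_list([
        Asset("Main Control Center", "Control Center", high_criteria=("1.1",)),
        Asset("River Substation", "Transmission station or substation", medium_criteria=("2.5",)),
        Asset("Hill Peaker", "Generation resource"),
    ])
    ratings = r2_rate_assets(inventory)
    cyber = [
        CyberAsset("ems-server-1", "Main Control Center", "Main Control Center"),
        CyberAsset("remote-console", "Main Control Center", "River Substation"),  # not at the CC
        CyberAsset("relay-rtu-1", "River Substation", "River Substation"),
        CyberAsset("plant-dcs", "Hill Peaker", "Hill Peaker"),
    ]
    unassociated = r3_rate_cyber_assets(inventory, cyber)
    systems = r4_group_systems(
        [c for c in cyber if c.impact],
        {"EMS": ["ems-server-1"], "Substation Protection": ["relay-rtu-1"], "Plant DCS": ["plant-dcs"]},
    )
    overdue = r5_review_overdue("2013-03-10", "2014-07-01")
    return ratings, unassociated, systems, overdue


if __name__ == "__main__":
    print(demo())
```

The `remote-console` entry shows the effect of the R3 sentence the post footnotes: it supports the control center but sits at a substation, so it is not treated as associated with the High impact asset and comes back for re-examination rather than silently inheriting "High".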

This is the CIP-002-5 I wish I’d submitted to FERC in June, not the other one.  I don’t believe I can amend my official comments, so I’m not sure how I’ll get this to the attention of the Commissioners.  Maybe I’ll sneak in and post it in their bathroom (of course, that doesn’t reach the one female Commissioner.  Maybe I’ll wrap this post around a rock and throw it through her window).  Or maybe they’ll read the post.

[i] Note that, in all of this, I’m not contesting what I believe to be the intention of the Standards Drafting Team in writing CIP-002-5.  I’m just saying those intentions were poorly translated into words.  I have tried to do that translation myself.

[ii] Of course, the fact that R1 refers to assets (a term that is undefined in both the NERC Glossary and the V5 Definitions) is a problem in itself.  What the h___ happened to Facilities?  This becomes more of a problem when Facilities suddenly reappears in some of the criteria in Attachment 1.  I deal with that later in this post.

[iii] Note that, even though CIP does ultimately deal with systems (BES Cyber Systems, to be exact), listing them as in scope in Section 4.2 isn’t needed.  4.2 is where you find out what “big iron” (aka assets) is in scope.  Once you’ve run all of those assets through Attachment 1, you then identify the BES Cyber Systems associated with those assets.  You don’t even think about systems before then.

As always when I get into these religious questions, I need to point out that many knowledgeable people (including SDT members) don’t agree with me on this.  They seem to think there is some independent evaluation of a cyber asset’s H/M/L impact level on the grid – different from the evaluation of the asset’s (big iron) impact.  On the other hand, I have never heard a clear explanation of how this will happen, although I can certainly see why the wording of CIP-002-5 leads these people to believe that.  This is why I rewrote the standard – to eliminate this type of confusion.

[iv] In case you’re wondering why this sentence is in here, I refer you to this post.  If you go to right before the Summary at the end, you’ll see a section that was added June 22.  This is where I explain why I put that sentence in.  It has to do with the fact that the SDT (rightfully) wanted only cyber assets physically located at control centers to be BES Cyber Assets, while for other assets like generation that isn’t the case.

[v] I admit I still have a lot of problems with this sentence.  It’s in there because this is another of those religious issues I discussed in a previous footnote.  Going hand-in-hand with the idea that there is an independent H/M/L impact analysis of each cyber asset is the idea that you can have differing impact levels of cyber assets at each asset – e.g. a control center could have High, Medium and Low impact assets.  I admit there are at least a couple cases where this is likely.  One is at a 1500MW generating station where some of the cyber systems don’t themselves affect 1500MW of capacity.  Another is when an entity creates separate networks at a High or Medium impact asset, with some networks containing BES Cyber Systems and others not containing any.  I think all the cyber assets on the former would be High or Medium (in line with the asset itself), and all of the cyber assets on the latter would be Lows.  This is one of many reasons I strongly recommend a V5 asset identification guidance document be written (in fact, I think I must have said that about ten times in the webinar).  To get back to the sentence in question, it would be nice if it were modified to allow for these two exceptions (and there may be others as well), but this may be too awkward and it might have to go.  But I do want some sentence in CIP-002-5, or at least the Guidance, stating clearly that, in general, all cyber assets take the value of the asset (big iron) they’re associated with.
