Feb. 18: It turns out I was missing an important point when I wrote this post last week. It isn't wrong per se, but it isn't the whole story. See this new post - which you'll be glad to know is mercifully short compared to most of my posts.
Perhaps I find pleasure in strange activities, but I admit I found it quite pleasurable to attend WECC’s CIP Version 5 Workshop in Salt Lake City recently. The main reason for this was that the WECC CIP auditors and enforcement people who spoke had done an excellent job of really thinking about all the standards and providing useful information. Of course, the fact that there are so many of them (there were at least nine speakers) allowed each one to treat his or her topic quite thoroughly.
If you missed the workshop, don’t despair. You can download the entire “presentation package” here. However, before you click on it, keep in mind that the package is 33 megabytes (fortunately, Geoff Warnock of Gainesville Regional Utilities has come to the rescue and divided the file up into the presentations on each of the standards. If you would like me to send them to you - in a few emails, depending on how much you can receive at one time - contact me at tom.alrich@honeywell.com). I do wish to make the suggestion to WECC that it might be a good idea to start breaking those packages up into at least two or three parts. Herein ends my criticism of WECC (for this post, anyway).
I found a lot of the points that were made to be very interesting, and I hope to do a post soon that will address a number of these.
However, this post will focus on a question that was asked during the CIP-002-5 presentation and the discussion that followed. The presenter for CIP-002-5 was Dr. Joe Baugh, a kind of rock star[i] among CIP auditors, who I wrote about for the first time almost two years ago (he was just Joe at the time, not Dr. Joe).
Before I get to this discussion, I do want to say that Joe provided a very good description, and flow chart, of two alternative methodologies for achieving compliance with CIP-002-5 R1. And guess what? They correspond fairly closely to the two methodologies I outlined in a recent series of three posts (the first is here) – one mine and one that of a friend who happens to be an auditor (not in WECC). Joe referred to these as the “top down” and “bottom up” approaches. The former corresponds roughly to my methodology, the latter to the auditor’s.[ii] Even better, he recommended the top-down approach (i.e. mine) as the better one to pursue.[iii]
Should I be surprised that Dr. Joe came to the same conclusion as to the best methodology for CIP-002-5 R1 compliance as I did? Not at all; I know him to be a very intelligent person – this only confirms that.
Now to the discussion I found so interesting. An attendee asked whether an EMS workstation that was located remotely from a High or Medium impact control center would itself take the classification of the control center. Dr. Joe said it would, and further stated that there might have to be a special asset defined to house that remote workstation (he didn’t go into detail, but I presume that asset would be a type of High or Medium control center). Of course, this would have to be done because in his preferred methodology (and mine), assets (i.e. the “big iron”) are classified first, then BES Cyber Systems are identified at the High and Medium assets. So you can’t have a High or Medium impact BCS without a corresponding High or Medium asset.
However, in this case Dr. Joe gave an answer that, while not wrong, was incomplete; it was incomplete on two counts. Always being eager to help, I pointed out one of those counts; it was only later that I realized there were two. You might say I missed my chance to point both out at the meeting, but this is the great advantage of having a blog: you can always have the last word. So this post will be devoted to describing what Dr. Joe missed; indeed, he missed two entire steps (or at least sub-steps) in the process of BCS identification.[iv] And I now realize that NERC entities (and auditors!) could make a lot of classification mistakes if they don’t understand these steps.
The issue revolves around the wording of CIP-002-5 R1.1 and 1.2. These two parts – and R1.3 – constitute what could be called the “payload” of R1, since when you come down to it, everything that R1 explicitly tells you to do is contained in these three parts. Here is the wording of R1.1 and R1.2[v], along with the first phrase of each of the sections in Attachment 1 that each part refers to:
High Impact
1.1. Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;
Refers to Section 1: Each BES Cyber System used by and located at any of the following:

Medium Impact
1.2. Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset;
Refers to Section 2: Each BES Cyber System, not included in Section 1 above, associated with any of the following:
Let’s just consider the High and Medium impacts now. Note that for Highs, R1.1 says you must identify “high impact BES Cyber Systems…at each asset”, and Section 1 says these systems must be “used by and located at…” assets that meet the criteria in Section 1. Offhand, this seems to be quite consistent – both use the word “at” (note the italicizations are mine). A High impact BES Cyber System must be physically located at the High impact asset that uses it. So if the questioner at the WECC meeting was asking about a remote workstation for a High impact control center, there is no question: it would not be a High BCS, since it isn’t located at the control center itself.
Let’s now look at the Mediums. R1.2 says you need to identify “medium impact BES Cyber Systems…at each asset”. However, Section 2 says simply “associated with any of the following”. Going back to the WECC workshop question, and assuming we’re now talking about a remote workstation for a Medium impact control center, it seems like R1.2 would say the remote workstation isn’t a Medium BCS, since it’s not “at” the control center. But Section 2 seems to say it is a Medium BCS, since it is “associated with” the control center. Is this a contradiction?
When I first noticed this difference between how High and Medium impact BCS are treated, I assumed it was simply a mistake – that the SDT hadn’t noticed the discrepancy for Mediums. However, late last year I discussed this with an Interested Party who has studied CIP-002-5 R1 very closely. He pointed out to me that a proper reading reveals there is no discrepancy. I have come to agree with him, although the language could certainly have been made a lot more explicit.[vi]
The Interested Party explained to me that R1.1 – R1.2 and Sections 1–2 of Attachment 1 are actually doing two different things. R1.1 – R1.2 are telling you the universe of systems that need to be considered as High or Medium BCS; that universe consists of systems located at “each asset”, meaning assets corresponding to the six types that are listed right above this – control centers, transmission substations, etc. Note that neither R1.1 nor R1.2 is saying that High or Medium BCS must be located at either a High or Medium asset, only that they must be located at one of the six types of assets, regardless of its classification as High, Medium or Low impact.
Going back to the WECC question, if the remote workstation is located in somebody’s home or in the company headquarters (probably not good security practice, of course), it will definitely not be a BES Cyber System at all – it will presumably have to be treated as a remote access user, and have to go through an Intermediate System (with a VPN to that IS) like other remote users. If it is located in one of the six asset types, then it could be a BCS; but we now need to go to Attachment 1 to decide for sure whether or not this is the case.
It is in Attachment 1 that the difference comes out between High and Medium impact BES Cyber Systems. Since Section 1 uses the words “used by and located at”, it is clear that a High BCS can only be physically located at the High impact control center that uses it. If it is located anywhere else, it probably won’t be a High BCS.[vii]
However, since Section 2 says “associated with”, it is very possible that an EMS workstation located remotely from a Medium impact control center could be a Medium BCS. But since R1.2 restricts Medium BCS to systems located “at” one of the six asset types, it would need to be located at another control center, a generating station, etc. As was just said, it couldn’t be in somebody’s home or in the corporate headquarters.
You may find this surprising, and I think Joe Baugh would have as well. In fact, there was a follow-on to the first question, in which a different person asked if the user of the remote workstation could be classified as an interactive remote user, so that the workstation they were using wouldn’t be a BCS. Joe said this was fine as long as the workstation wasn’t “controlling” the EMS or SCADA system in the control center. He said that if the “full suite of EMS applications” were installed on the workstation, then it would have to be a BES Cyber System.[viii]
However, I think Joe’s answer needs to be qualified to say that:
a) For a High impact control center, the only way the remote workstation could itself be High impact would be if it were located at another High control center. Joe briefly alluded to the idea that the entity might have to declare the location of the workstation to be an asset in itself. For this to apply in the case of a High, the new “asset” would have to itself be a High control center; and this might be a pretty burdensome thing to do (you’d have to have a PSP with two types of physical access control, as well as comply with all of the other requirements for Highs); I see no alternative to simply declaring the workstation (or rather its user) as a remote user and applying the protections (VPN, Intermediate System) required for remote users.[ix]
b) For a Medium impact control center, the remote workstation would have to be located at one of the six asset types (per R1.2), but it could still be a Medium BCS, since it’s associated with the Medium control center. Again, if it were not located at one of the six asset types, it would be a remote user.
So here is the answer to the original question of whether a remote EMS workstation takes the classification of the control center with which it is associated:
- If the control center is High impact, the workstation will have to be treated as a remote user, unless it is declared to be part of a separate High impact control center.
- If the control center is Medium impact and the remote workstation is located at one of the six asset types, it will be a Medium BCS (of course, cyber assets networked to it will have to be treated as Medium impact Protected Cyber Assets).
- If the control center is Medium and the remote workstation isn’t located at one of the six asset types, it will have to be treated as a remote user.
Revised CIP-002-5 R1 Methodology
Let’s generalize this from just an answer to one question to a correction to the CIP-002-5 R1 compliance methodology itself. We’ll start with Dr. Joe’s “top-down” methodology shown on slide 45 of the WECC presentation packet. The first step (in blue) is to classify your assets as High, Medium and Low impact using the criteria in Attachment 1. The next step after that (in green) reads:
“Use the inventory of BES Cyber Assets at the High (R1.1) or Medium (R1.2) Facility to identify and list BES Cyber Systems (BCS) at each such facility”
This step should be replaced with the following two sub-steps:
- For High impact assets, identify BES Cyber Systems that are “used by and located at” the asset.
- For Medium impact assets, identify BES Cyber Systems that are “associated with” the asset. These must exist at one of the six types of assets shown in CIP-002-5 R1, including the Medium impact asset itself.
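To make the two sub-steps concrete, here is a small model of the classification logic the post describes, written as an added example (it is not from the post, WECC, or NERC). The asset-type labels, asset names, and the inventory are constructed for illustration; the post's own answer to the remote-workstation question (High control center: remote user unless at another High control center that uses it; Medium: Medium BCS if located at one of the six asset types, otherwise remote user) is what the function encodes.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# The six asset types of CIP-002-5 R1 (labels are mine, constructed for this example).
ASSET_TYPES = {"control_center", "transmission_station", "generation_resource",
               "blackstart_resource", "cranking_path", "protection_or_ras"}

@dataclass
class Asset:
    name: str
    kind: str      # one of ASSET_TYPES
    impact: str    # "High", "Medium" or "Low": output of the first (blue) step

@dataclass
class Workstation:
    name: str
    located_at: Optional[str]                               # asset name, or None (HQ, a home)
    used_by: Set[str] = field(default_factory=set)          # Section 1 test
    associated_with: Set[str] = field(default_factory=set)  # Section 2 test

def classify_remote_workstation(ws: Workstation, assets: Dict[str, Asset]) -> str:
    """Return "High BCS", "Medium BCS" or "Remote user" for a remote EMS workstation.
    R1.1/R1.2 limit the universe to systems located at one of the six asset types
    (of any impact); Attachment 1 then applies 'used by and located at' for High and
    'associated with' for Medium.  Low BCS (R1.3) are out of scope, as in the post."""
    site = assets.get(ws.located_at) if ws.located_at else None
    if site is None or site.kind not in ASSET_TYPES:
        return "Remote user"    # not at any of the six asset types: IRA via an Intermediate System
    if site.impact == "High" and site.name in ws.used_by:
        return "High BCS"       # Section 1: used by AND located at a High asset
    if any(assets[a].impact == "Medium" for a in ws.associated_with if a in assets):
        return "Medium BCS"     # Section 2: associated with a Medium asset, located at any of the six
    return "Remote user"

# Constructed inventory: one High and one Medium control center, one Low substation.
ASSETS = {a.name: a for a in [
    Asset("CC-High", "control_center", "High"),
    Asset("CC-Med", "control_center", "Medium"),
    Asset("Sub-Low", "transmission_station", "Low"),
]}

SCENARIOS = {
    # at corporate HQ (not an asset type), associated with the Medium control center
    "hq_ws": Workstation("hq_ws", None, associated_with={"CC-Med"}),
    # at a Low substation, associated with the Medium control center
    "sub_ws": Workstation("sub_ws", "Sub-Low", associated_with={"CC-Med"}),
    # at a Low substation, used by and associated with the High control center
    "sub_ws_high": Workstation("sub_ws_high", "Sub-Low", used_by={"CC-High"}, associated_with={"CC-High"}),
    # sitting at the High control center itself and used by it
    "at_high": Workstation("at_high", "CC-High", used_by={"CC-High"}, associated_with={"CC-High"}),
}

def classify_all() -> Dict[str, str]:
    return {n: classify_remote_workstation(ws, ASSETS) for n, ws in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in classify_all().items():
        print(f"{name}: {result}")
```

Note that "sub_ws" and "sub_ws_high" sit at the same Low substation; only the Medium-associated one becomes a BCS, which is exactly the High/Medium asymmetry the post describes.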
Postscript
I've just documented a complex wrinkle in the process for identifying BES Cyber Systems in CIP v5; one that probably limits the number of BES Cyber Systems below what some auditors may think will be the case. The bigger question is whether this is really what the SDT intended. I believe the answer to that is it was an unintended byproduct of well-intentioned provisions they included in v5.
In particular, the provision that High BCS are limited to those "used by and located at" a High impact asset was almost certainly not put there with this consequence in mind. I think it was put in because the SDT wanted to remove the possibility that every RTU, etc. controlled by a High or Medium impact control center would by that very reason be High or Medium. This wording prevents that from happening, but also of course prevents a remote workstation from becoming a High impact BCS and forces it to become a remote interactive user.
I'm not sure anyone made a mistake here; it's more a function of the complexity of the requirement. But NERC entities need to be aware that "there be dragons" lurking in CIP-002-5 R1. Since I've already written maybe 15 posts on just that requirement, I should know.
All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.
[i] I do wish to point out now that the frequent rumors that Dr. Joe will be named Sexiest Man Alive for 2014 are without foundation. However much he may deserve the title, he’s far too modest to accept it.
[ii] Note that I wrote in this post about two methodologies for identifying BES Cyber Systems, which I also labeled “top down” and “bottom up”. These aren’t the same thing as what we’re talking about here. In that post, “top down” meant basing your identification of BES Cyber Systems on an analysis based on the BES Reliability Operating Services (described in detail in the Guidance and Technical Basis section published with CIP-002-5), while “bottom up” meant basing the identification solely on cyber assets that complied with the definition of BES Cyber Asset. I suggested in that post that the best approach would be to combine these two approaches, coming at your identification of BCS from both directions so as not to miss any. Joe said the same thing in his presentation.
[iii] He actually said either one would be acceptable from an audit point of view. But he pointed out that the bottom-up approach (corresponding to what I call the auditor’s approach) would require much more work on the part of the entity, since it involves – in some way – prior identification of all BES Cyber Systems at all assets owned by the entity, whether they are ultimately classified as High, Medium or Low impact. And that added work – i.e. identifying BCS at Low impact assets – would essentially be a waste of time. He pointed out dryly that it isn’t likely too many NERC compliance departments, rushing to become compliant with CIP Version 5 by April 1, 2016, have lots of extra time on their hands.
[iv] I will admit that I glossed over these steps as well in the post where I outlined my methodology, although I had discussed the concept earlier in the previous post (in part D of “The Auditor’s Methodology”).
[v] Note I’m not dealing with R1.3 here. This is because, in my CIP-002-5 R1 compliance methodology and WECC’s, there is no need to identify Low impact BES Cyber Systems, so the considerations of “at” and “associated with” don’t apply at all.
[vi] Please note that for once I’m not saying the problem is caused by inconsistent wording in CIP-002-5 R1 – there are certainly other problems where that is the case! However, since I missed this point in my first 100 or so readings of the requirement, I definitely think the wording could be much more explicit. This does bring up another criticism I have made about CIP-002-5 R1: it tries to compress way too much into way too few words. Much of the requirement is not stated explicitly but is just implicit in the meanings of the words. This is wonderful if you’re writing haiku, but not so great if you’re writing requirements with potentially huge fines for non-compliance.
[vii] Except in the scenario that it is located at another High control center and is “used by” that control center as well as the one in question. I don’t know how likely this is, though.
[viii] I wish to thank Scott Kardos of Chelan Public Utility District in Washington. He asked the follow-on question, and clarified my memory of Joe’s response to the question.
[ix] Of course, if the goal is really to prohibit people from setting up remote EMS workstations outside of regular BES assets, this might be accomplished by some sort of directive from NERC or the regions. It would say there can be no remote EMS workstations for High or Medium impact control centers that are not themselves part of a High or Medium impact asset. But like a lot of other things, this assumes the agency issuing the directive has adopted my (and WECC’s) methodology for complying with CIP-002-5 R1; only if that is the case do the terms “High impact asset” and “Medium impact asset” even make sense.