I had an email conversation two days ago with a knowledgeable person about my post on the emails sent to generators by ISO New England. The post pointed out that the emails advised the generators that their AVR systems and associated RTUs would be Medium impact BES Cyber Assets according to Criterion 2.6 in Attachment 1 of CIP-002-5.1. However, the wording of 2.6 doesn’t support this assertion – rather, 2.6 seems to require the entire unit be Medium impact (and perhaps the entire plant).[i]
I implied in the post that ISO NE (and probably NPCC, who participated in this discussion) didn’t really understand how R1 and Attachment 1 work. The criteria don’t tell you what BCS are Medium impact; they tell you what assets or Facilities are Medium impact. The entity then classifies BCS associated with those assets/Facilities as Mediums.
This party – who understands the nuances of CIP-002-5.1 R1 very well - tried to convince me in his email that in fact ISO NE’s position could be correct if you first attach the preamble to the criteria in Section 2 of Attachment 1 to Criterion 2.6 itself. Criterion 2.6 will now read “Each BES Cyber System associated with generation at a single plant location or Transmission Facilities at a single station or substation location that are identified…”
He then made several transformations to this “sentence” (adding a couple commas, assuming “are” should really be “is”, making a change due to how NE ISO calculates IROLs, etc), and voila! He came out with “Each BES Cyber System associated with generation at a single plant location or Transmission Facilities at a single station or substation location that are identified by its Reliability Coordinator, Planning Coordinator, or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.”
In other words, he’s saying the NE ISO analysis – designating two particular cyber assets as Medium BCS, but nothing else at the plant - makes sense if you just do this “simple” little manipulation of the wording of Criterion 2.6. I told him that he deserved a medal from NERC for “Extraordinary Effort in Defense of the Wording of CIP-002-5.1”, but that he still hadn’t convinced me – for reasons which I won’t bother to put down here (since I’m determined to keep this post short, for a change).
But even if I didn’t have any objection to his logic, I would still have rejected it as a defense of ISO NE. If they had really been thinking in the same lines as my friend, they would have put everything he said in their email; however, they didn’t. The email didn’t even think to provide a justification for the designation of the two cyber assets as BES Cyber Assets; it was clear ISO NE didn’t understand CIP-002-5.1 R1 well enough to know they were wrong.
My point here isn’t to bash ISO NE. In fact, a post I’ll do very soon will point out that not understanding CIP-002-5.1 R1 is by far the rule among all parties – NERC, the regions, the NERC entities – not the exception. My point is that any standard that forces people to go through such contortions in order to identify its true meaning – requiring at least a Masters in Linguistics, a double E degree, and an intimate knowledge of how different ISO’s operate - is clearly not a “standard” at all. NERC entities can’t apply it with any sort of certainty that they’re doing the right thing, and auditors can’t assess penalties for “violations” of wording that is as transparent as mud.
Of course, other than that, I have no issues with CIP-002-5.1. I think the font it’s written in is wonderful.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.
[i] As I said in the other post, I actually agree that the only option that makes sense is the one that ISO NE chose – just designating the two devices as Medium impact BCAs; however, this can’t be done while following the wording of Criterion 2.6. The point of the post was that more and more decisions are being made by NERC and the regions (NPCC seems to have participated in this decision) in a purely ad hoc manner, because frankly that’s the only way that most decisions on the bright-line criteria will have to be made. And probably a lot of the decisions on other parts of CIP v5 as well (in fact, of course, the whole idea that NERC or the regions are making “decisions” on v5 is not in accordance with NERC’s rules. Lessons Learned at least have some semblance of legitimacy in the Rules of Procedure; “decisions” have none).