On July 16, 2015, FERC issued a new Notice of Proposed Rulemaking (NOPR)[i]. Since they have had the eight CIP version 6 standards on their desk for approval since February, it was widely anticipated that this document would discuss v6, which it certainly does. However, what was not widely anticipated was the form this document would take, as well as the other issues that are discussed in it.
For a little background, FERC could have issued two types of documents regarding v6. A NOPR (such as the one they issued in April 2013 stating they were going to approve CIP version 5) solicits comments on a rule that FERC is considering approving – in this case, the CIP v6 standards. Once FERC has gathered the comments, it makes its decision on whether or not to approve the rule, then issues an Order approving them (such as Order 791, which approved the v5 standards as submitted but then asked for four significant changes. Implementing these changes resulted in the eight v6 standards, which now need to be approved).
However, what I (and others) anticipated was that FERC would simply issue an Order approving v6, not a NOPR requesting comments. It seemed to me that, since CIP v6 was developed specifically to address the four changes FERC had asked for in Order 791, and since FERC staff members had observed – and commented on[ii] – the Standards Drafting Team meetings, there shouldn’t have been any big surprises when v6 was submitted in February. If there were a few points that they wanted changed, they could still have ordered NERC to make those (as they did in Order 791); these changes would become CIP version 7. But CIP v6 would have become the law of the land, and any entities who still had doubts whether it would be approved would have at long last had certainty.
However, FERC once again showed that anticipating what they will do is dangerous. They hinted strongly (in the very first sentence in paragraph 1, page 1[iii]) that they will approve the v6 standards as written; however, they also asked for comments on a number of issues that are either new or ones they don’t think NERC has adequately addressed. These are quite interesting, and I’ll discuss them at length below, and in part II of this post (which should follow in a day or two).
Before I do that, I want to emphasize the main takeaway of the NOPR: The CIP v6 standards will be approved as written, although once again there will be new and revised requirements (and probably a new CIP standard for supply chain security) coming in the future[iv]. And if v6 is approved at FERC’s October meeting[v], this means the compliance dates for the v6 requirements won’t be pushed back from what is shown in the v6 Implementation Plan.[vi]
The remainder of this post, and Part II, deals with topics on which FERC is soliciting comments. These may or may not result in revised requirements; one may result in an entirely new CIP standard.
CIP-006-6 R1.10 – “Communications Networks”
This is clearly an important topic for FERC; it is discussed in Section D of the NOPR, starting on page 27. CIP-006-6 R1.10 was added to CIP-006 in response to FERC’s directive in Order 791, which ordered NERC to develop a requirement to protect “the non-programmable components of communication networks”[vii]. By this they mean cabling and devices like dumb hubs and switches that might be physically tampered with to cause loss or alteration of communications between CIP-protected devices.
NERC chose to interpret this FERC directive to refer to a fairly narrow domain: cabling and non-programmable components between Cyber Assets within an ESP, when that cabling exits a PSP. R1.10 specifically addresses protecting such cabling and components. There are two other domains that are not addressed by R1.10. The first is cabling and components within the ESP that are also enclosed within a PSP. The SDT argued – and FERC agreed – that such items were now physically protected by the fact that all the Cyber Assets (BCS and PCAs) within a PSP already have physical protection. Thus, as long as the wiring between those Cyber Assets doesn’t exit the PSP, it is already protected. FERC doesn’t dispute this assertion.
The second domain is cabling and components that facilitate communications between ESPs. The fact is that these aren’t protected by CIP v5 at all now; it seems FERC believes they should be. This is a very interesting problem, and it wasn’t at all helped by the fact that NERC mistakenly claimed, in the Petition for approval of v6 filed in February, that this domain is already protected. Let me elaborate on this last point.
FERC says in paragraph 51 on page 34 “NERC further states that Part 1.10 only applies to nonprogrammable components used for connection between applicable Cyber Assets within the same Electronic Security Perimeter because Reliability Standard CIP-005-5 already requires logical protections for communications between discrete Electronic Security Perimeters.”
When I first read this, I thought FERC had to be wrong, since all of the CIP v5 and v6 standards include (in Section 18.104.22.168) an exclusion for “Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters.”[viii] But then I realized that this exclusion doesn’t cover the cabling and components that FERC is talking about; rather, it just covers cyber assets like routers that are between ESPs.
I then thought FERC had to be simply misquoting NERC. NERC couldn’t have said that CIP-005-5 requires logical protections for communications between ESPs, could they? Because this is certainly not the case. But when I looked at page 49 of the Petition (cited by FERC), I saw this: “…Reliability Standard CIP-005-5 already requires logical protections for communications between discrete ESPs. For instance, under CIP-005-5, Requirement R2 responsible entities must do the following for Interactive Remote Access into an ESP: (1) use an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset; (2) use encryption that terminates at an Intermediate System; and (3) require multi-factor authentication for all Interactive Remote Access sessions.”
In other words, NERC said in their petition that the fact that there are protections for Interactive Remote Access means there is protection for “communications between discrete ESPs”. There is only one problem with this statement: it’s false. The whole idea of IRA is it is communications into an ESP from a system that is outside of any ESP (e.g., if I use my laptop in my living room to monitor or control systems within an ESP), not from one ESP to another. FERC points this out in paragraph 56 on page 35. I find it quite odd that NERC would have made this mistake, but let’s move on.
FERC goes further to state (paragraph 57) that they are concerned about protecting communications between ESPs, in particular communications between control centers; they are clearly considering ordering such protections, and want to hear comments on this topic. Given what this will entail if it becomes a requirement, I anticipate there will be a lot of comments.
To speed up the comment process, FERC concedes one point. They state in paragraph 58, “We also recognize that third-party communication infrastructure (e.g., facilities owned by a telecommunications company) cannot necessarily be physically protected by responsible entities.” But they go on to say that logical controls could be applied (and point out that CIP-006-6 R1.10 does allow for logical protections if physical protection isn’t possible).[ix]
They conclude this discussion in paragraph 59, where they state, “...we propose to direct NERC to develop a modification to proposed Reliability Standard CIP-006-6 to require responsible entities to implement controls to protect, at a minimum, all communication links and sensitive bulk electric system data communicated between all bulk electric system Control Centers.”
I don’t think I need to tell you that this is going to be a huge issue. It will certainly be an interesting discussion.
Here is Part II of this post.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] To find it, go to www.ferc.gov and click on Documents, then eLibrary. Choose General Search and search for docket “RM15-14-“. Or drop me an email at email@example.com and I’ll send it to you.
[ii] Of course, FERC staff members always preface any comments they make at any meeting by saying, “I don’t speak for the Commissioners….” And that’s true – the five Commissioners don’t reveal their thoughts or plans on future actions to anybody else (including each other. I’ve always wondered what they talk about in the lunchroom. Must be the weather).
[iii] In this post, page numbers will refer to the actual page numbers in the document, not to the page number of the PDF file.
[iv] These will of course be numbered as CIP version 7; they will require a new Standards Drafting Team (unless the current team feels like doing this again – my guess is they won’t), new ballots, new NERC Board approval and finally new FERC approval. My fervent hope is that this time – unlike with v6 – NERC won’t just revise the standards that actually have changes, but will instead “rev” all of them to CIP version 7. Having to comply with two different CIP versions at the same time (v5 and v6) is causing – and will cause – lots of completely unnecessary confusion. Let’s not compound that by adding a third version, v7, to the mix.
[v] Here’s why October is the latest FERC can approve v6, without the implementation dates being pushed back: The dates shown in the v6 Implementation Plan for each v6 standard are all qualified by “or the first day of the first calendar quarter that is three calendar months after the date that the standard is approved by an applicable governmental authority...” Since “approval” usually refers to the date 60 days after the Order is published in the Federal Register (and since it will take a few days for the Order to be published), this means that October is probably the last month in which FERC can approve v6 in time for it to be “approved” in Q4. In the Implementation Plan, the compliance dates for the standards themselves (although there are a lot of exceptions for particular requirements, or even parts of requirements) are all April 1, 2016. This happens to be exactly the date that would result from the above qualification, if approval is in the fourth quarter. I believe the 60-day delay is to give Congress the chance to object to the Order, although my guess is that NERC CIP version 6 won’t be at the top of Congress’ mind in the fourth quarter and they will pass on this great opportunity. I want to thank an auditor friend who explained this to me.
[vi] I will be very shortly posting a new post that raises the question whether FERC may actually delay approving v6, thus forcing the v5/v6 implementation date past 4/1/16.
[vii] Paragraph 46, page 28
[viii] In a webinar I did in June with EnergySec, we had a big discussion on this exclusion, although this was in the context of NERC’s April Memorandum on Network Devices.
[ix] They add, “Also, if latency concerns mitigate against use of encryption as a logical control for any inter-Control Center communications, our understanding is that other logical protections are available, and we seek comment on this point.” I’m sure there will be a lively technical debate on this issue.