On July 16, 2015,
FERC issued a new Notice of Proposed Rulemaking (NOPR)[i]. Since
they have had the eight CIP version 6 standards on their desk for approval since
February, it was widely anticipated that this document would discuss v6,
which it certainly does. However, what was not widely anticipated was the form
this document would take, as well as the other issues that are discussed in it.
For a little
background, FERC could have issued two types of documents regarding v6. A NOPR
(such as the one
they issued in April 2013 stating they were going to approve CIP version 5)
solicits comments on a rule that FERC is considering approving – in this case,
the CIP v6 standards. Once FERC has gathered the comments, it makes its
decision on whether or not to approve the rule, then issues an Order approving
them (such as Order 791,
which approved the v5 standards as submitted but then asked for four
significant changes. Implementing these changes resulted in the eight v6
standards, which now need to be approved).
However, what
I (and others) anticipated was that FERC would simply issue an Order approving
v6, not a NOPR requesting comments. It seemed to me that, since CIP v6 was
developed specifically to address the four changes FERC had asked for in Order
791, and since FERC staff members had observed – and commented on[ii] – the
Standards Drafting Team meetings, there shouldn’t have been any big surprises
when v6 was submitted in February. If there were a few points that they wanted
changed, they could still have ordered NERC to make those (as they did in Order
791); these changes would become CIP version 7. But CIP v6 would have become
the law of the land, and any entities who still had doubts
whether it would be approved would have at long last had certainty.
However,
FERC once again showed that anticipating what they will do is dangerous. They
hinted strongly (in the very first sentence in paragraph 1, page 1[iii]) that
they will approve the v6 standards as written; however, they also asked for
comments on a number of issues that are either new or ones they don’t think
NERC has adequately addressed. These
are quite interesting, and I’ll discuss them at length below, and in part II of
this post (which should follow in a day or two).
Before I do
that, I want to emphasize the main takeaway of the NOPR: The CIP v6 standards will be approved as written, although
once again there will be new and revised requirements (and probably a new CIP
standard for supply chain security) coming in the future[iv]. And if
v6 is approved at FERC’s October meeting[v], this
means the compliance dates for the v6 requirements won’t be pushed back from
what is shown
in the v6 Implementation Plan.[vi]
The
remainder of this post, and Part II, deals with topics on which FERC is
soliciting comments. These may or may not result in revised requirements; one
may result in an entirely new CIP standard.
CIP-006-6 R1.10 – “Communications Networks”
This is
clearly an important topic for FERC; it is discussed in Section D of the NOPR, starting
on page 27. CIP-006-6 R1.10 was added to CIP-006 in response to FERC’s
directive in Order 791, which ordered NERC to develop a requirement to protect
“the non-programmable components of communication networks”[vii]. By
this they mean cabling and devices like dumb hubs and switches that might be
physically tampered with to cause loss or alteration of communications between
CIP-protected devices.
NERC chose
to interpret this FERC directive to refer to a fairly narrow domain: cabling
and non-programmable components between Cyber Assets within an ESP, when that
cabling exits a PSP. R1.10 specifically addresses protecting such cabling and
components. There are two other domains that are not addressed by R1.10. The
first is cabling and components within the ESP that are also enclosed within a
PSP. The SDT argued – and FERC agreed – that such items were now physically
protected by the fact that all the Cyber Assets (BCS and PCAs) within a PSP
already have physical protection. Thus, as long as the wiring between those
Cyber Assets doesn’t exit the PSP, it is already protected. FERC doesn’t
dispute this assertion.
The second
domain is cabling and components that facilitate communications between ESPs.
The fact is that these aren’t protected by CIP v5 at all now; it seems FERC
believes they should be. This is a very interesting problem, and it wasn’t at
all helped by the fact that NERC mistakenly claimed, in the Petition for
approval of v6 filed in February, that this domain is already protected. Let me
elaborate on this last point.
FERC says in
paragraph 51 on page 34 “NERC further states that Part 1.10 only applies to
nonprogrammable components used for connection between applicable Cyber Assets
within the same Electronic Security Perimeter because Reliability Standard
CIP-005-5 already requires logical protections for communications between
discrete Electronic Security Perimeters.”
When I first
read this, I thought FERC had to be wrong, since all of the CIP v5 and v6
standards include (in Section 4.2.3.2) an exclusion for “Cyber Assets
associated with communication networks and data communication links between
discrete Electronic Security Perimeters.”[viii]
But then I realized that this exclusion doesn’t cover the cabling and
components that FERC is talking about; rather, it just covers cyber assets like
routers that are between ESPs.
I then
thought FERC had to be simply misquoting NERC. NERC couldn’t have said that
CIP-005-5 requires logical protections for communications between ESPs, could
they? Because this is certainly not the case. But when I looked at page 49 of
the Petition (cited by FERC), I saw this: “…Reliability Standard CIP-005-5 already
requires logical protections for communications between discrete ESPs. For
instance, under CIP-005-5,
Requirement R2 responsible entities must do the following for Interactive Remote
Access into an ESP: (1) use an Intermediate System such that the Cyber Asset
initiating Interactive
Remote Access does not directly access an applicable Cyber Asset; (2) use
encryption that terminates at an Intermediate System; and (3) require
multi-factor authentication for all Interactive
Remote Access sessions.”
In other
words, NERC said in their petition that the fact that there are protections for
Interactive Remote Access means there is protection for “communications between
discrete ESPs”. There is only one problem with this statement: it’s false. The
whole idea of IRA is it is communications into
an ESP from a system that is outside of any ESP (e.g., if I use my laptop in my
living room to monitor or control systems within an ESP), not from one ESP to
another. FERC points this out in paragraph 56 on page 35. I find it quite odd
that NERC would have made this mistake, but let’s move on.
FERC goes
further to state (paragraph 57) that they are concerned about protecting
communications between ESPs, in particular communications between control
centers; they are clearly considering ordering such protections, and want to
hear comments on this topic. Given what this will entail if it becomes a
requirement, I anticipate there will be a lot of comments.
To speed up
the comment process, FERC concedes one point. They state in paragraph 58, “We
also recognize that third-party communication infrastructure (e.g., facilities
owned by a telecommunications company) cannot necessarily be physically
protected by responsible entities.” But they go on to say that logical controls
could be applied (and point out that CIP-006-6 R1.10 does allow for logical
protections if physical protection isn’t possible).[ix]
They
conclude this discussion in paragraph 59, where they state, “...we propose to
direct NERC to develop a modification to proposed Reliability Standard
CIP-006-6 to require responsible entities to implement controls to protect, at
a minimum, all communication links and sensitive bulk electric system data
communicated between all bulk electric system Control Centers.”
I don’t
think I need to tell you that this is going to be a huge issue. It will
certainly be an interesting discussion.
Here is Part II of this post.
The views and opinions expressed here are my own and don’t
necessarily represent the views or opinions of Deloitte Advisory.
[i]
To find it, go to www.ferc.gov and click on
Documents, then eLibrary. Choose General Search and search for docket
“RM15-14-“. Or drop me an email at talrich@deloitte.com
and I’ll send it to you.
[ii]
Of course, FERC staff members always preface any comments they make at any
meeting by saying, “I don’t speak for the Commissioners….” And that’s true –
the five Commissioners don’t reveal their thoughts or plans on future actions
to anybody else (including each other. I’ve always wondered what they talk
about in the lunchroom. Must be the weather).
[iii]
In this post, page numbers will refer to the actual page numbers in the
document, not to the page number of the PDF file.
[iv]
These will of course be numbered as CIP version 7; they will require a new
Standards Drafting Team (unless the current team feels like doing this again –
my guess is they won’t), new ballots, new NERC Board approval and finally new
FERC approval. My fervent hope is that this time – unlike with v6 – NERC won’t
just revise the standards that actually have changes, but will instead “rev”
all of them to CIP version 7. Having to comply with two different CIP versions
at the same time (v5 and v6) is causing – and will cause – lots of completely
unnecessary confusion. Let’s not compound that by adding a third version, v7,
to the mix.
[v]
Here’s why October is the latest FERC can approve v6, without the
implementation dates being pushed back: The dates shown in the v6
Implementation Plan for each v6 standard are all qualified by “or the first day
of the first calendar quarter that is three calendar months after the date that
the standard is approved by an applicable governmental authority...” Since
“approval” usually refers to the date
60 days after the Order is published in the Federal Register (and since it will
take a few days for the Order to be published), this means that October is
probably the last month in which FERC can approve v6 in time for it to be “approved”
in Q4. In the Implementation Plan, the compliance dates for the standards
themselves (although there are a lot of exceptions for particular requirements,
or even parts of requirements) are all April 1, 2016. This happens to be
exactly the date that would result from the above qualification, if approval is
in the fourth quarter. I believe the 60-day delay is to give Congress the
chance to object to the Order, although my guess is that NERC CIP version 6
won’t be at the top of Congress’ mind in the fourth quarter and they will pass
on this great opportunity. I want to thank an auditor friend who explained this
to me.
[vi]
I will be very shortly posting a new post that raises the question whether FERC
may actually delay approving v6, thus forcing the v5/v6 implementation date
past 4/1/16.
[vii]
Paragraph 46, page 28
[viii]
In a webinar
I did in June with EnergySec, we had a big discussion on this exclusion,
although this was in the context of NERC’s April Memorandum on Network Devices.
[ix]
They add, “Also, if latency concerns mitigate against use of encryption as a
logical control for any inter-Control Center communications, our understanding
is that other logical protections are available, and we seek comment on this
point.” I’m sure there will be a lively technical debate on this issue.
No comments:
Post a Comment