Tuesday, August 25, 2015

The News from Texas

On Tuesday August 11, 2015, I had the good fortune to listen and watch the webcast of “Chapter 1” of what will be a series of meetings (over the next few months) on CIP v5 run by the Texas Reliability Entity, Inc. (TRE). The series is entitled “The Hitchhiker’s Guide to CIP version 5”, and is being presented as a series of one-day meetings. You can find the slides from Chapter 1 here; there was no recording made.

The presentations were all very good, touching on various topics in CIP v5 compliance (I assume the remaining Chapters will be similar); the only problem was some audio issues for those of us on the phone, which I hope will be fixed before the next Chapter is presented. I don’t believe the date for Chapter 2 has been set. I did just notice that the webcast was only promised for Chapter 1; I certainly hope the remaining Chapters are also webcast.

This post lists the points I found most interesting – I’m grouping these simply by the order in which they occurred in the webcast, not on some judgment of their relative importance.

1.       One of the first presentations was on CIP-002, and it brought up a topic I’ve made the subject of two posts (here and here): the fact that an entity isn’t required to use the same grouping of BES Cyber Assets into BES Cyber Systems for all CIP v5 requirements. That is, the entity can do the grouping one way for one requirement and another way for another requirement. The TRE speaker brought up a good example – that I had also provided in the second of the above posts - of how this could be advantageous. Say you have a lot of devices (perhaps relays) that are all going to have to take a TFE for a particular requirement. Rather than have to do the TFE paperwork for each of those relays, they could all be declared one BCS for the purposes of that requirement; hence only one TFE is needed. You can see other examples of how this might help in the two posts linked above.
2.       Note: This wasn’t said in the TRE meeting, but – because I realize that the above example might require the “Relay BCS” to span ESPs - I’d like to point out that it is fine for BCS to span ESPs, as long as all communications between ESPs goes through an EAP. If that were not to happen, then the cyber assets in the communication path would need to be protected as at least PCAs, since they would be within a single ESP. I want to thank an Interested Party for explaining this to me.
3.       While only a list of BCS is required, it is a good idea to have a list of BCAs, since otherwise you can’t prove that all BCAs are in a BCS. I’ll take that one step further: It’s also a good idea to have a list of Cyber Assets, to show you have considered every one of them to determine whether or not it is a BCA.
4.       Note: This also wasn’t said at the meeting, but I want to point out that, in my “top down” approach to identifying BCS found in this post – not to be confused with TRE’s “top down” approach discussed at the meeting, which is a different thing – you don’t have to identify every BCA, because you start by identifying BCS. You do still need to list all of the components of the BCS, so that you can prove that cyber asset-specific requirements like patch management have been comprehensively applied. But this means there is no need to look at each BCS component to figure out whether it meets the BCA definition; that analysis isn’t required for each component, once it has already been determined to be part of a BCS. The same Interested Party explained that to me, although it was a while ago.
5.       You need to detail how you designed your ESPs, not simply show them on a network diagram.
6.       Similarly, you need to document the process you used to identify EAPs, not just list them. This process should include identifying the traffic that needs to cross the EAP.
7.       In what will I’m sure be a controversial statement, it was said that low entities should document their Low impact BCS, mainly because they won’t be able to prove whether or not they are subject to LERC (Low impact External Routable Connectivity) without this. I discussed this topic in this post, and also during my webinar with EnergySec on Wed. Aug. 19th. I pointed out that, if an entity wants to argue that a Low impact asset doesn’t have LERC, despite having a routable connection coming into it, this will inevitably result in a list of Low BCS being required; without such a list, they could never prove they didn’t have LERC. This means you will definitely need a list if you are going to make such a claim, but I don’t think you will otherwise.[i]
8.       There was a very good discussion of virtualization; it starts on slide 49 of the presentation. Some of the points that were made included: 1) Mixed-trust virtualization (in which both ESP and non-ESP devices are virtualized on the same virtual server) is allowed (and the speaker said that NERC had admitted this was the case) - however, it is important to justify why this was done; 2) In general, you need to consider how virtualization will affect compliance with each requirement – for example, are the hypervisor and the client device in the same PSP? (They need to be); and 3) If your hypervisor hosts a BCA or BCS, it must itself be a BCA.
9.       During a discussion of scripts and Interactive Remote Access, the TRE auditors confirmed what I and others have been saying for a while (and NERC now agrees with us): that, to address the many areas of uncertainty in CIP v5, the entity needs to determine on its own what is the best way to resolve this uncertainty (after examining all of the available guidance on the issue in question). But what is most important is that the entity document how they came to whatever conclusion they reached.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.

[i] My point in the post and the webinar was that it might be better for NERC to simply give up the idea of having any exceptions to LERC. This is because FERC clearly doesn’t like NERC’s current interpretation of LERC, as it is illustrated in Reference Model 6 in the Guidance to CIP-003-6. IMHO, if the rule is made that LERC is present whenever there is a routable connection coming into the Low asset, this will eliminate the need for a list of Low BCS. What was said at the TRE workshop only confirms me in this opinion.


  1. I have just been informed that the tentative dates for the remaining three Chapters of The Hitchhiker's Guide to CIP Version 5 are Sept. 29, Nov. 10 and Dec. 8. To get further information, email information@texasre.org

  2. Regarding 8 above, you mention the hypervisor and 'client device' need to be in the same psp. I assume by this you mean the client software which interacts and manages the hypervisor? If you have multiple psp would it be prohibited to have a single client in a psp manage hypervisors in other psps?

  3. Thanks, fromnewark. I'm not sure about this myself, but I'll forward this to TRE to answer. I'll do a new post when I get their answer.

  4. Fromnewark, I've just heard from TRE that they will answer your question in the next Hitchhiker's Guide meeting, tentatively scheduled for Sept. 29. You can watch on their site for the announcement, but I will also try to put it in my blog. They should be webcasting this as well.