As almost everyone knows, the most important category of plants that can potentially be Medium impact under CIP v5 is those plants that meet Criterion 2.1 of Attachment 1 of CIP-002-5.1. These are, without exception, huge plants with lots of potential BES Cyber Assets, and to fully comply as Medium impact will be very expensive.
Fortunately, there is a provision in 2.1 that allows plants to “segment” themselves so that no BES Cyber System can impact more than 1500MW of capacity. This provision was also in CIP v4. I have heard some refer to it as a “loophole”; but it’s really not, as I’ll show now.
Any plant this size will have multiple units of, say, 300 to 600 MW each. Let’s say that each of those units were set up as its own plant with a fence around it. Clearly, none of these smaller plants would be Medium impact (unless they met another Medium criterion like 2.3). Now take out all the fences around the individual “plants” and instead run one big fence around all of them. Voila! All of a sudden they turn into one plant of greater than 1500 MW, with completely segmented units (of course, this is a bit of an exaggeration, but not by much). Without the special provision in 2.1, all of their BCS would become Mediums, just because the fence was changed. This is clearly not fair, and it is why this provision is in there. Having a multi-unit plant with complete segmentation is not—in principle—any different than having each unit be its own plant. The risk to the BES of one unit (or small plant) being lost is the same in either case: the same generation capacity is lost.
But I’m not writing this post to justify Criterion 2.1. I’m writing it because almost every compliance person from a generation entity I have ever heard talk about this says that, by segmenting a 1500 MW plant, they change it from being Medium to Low impact. In fact, I have heard NERC staffers say the same thing. The problem is that this is wrong. The plant doesn’t cease to be Medium impact[i] when you segment it. Rather, it ceases to have Medium BCS, or as 2.1 says, BCS that “could, within 15 minutes, adversely impact the reliable operation of any combination of units that in aggregate equal or exceed 1500 MW in a single Interconnection.”[ii]
Of course, the result is substantially the same, no matter which way you say it: You will have a large plant with no Medium BCS, only Low BCS. Since a Low asset is “defined” as one that contains Low BCS, the plant will need to be listed on your list of Low assets. But most people say the plant will itself become Low impact when it no longer has Medium BCS. This is wrong. It is still Medium impact, and will remain so until its total output capacity drops below 1500MW. Is this just an academic question that doesn’t make a difference for your compliance program? Hardly. I can think of two areas where it does make a difference, one not-so-profound and the other profound.
To address the not-so-profound area first, I call your attention to Criterion 1.4 of Attachment 1 of CIP-002-5.1, which says “Each Control Center or backup Control Center used to perform the functional obligations of the Generator Operator for one or more of the assets that meet criterion 2.1, 2.3, 2.6, or 2.9.” In other words, if you have a plant that meets criterion 2.1, a control center that controls that plant will be High impact. Does it make a difference if you’ve segmented the plant and you don’t have Medium BCS there? No, it doesn’t. The Control Center is still High impact.[iii]
Now the profound reason: One appeal of having an asset be Low impact rather than Medium is that the work required for coming into compliance, as well as what is required to maintain compliance, will be much less. This is primarily because CIP-002-5.1 says in two places that there is no obligation to inventory Low impact BES Cyber Systems.
But this statement doesn’t apply in the case of a 2.1 plant that has all Low BCS because it has been segmented. Again, since the plant is Medium impact, it is up to the entity to demonstrate that the BCS have all been relegated to Low status; moreover, the entity has to do that every 15 months to comply with CIP-002 R2.
How do you show there are no Medium BCS? It will take network diagrams that show no single network, if completely brought down, would affect more than 1500MW. It also will take engineering diagrams for the physical systems, to show they don’t affect more than 1500MW. Both of these types of documents will have to be updated and made available each year, to demonstrate that no changes have been made that would create any Medium BCS.
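As an added illustration, not from the post, of the two separate tests the argument above turns on: the asset-level Criterion 2.1 test (does the plant’s own capacity reach 1500 MW in one Interconnection?) and the per-BCS test (can any one BCS affect 1500 MW or more in one Interconnection?), with the single-Interconnection wording from footnote [ii] modelled too. The unit names, capacities, Interconnection assignments and network groupings are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet

THRESHOLD_MW = 1500  # Criterion 2.1 aggregate threshold ("equal or exceed 1500 MW")


@dataclass(frozen=True)
class Unit:
    name: str
    capacity_mw: int
    interconnection: str  # footnote [ii]: aggregate only within a single Interconnection


@dataclass(frozen=True)
class BCS:
    name: str
    units: FrozenSet[str]  # units this cyber system could take down within 15 minutes


def aggregate_by_interconnection(unit_names, units: Dict[str, Unit]) -> int:
    """Largest MW total the named units add up to within any one Interconnection."""
    totals: Dict[str, int] = {}
    for n in unit_names:
        u = units[n]
        totals[u.interconnection] = totals.get(u.interconnection, 0) + u.capacity_mw
    return max(totals.values(), default=0)


def plant_meets_2_1(units: Dict[str, Unit]) -> bool:
    """Asset-level test: the plant's own capacity, regardless of how its BCS are segmented."""
    return aggregate_by_interconnection(units.keys(), units) >= THRESHOLD_MW


def classify_bcs(systems, units: Dict[str, Unit]) -> Dict[str, str]:
    """BCS-level test: Medium only if one BCS can affect >= 1500 MW in one Interconnection."""
    return {b.name: "Medium" if aggregate_by_interconnection(b.units, units) >= THRESHOLD_MW
            else "Low" for b in systems}


# Constructed plant: three 500 MW units on the Eastern Interconnection and one 400 MW unit
# on the Western (the Wyoming-style split from footnote [ii]). Plant total 1900 MW.
UNITS = {u.name: u for u in [Unit("U1", 500, "Eastern"), Unit("U2", 500, "Eastern"),
                             Unit("U3", 500, "Eastern"), Unit("U4", 400, "Western")]}
SEGMENTED = [BCS(f"dcs-{n}", frozenset({n})) for n in UNITS]  # one DCS network per unit
SHARED = [BCS("plant-dcs", frozenset({"U1", "U2", "U3"}))]     # one network spans 1500 MW
SPLIT = [BCS("cross-ic", frozenset({"U1", "U2", "U4"}))]       # 1400 MW, but across two ICs

if __name__ == "__main__":
    print("plant meets 2.1:", plant_meets_2_1(UNITS))  # True however the BCS are grouped
    print(classify_bcs(SEGMENTED, UNITS), classify_bcs(SHARED, UNITS), classify_bcs(SPLIT, UNITS))
```

The plant-level result does not change between the three groupings; only the BCS classifications do, which is the point the post makes about what the entity has to re-demonstrate each year.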
But you also can’t rule out having to identify your Low BCS at the plant, which means going through the same process as for Medium and High impact assets: identify Cyber Assets (including documenting your definition of “programmable”), identify BES Cyber Assets (including documenting how you are interpreting “adverse impact” on the BES), group these into BCS, etc. (a light version of my methodology is available here).
If an auditor doesn’t think your network diagrams are comprehensive enough – and in large coal plants there are sometimes thousands of devices that aren’t linked by IP and may not be on network diagrams in the first place – they might require your BCS list. And remember, you can’t point to the statement about an inventory of Low BCS not being required. Your BCS will be presumed Medium until you prove them to be Low.[iv] And you will need to do that every year.
Of course, I still feel it is worthwhile for most entities with 1500+MW plants to make the effort to segment their systems. It’s a good security and reliability practice as well.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] Of course, strictly speaking there is no such thing as a Medium plant, Medium substation, High Control Center, etc. While CIP-002-5.1 R1 and Attachment 1 are contradictory, the wording favors the idea that the criteria apply to BES Cyber Systems, not to assets. There are Medium and High impact BCS, but not High or Medium assets (on the other hand, there are Low assets as well as Low BCS, but the latter are deliberately not dealt with by the requirements, at least not at the moment). As I’ve stated repeatedly, I am unaware of anybody complying in this way or of the regions teaching compliance in this way. Everyone I’ve talked to is following the approach of first identifying High, Medium and Low impact assets, then classifying the BCS according to the asset’s classification, despite the fact that the words of the requirement don’t read that way. I discussed this situation in a recent post, and others before that.
[ii] You may think the words “in a single Interconnection” are fairly fanciful. After all, how many single plants serve more than one Interconnection? Well, I know of at least one, in Wyoming. Some of its units serve the Western Interconnection; others serve the Eastern Interconnection.
[iii] This makes sense, of course. The Control Center presumably controls the whole plant, not just one unit. If the Control Center is compromised by somebody or some system with ill intent, the plant could presumably be brought down in its entirety, whether or not it is segmented.
[iv] I may be making the auditors sound tougher than they really will be; they may not require all of this. But they could require it, and since it’s very possible that FERC may be your CIP v5 auditor, you should not rely on your previous experience with your region’s auditors. You should be prepared for FERC – although it’s possible that, when FERC’s official announcement comes out, they will give an idea of who might be audit targets and who wouldn’t be. On the other hand, they may decide it’s more effective to leave every NERC entity wondering who they’ll be audited by. This may be great for sales of antacids, but not so great for the sanity of CIP compliance professionals.