Questions from Webinar “Covering your Assets in CIP Version 5” - With Answers

by Tom Alrich, Honeywell

Q: You said low inventories might take years. You reckon that will be the case at most utilities?

A: Most of the entities (utilities and IPP’s) I have talked with have said as much, although I haven’t done a scientific sample. I know someone from a large US agency that operates dams in the West estimated at a WECC meeting that they had 350,000 cyber assets at their BES facilities (presumably mostly uninventoried). Please note that I have recently come to believe FERC will not require inventories for Low impact facilities.

Q: Can I get a copy of your presentation?

A: It’s available at the same site as the recording.

Q: In your opinion, what are the biggest changes that FERC will request for v6?

A:
1) Removal of “Identify, Assess and Correct” from 17 requirements
2) Specific controls for Lows (and inventory)
3) Two changes in the definition of BES Cyber Asset (removal of the “15-minute” criterion and of the sentence exempting laptops used for less than 30 days within the ESP)

These are only guesses, of course. For a further discussion, see this blog post. Also, please note that, although that post suggests FERC may not have to require an immediate CIP Version 6 to be developed, I am now coming back to believing that Version 6 will be the next CIP version that NERC entities have to comply with – as I asserted in the webinar. I will soon have a new blog post out about this.

Q: For GOPs, won't many cyber systems at Medium facilities come in as low if they don't impact 1500MW of generation?

A: Yes, I believe that will be the case, but Attachment 1 doesn’t specifically say they’ll be Lows (one of many pieces of interpretation needed for Version 5). The networks will need to be separated; otherwise, even though there might be just one system that impacts 1500MW (i.e.
one BES Cyber System), all the other assets on the network will be Protected Cyber Assets and need to be protected almost the same way as the BES Cyber System (i.e. as Mediums).

Q: I.e. should it be within the EPS or in a DMZ network?

A: Sorry, I don’t know the context of this question. If you want to email me, I’ll try to answer it.

Q: There are some situations where the systems such as historians systems are used for business purposes. How would you address such systems?

A: If a historian is accessed by general business users, it should be in a DMZ, not within the ESP. Let me know if that isn’t what you were asking.

Q: If two separate control houses are used to control different HV parts of a substation, do the bright line criteria apply to the whole substation, or just to the facilities controlled by each BCS independently?

A: If both parts of the substation are HV and meet the criteria for Medium impact, I would assume the criteria apply to the whole substation. I don’t think you can “slice and dice” a transmission substation into two transmission subs (you can do that with a combined transmission and distribution substation, as long as you separate the networks). I also think you may not understand what a BES Cyber System is. It certainly doesn’t control a facility; it’s just a group of one or more BES Cyber Assets. It’s really the V5 equivalent of Critical Cyber Asset.

Q: When do you expect to have some clarification on the definition of BES Cyber Asset? The interpretation of this can mean massive differences in what must be secured and to what extent. The concern here is budgeting and engineering required to comply by deadlines.

A: NERC expects FERC to approve Version 5 – and order any changes they want – this year, including the definition for BES Cyber Asset. Given the tone of their NOPR, I believe it is likely they will order that the 15-minute provision and the sentence exempting assets connected for less than 30 days be removed.
I now believe this can be done simply by ordering NERC to make a change to the Glossary (where the V5 Definitions now officially reside); it won’t in itself require a new version of CIP. However, FERC may decide that removing the “Identify, Assess and Correct” language from Version 5 does require a new Version 6 – so this will probably still be the next version everyone has to comply with (as I stated in the webinar).

Q: Should we start our inventory for H, M and L with our BES Asset list?

A: Well, now you got me going. You start your inventory of BES Facilities with the list of all your BES Facilities from Section 4.2 of CIP-002-5 (essentially, every BES Facility you have unless you’re only a DP). Once you know whether the Facility is High, Medium or Low impact (from Attachment 1), you inventory all of your cyber assets associated with the Facility. Those that meet the definition of BES Cyber Asset are your BES Cyber Assets.

However, this is my opinion; I know there are others who assert that CIP-002-5 allows for classification of BES Cyber Systems as High, Medium or Low impact, independently of the Facility’s rating as H/M/L. While I admit there is some language in R1 and Attachment 1 that would make this seem to be the case, I don’t see how this could happen given the rest of CIP-002-5; I believe it to be a relic of the first draft of V5, which actually did use that approach. I would like to see FERC order this language be clarified, but I’m afraid they won’t. So I think NERC really needs to develop in-depth guidance on CIP-002-5.

I’m kind of skipping over a number of nuances in this. I’d be glad to have a conversation with you to go into more detail.

Q: In NERC CIP v5, is it mandatory to collect logs on a real time basis?

A: For Lows, it’s not mandatory now. For Highs and Mediums, it is mandatory that logs be collected real time, but they don’t have to be analyzed in real time (i.e. SIEM) – only every 15 days.
However, Highs and Mediums with external routable connectivity do have to alert in real time for detection of malicious code or failure of the logging system. See CIP-007-5 R4.

Q: When identifying a Cyber System, what are some of the considerations for SCADA systems that are shared across Transmission and Distribution? Are the components associated with Transmission "in" and all others "out" and how do we make the distinction?

A: Steve Parker and I both addressed this question in the webinar. Neither of us sees any practical way an entity could separate out the Transmission and Distribution elements of a SCADA system. Steve pointed out that one problem is you would have to have firewalls wherever there was a separation, and those create more problems than they solve in this case.

Q: How would an entity who has shared Cyber Assets within one control house (owned by one of the entities), simplify compliance associated with the new CIP standards? Would a Coordinated Functional Registration CFR be an appropriate way to deal with jointly owned assets?

A: Good question, but this is above my pay grade. I know there needs to be at least some agreement in place that one entity will be in charge of CIP compliance (perhaps all NERC compliance).

Q: What about my communications facilities (microwave towers, etc)? Are they BES facilities? Does the exception for communication networks linking discrete ESPs notion still exist in v5?

A: Yes, see CIP-002-5 Section 4.2.3. FERC did complain about this in their NOPR (in relation to the fact that the definition of Cyber Asset in the V5 Definitions document excludes “communications networks”, which had previously been in the definition). However, since actually trying to include communications assets in CIP would be a huge change, it’s highly unlikely FERC will order NERC to do anything about it in Version 5.

Q: For your senior manager to approve your list every year as required ...
regardless of what is said you need a list (Low or no impact items).

A: This question (actually, statement) refers to the fact that CIP Version 5 states in two places that an inventory of Low impact BES Cyber Systems isn’t required. The questioner points out that this seems to contradict CIP-002-5 R2.2, which requires each responsible entity to “Have its CIP Senior Manager or delegate approve the identifications required by Requirement R1 at least once every 15 calendar months, even if it has no identified items in Requirement R1.”

This is a good point. However, I think the fact that the sub-requirement cited says “identifications required by Requirement R1” is probably NERC’s out. R1 doesn’t require Lows to have a list of their Low impact BES Cyber Systems (although in my opinion, Section 3 of Attachment 1 does require Lows to have this – one of many problems I see with CIP-002-5 that I hope NERC will address in a Guidance document, even if FERC doesn’t require they be fixed).

Note that I have changed my thinking since the webinar and am no longer sure FERC will require an inventory of Low impact cyber assets.

Q: Tom, are you saying that a printer currently located outside of a V3/4 ESP, where the AP has a rule allowing a CCA to print to this printer, would need to be considered a PCA?

A: I’m not sure what statement of mine this was referring to, but no, I wouldn’t consider the printer a PCA in that situation. As long as it’s legitimately outside the ESP, I don’t see that as a problem. However (and this is a big however), I would think you might get into a data diode-type question with your auditor, having to prove there couldn’t be any communications from the printer back into the ESP – and this might be impossible, since I assume any printer or print server has to communicate back to the machine doing the printing. In that case, the printer would need to be within the ESP.

Q: If thirty day clause is removed, what is a PCA?
A: This question refers to the last sentence of the definition of BES Cyber Asset, which exempts devices used within the ESP for less than 30 days from being considered as BES Cyber Assets; FERC may order this sentence be removed. However, its removal doesn’t affect the concept of Protected Cyber Asset. Those are cyber assets that are on the same network as BES Cyber Systems but are not themselves BCS. With the sentence removed, those less-than-30-day devices could be BES Cyber Assets if they met the BCA definition; otherwise, they would be PCA’s. But that isn’t any different from any cyber assets that are permanently in the ESP – they also can be either BCA’s or PCA’s.

Q: The "30 day" verbiage was added to alleviate the issue with maintenance type systems being connected for a brief period of time. What type of provision do you think should be put in for these types of systems, if any?

A: Excellent question. My opinion doesn’t matter, but FERC’s does. I don’t think it’s likely that FERC will allow NERC to make any special distinction for maintenance type systems (remember that CIP Exceptional Circumstances can trump all of this, so you don’t have to worry about BES Cyber Systems or ESP’s in an emergency).

In other words, maintenance assets should be compared to the definition of BES Cyber Asset to determine whether or not they’re a BCA. If they’re not, but if they’re connected on the same network as one or more BES Cyber Systems (and they presumably are, since they’re being used in the ESP), then they need to be treated as Protected Cyber Assets. In practice, of course, the requirements that apply to PCA’s include almost all of the requirements that apply to BES Cyber Systems, so the entity will have to do the same sorts of things to them.

One document that should be considered in this regard is FERC’s Order of March 21 remanding the NERC Interpretation requested by Duke Energy.
This made it clear that an asset that could be used to control a Critical Asset had to be considered a Critical Cyber Asset, even if it wasn’t normally used for that purpose. Of course, this applied to CIP Version 3, but I’d say it’s safe to assume that, if the maintenance laptop can be used to control the facility, or if it in any other way meets the definition of BES Cyber Asset (minus the last sentence and also the 15-minute clause, which FERC is also likely to order removed), then auditors will consider it a BCA, whether or not it is ever normally used for that purpose. This is another reason why NERC needs to provide guidance.

Note that I am no longer completely convinced that FERC will require the sentence about 30 days be removed from the BES Cyber Asset definition.

Q: Can you discuss differences required for routable networks versus non-routable connections?

A: What V5 (and V1-3) treat differently is cyber assets that participate in external routable connectivity. That’s what the “exemption” was about in V1-3; in V5, that “exemption” has been removed, but there are some requirements that only apply to cyber assets that have external routable connectivity. Internal routable connectivity (i.e. within the facility) makes no difference as far as CIP-002-5 is concerned; all cyber assets have to be considered as possible BES Cyber Assets, no matter how they’re connected internally (of course, a cyber asset that isn’t connected to anything else internally won’t presumably have external routable connectivity. It would still be a BCA but wouldn’t have as many requirements apply to it).
One thing to keep in mind is something that was brought out in NERC’s Guidelines for identifying Critical Cyber Assets: Even cyber assets that are only connected serially within the facility can be considered to participate in External Routable Connectivity if there is some type of gateway device that communicates over a routable connection externally but “hands off” these communications to the appropriate device internally via a serial connection. Of course, this doesn’t strictly apply to Version 5, but my guess is that auditors will still think this way. And this points to the need for asset identification guidance for V5, as I think I’ve said 20 times already.

Q: Steve...so, in conclusion, would you expect the IAC language to survive into v5, with all of the discussed NERC guidance, training, etc.?

A: I’m sure Steve Parker will also address this, but my opinion is that IAC won’t survive into V5 – at least not in the way most people want to see it work (i.e. removing the need to report every single violation, no matter how inconsequential, of the 17 requirements that have IAC language). It could survive as a mitigating factor for penalties – so an entity with a robust IAC program will be treated much less harshly than one that doesn’t have one. You can see this blog post for a further discussion of this.

I also want to point out that, even if FERC does order IAC removed from V5, the idea isn’t necessarily dead. NERC is working on their Reliability Assurance Initiative, which will in essence provide IAC for all NERC standards (not just CIP), without requiring any standard be rewritten. So, should RAI come to pass, CIP Version 5 would end up with IAC anyway. FERC said in their NOPR that their obvious dislike for IAC shouldn’t mean they are prejudging RAI (they didn’t use that term, but it was clear what they were talking about); however, this doesn’t mean they won’t object to it when it’s ready in a year or two.
RAI will be a big topic at just about any NERC meeting you attend in the next couple years – you might want to prick up your ears the next time you hear it mentioned (plus you can read about it now on the NERC website).