Monthly Archives: November 2011

NERC and Thanksgiving?

No, sorry, they are not related!  Just that I wanted to first say Happy Thanksgiving weekend to all our American friends!  I also wanted to offer a couple items of note.

The first is that NERC released their response to FERC’s NOPR Docket No. RM11-11-000.  There is a lot in there but the main point (in my opinion) is contained in the following paragraph:

 NERC notes that its anticipated timeline to file the Version 5 CIP Standards, in conjunction with the Implementation Plan proposed in the initial draft of Version 5, may present the opportunity to suggest an extension of Version 3 until Version 5 can be implemented, thereby eliminating the need for implementing Version 4, to be followed only a short time later by implementation of Version 5. That suggestion is not being made now, and it could be considered only if the industry moves promptly on Version 5. If Version 5 is not approved by the industry, filed by NERC, and approved by the Commission within that anticipated schedule, or reasonably thereafter, it is unlikely that Version 3 could be extended in a manner that eliminates the need for implementation of Version 4.

In plain speak?  Get going on v5, hammer out the details, approve it and start working on implementing it OR you will have to live with v3, v4 AND v5!  Sounds like me telling my kids to finish their vegetables or they will go to bed with no dessert!  However, remember this is NERC now.  And this sounds an awful lot like the language FERC put in the original NOPR.  Meaning: NERC seems to be onside with FERC as it speaks to the general utility community.  Anyone surprised?

Second item of note is a continuation of our discussion on v5 002 language.  If you recall from this post we pointed out a problem with the wording in Attachment I that was backed up by the NERC webinar.  In essence, one current interpretation of the wording is that a single DCS needs to control (by itself) over 1500 MW of generation in order for it to be considered a medium impact.  We suggested lowering the threshold and probably removing the single DCS clause (or interpretation, since it really only is implied now) but what should we lower it to?  Well, I posed that question to one of my field guys who walks many miles in the shoes of a compliant entity through his support work at a host of generation facilities. What you see below is his response to me, unedited, which I offer as a conversation starter.  What do you think?

My 2 cents:

Instead of generation or generation plant – change the wording of clause 2.1 in attachment one to generation unit, lower the threshold from 1500MW to unit-specific thresholds in which case a BES cyber system (a single DCS) is clearly associated with a single generating unit – this works well for coal-fired plants which I believe is what needs to get in scope.

So Attachment 1 Section 2.1 would then read: 

Each BES Cyber Asset or BES Cyber System (comment: in this case a single DCS called a BES cyber system fits well for a single unit as we see in most coal-fired plants), not included in Section 1 above, that if rendered unavailable, degraded, or misused would, within 15 minutes adversely impact one or more BES Reliability Operating Services for:

Generation Unit with an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding ___ MW (comment: I would think 300 MW) in a single interconnection.

NERC Standard MOD-024 (Modeling, Data and Analysis) mandates that every entity verify generator unit gross and net real power capability.

Why 300 MW?

- They are worried about 300MW automatic load shedding (Under Voltage Load Shedding, Under Frequency Load Shedding) without human operator initiation and those systems are in scope as medium impact.

- They have also stated that control centers controlling 300MW or more of generation are in scope as medium impact.

- So why should units rated at 300MW or more not be in scope because of a loophole in section 2.1?

I hope their intention was to originally include 1500MW facilities with the way they worded the standard and this is only a loophole that they haven’t figured out. If their whole intention is to get more facilities out of scope then I don’t know if what we are proposing is right.  

Let us know what you think!


Yes, sorry, but more from CIP v5. Can this loophole really mean what I think it does?

First of all, for those of you who like to know about subjects other than NERC CIP, I have two offerings:

  • NPRA Webinar on the use of Unidirectional Communications (read: Data Diodes).  Webinar is Dec 6 and you can register here
  • The ICSJWG recently released the Cross-Sector Roadmap for Cybersecurity of Control Systems, which you can get here

The webinar should be an interesting discussion of alternatives to traditional firewalls.  Not sure I personally agree with their use in response to regulatory requirements (see this blog for more on that), but as a technology they are pretty interesting.  And of course the roadmap is always a good starting point for those just wading into how to get started on a security program.

Now as for the CIP v5 debate, this is getting interesting.  As you may already know, we have a webinar scheduled for Dec 8 and our intent is to share tactical steps, suggestions and recommendations as to where to start with building your CIP program.  The idea is to share our opinion on what will be required (regardless of which version we end up with).  We will not be discussing the intricacies of the similarities and differences between current and proposed versions but they will, undoubtedly, be a part of the show. 

In the interim I wanted to expand a little on something we introduced last time and that is with respect to the Bright-Line Criteria.  In the current wording for v5 there is a clear statement defining what is in scope.  Now, there are multiple levels of clarification and different aspects to the electric grid that are or are not affected, but the focus of this examination is on Generation facilities.  If you recall from our webinar with Dave Norton (who at the time was on the SDT), the problem with versions 1 through 3 was a lack of participation.  In fact, a generally accepted approximate number (from WECC reports) is that only 17% of the grid is currently participating in NERC CIP controls.  The intent in future versions of the standard therefore was to remove the ambiguity of CIP 002 and provide clear guidance as to what was in or out of scope. 

Fast forward to the current version of 002.  In it we see the following language (with respect to clarifying inclusion of Generation facilities) “…cyber asset or cyber system that could render inoperable…… for Generation with an aggregate highest rated net real…..greater than or equal to 1500 MW.”  If you interpret this literally then you may conclude that a single DCS (cyber system) needs to control that much capacity to push this facility into Medium Impact.  Not High Impact, Medium.  And if you have multiple DCS systems controlling a host of capacity, then you are NOT in scope!  (Note:  This is an extrapolation for the sake of argument!  Do NOT use this perspective as the basis for your 2012 CIP planning!) 

Now that can’t possibly be what the SDT had in mind, can it?  Well, it turns out it is.  The SDT held a webinar earlier this week and that exact question and answer were offered.  (I would offer the link to the recording here but the NERC site is VERY adept at hiding its “confidential” information!!  Just kidding.  Watch our twitter feed for the link when it is posted.)  The SDT has confirmed that a single DCS controlling an aggregate amount of capacity greater than or equal to 1500 MW is the only way you get classified as Medium.  Otherwise you are considered Low Impact. 

Let’s test this for a second.  In most facilities I have been in, separate DCS systems control various amounts of capacity but many of these facilities have way more than 1500 MW of capacity.  Moreover, these facilities have multiple DCS systems but most, if not all, supporting technologies and electronic pathways and networks are shared and interconnected.  In other words, a virus that makes its way into most facilities I have been to that has access to the DMZ level can span across all instances of DCS network.  I don’t get the SDT’s position. 

Now the other shoe that I am waiting to drop is with respect to the survey data that NERC sent to FERC in support of current bright-line levels (meaning their data that shows how much more of the non-participating 83% would be included in this version).  From a very non-scientific but straight from the horse’s mouth survey I recently completed (I phoned a few CIP people at power clients of ours), it is clear that the average owner/operator responded to the NERC survey about Generation levels as an aggregate measure of the facility as a whole.  None that I spoke to answered the survey from the perspective of the number of DCS systems.  Therefore, if the entities answered from an aggregate perspective but the SDT meant from a system-specific perspective, then the survey data is woefully inflated.

Either way this should be pretty interesting to watch unfold.  What do you think?  Am I missing something here?  Let’s hear it!


CIP v5 Posted for Comment

Hello all.

Yes, you read that headline correctly: the 5th version of CIP is now posted for review and comment.  You can see the whole list of sections, supporting documentation and an implementation plan here.  The initial ballot window is open from Dec 16, 2011 to Jan 6, 2012.  The formal comment period is open now (from Nov 7, 2011) until January 6, 2012. 

There are a couple of interesting things to note (in my opinion, anyway).  The most interesting is the language from the implementation plan (and copied into the introduction of each section of CIP as well) which states two things.  First: The effective date will be either Jan 1, 2015 OR first calendar day 7 quarters after the date of the order providing applicable regulatory approval, whichever is later.  In other words, we have a (relatively) specific time frame now.  The second interesting aspect of the implementation plan is the presence of this statement:  “Notwithstanding any order to the contrary, CIP-002-4 through CIP-009-4 do not become effective, and CIP-002-3 through CIP-009-3 remain in effect and are not retired until the effective date of the Version 5 CIP Cyber Security Standards under this implementation plan.”

In other words, we should go straight from v3 to v5!  Now whether or not this happens remains to be seen but it is right there for all to comment on.  Another interesting thing is the much more significantly detailed explanation and positioning.  It was to be expected, but there has been a lot of work by the SDT to really nail down more specific language.  Whether or not it holds up to the expected level of scrutiny will be the true test but there is a lot more meat to this version. 

Now the question(s) I want to leave you with is this:  Is the “Bright-Line” criteria appropriate?  According to my reading, I see specific functional entities listed at High Impact and then very specific requirements to be included as Medium Impact.  The specific requirements are quite empirical in that actual numbers are used, such as 1500 MW or 200KV or higher, etc.  What will be interesting is what FERC feels about these specific levels.  If you recall, we wrote about the FERC data request in which they requested recent survey data from NERC to assess just how much of the grid gets included in the Medium Impact category.  No word yet on the direction FERC will take but the discussion should be interesting.  And for those entities that are considering splitting their control rooms and effectively splitting large generation facilities into two separate (at least electronically) entities to keep combined generation under 1500 MW, make sure you read clarification 2.1 of Medium Impact rating for Generation.  It states: “Generation with an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection.”  To me this says that the effort to split your facility is wasted effort if, once you generate the power, it flows into a single switchyard and a single interconnection.

Maybe I am misreading.  What do you think?  Will we see v4?  Is the bright-line criteria going to be approved by FERC?  Is 2.1 attempting to remove a loophole?  Let’s hear what you think.

P.S. Don’t forget to sign up for our webinar on V5 titled “Proactive Payoff: Getting Ready for NERC CIP V5” on December 8th at 9:30 am MT.


NERC CIP v4 and 5 updates

Hello all.

Many things on the go right now but I want to take this opportunity to point out a few significant developments related to NERC CIP.  If you have been following this space, you’ll already know that we have a number of opinions on the subject, ranging from philosophical to regulatory.  This update combines a couple of them.  Let’s work from the future backwards for today’s discussion.  First is the recent announcement from the Standards Committee Quality Review Advisory Working Group (QRAWG).  In a letter from NERC staff to the NERC CSO706 SDT Plus list it was announced that:

“They [the QRAWG] approved the submission for posting, and the Version 5 CIP Cyber Security Standards are expected to be posted for industry review on Monday, November 7, 2011, through January 6, 2012.  The formal posting will be for 60 days, with a concurrent ballot during the final 20 days of the posting.   There will be an official NERC announcement when the standards are posted, and at that time, the standards will be available for access and review.”

In other words, v5 is going to be posted for comment and soon.  Stay tuned and we will point you to the source when they are posted.  Make sure you read and comment on the next version!

One step back from that, the SDT also met this week and worked through a number of the posted comments on v4.  Remember that the SDT MUST review all comments as part of their mandate.  And in case you were interested, this last version of the standard generated over 600 pages of comments!  Seems the v4 language has drawn significant discussion!  Now, we are still up in the air on whether v4 ever sees the light of day.  In our original opinion we had thought there was no sense in posting v4 and expecting adherence if v5 was right around the corner.  And in conflicting reports from various sources we have heard both sides:  namely that v4 will be withdrawn and/or rejected, and the alternative—that it will be put through.  Perhaps the option to simply declare to the auditors that ‘we are working on v5’ will allow entities to bypass v4 altogether?  We will have to wait and see.

Final point for the day is the one of (I think) most interest.  I have long campaigned for entities to just start working on a security program as it is inevitable.  I have argued with engineers over the intent of the standard, we have written whitepapers on the need to change our culture.  Tomes exist as to how we should treat “security” in the same vein as we do our safety programs.  I mean, security is really ensuring safe, reliable, expected operation of our facilities.  So it has NEVER been in my repertoire to use FUD to sell nor do I applaud the stick over the carrot in getting greater participation.  But when many who disagree want to wait and see a monetary justification for acting, then what I say today has to be it.

It has been my personal opinion all along that NERC started small and light with fines.  After all, the auditors can’t always even agree on the interpretation of the existing standards.  Version 5 is intending to introduce concepts that allow for credit to those who try as opposed to simply right or wrong, compliant or not.  Maybe we even get a proper appeal process in the next version to make this more co-operative.  Who knows what will finally get into the end game.  One thing, for sure, is that once the language and behavior become more clearly defined and accepted, I am willing to bet the fines go up in significance.  Today I saw just that. On their site today, NERC posted a significant fine for violating CIP to the tune of $275,000.  This is, to date, the single largest CIP-only fine.  (There are larger fines with CIP components but those larger fines have traditionally been for other regulatory violations.)  The report itself is very detailed and I am certain this particular story is far from over. 

However, if you go to the enforcement page in general for NERC and filter on CIP 002-009 for violations, you will see two things:  1) larger fines are becoming more numerous and 2) the total dollar value in fines levied to date sits now well into the millions.  Important to note: the fines spreadsheet you can download does let you filter on CIP violations but the monetary fines are not split, so that a combined fine for CIP and non-CIP violations does not get broken down when you filter on just CIP components.  However, if you filter on CIP and then sum the total fines, they are over $72M, but this does include some non-CIP violations.  Regardless of how much of that $72M is CIP, compliance is becoming costly and CIP violations are increasing in cost.  Is this real?  Is there a good chance it will cost money?  I think so.  What do you think?
