Hello all. Missed a week but have been really busy! Today I am happy to report we have a fresh update from our man in the field, Tom Alrich. What you read below is the first of two reports on specific developments last week. The SDT team met in Taylor, Texas last week and by all accounts it sounds like significant progress is being made! What follows is Tom’s report in its entirety. These are 100% Tom’s observations and are therefore 100% his view and not that of any person, company or organization. Now it is a lengthy read, but for those who know CIP, it is not a simple subject. As always we welcome your thoughts and observations. Now grab a fresh coffee and settle in:
NERC CIP Version 5: Progress to Report
Note: The opinions expressed in this open letter are those of the author, not those of Honeywell International or any of its divisions.
I’ve just returned from the NERC CSO706 (CIP) Standards Drafting Team in Taylor, Texas. This was the best-attended SDT meeting in two years, with something like 25-30 industry observers, plus almost all of the SDT members. The purpose of the meeting was to start on the road to recovery from the overwhelmingly negative first ballot on CIP Version 5, by starting to develop a new draft that will pass on the next ballot (which is scheduled to start with posting of the new draft in late March). I am pleased to report that the SDT did make a lot of progress, and I am almost certain the second draft of Version 5 will be much more acceptable to the NERC membership than was the first draft.
Because there was concrete progress, I would like to discuss what I see as the most important steps that were taken. Because asset identification (CIP-002) is the foundation for the rest of the CIP standards, and because I (along with about two thirds of the other observers) attended the CIP-002 subgroup meetings, that is what I will focus on.[1]
Below are, in my opinion, the most important proposed changes in CIP Version 5 that came out of the meeting. I do want to emphasize that none of them are set in stone, because something could always change between now and the end of March (and of course, FERC will have the final say on what is in CIP Version 5!). It did seem like the SDT and its leadership were generally agreed on all of the items below.
I. Inventory for Low-Impact Assets
Many commenters pointed out (and rightly so) that the first draft of Version 5 would require NERC entities to conduct an inventory of all of their cyber assets, including those that would fall into the Low-Impact classification – in spite of the SDT’s statement in the first draft that this would not be the case. The reason for this is that one or two of the requirements for Lows in the first draft required actions to be taken on the individual cyber assets, meaning they had to be inventoried. The commenters argued that the security gains from those two actions would be more than offset by the burden of conducting an entire inventory and then visiting every cyber asset to make the one or two required changes.
The SDT agreed that this didn’t make sense, especially since they had been saying all along that the requirements on the Lows would be almost entirely programmatic. So it is highly likely that the next draft of V5 will have no requirements that would lead to an inventory being required for Lows.
II. Asset Identification
During the comment period, we had argued in the blog (and others had pointed out in their comments as well) that the asset identification process in the first draft of V5 was fatally flawed, mainly because it required a first step – going through each asset and identifying the BES Reliability Operating Services it supports – that was very burdensome, completely unnecessary, and unauditable.[2] However, when I came to the meeting I was fully expecting there to be some pushback from the SDT on this assertion, since this process had been in Version 5 for at least two years and one would expect inertia alone to make the members reluctant to remove it.
I and a few others were very pleasantly surprised to find, within the first hours of the meeting, that the CIP-002 subgroup had already agreed to take this out entirely. That is, the asset identification process will no longer start with an audit of the BES Reliability Operating Services performed by every cyber asset that touches the BES.
As per last week’s discussions, the new proposal is that the Version 5 asset identification process will now start with the facilities themselves – the generation stations, control centers, substations – just as it did in Versions 1-4 (where the process started with identification of Critical Assets). The entity will first go to Appendix I to see if it has any facilities that meet the bright-line criteria for High- and Medium-Impact. If it has any such facilities, it will then identify the BES Cyber Systems “used for the reliable operation of”[3] those facilities. These will then all inherit the classification of the facility, High or Medium.[4] This is very similar to the process in CIP Versions 1-4, where the entity starts at the Critical Asset, then identifies the Critical Cyber Assets associated with it.[5]
Low-Impact facilities will still be identified as they were in the first draft: they are BES facilities (and Systems) that don’t meet the bright-line criteria for High- or Medium-Impact facilities. If an entity has a Low facility, it will need to follow the requirements for Lows at that facility (whether or not it also has High or Medium facilities). As mentioned above, the Low-Impact requirements will not require an inventory of cyber assets, or that any measures be taken on individual cyber assets.
III. DPs and LSEs
Version 5 is the first version that applies to Distribution Providers. Versions 1-4 applied to Load-Serving Entities (although it’s doubtful many entities with just that designation had to comply with all of CIP-002 through -009); LSEs are still in scope for Version 5.
Some entities that only have DP or LSE designation had commented on the fact that they could at most have only Low-Impact BES Cyber Assets (and many would have no BES Cyber Assets at all), yet they would still have to put in place a full CIP compliance program like the big guys do. This anomaly would be heightened because of the new improved asset identification process just discussed.[6] There weren’t any pure DP/LSEs at the meeting this week, but their case was eloquently argued by other attendees (especially those from G&T coops, whose member coops often only have those designations).
The SDT leadership agreed that this was a great example of a big paperwork burden that would produce little reliability benefit. Accordingly, the Applicability section of each standard (Section A, Paragraphs 4.1.2 and 4.1.6) has been modified to show that only DPs and LSEs that have facilities or systems that meet one or more of the bright-line criteria (i.e. they have High- or Medium-Impact facilities) will have to take any compliance steps under Version 5.
IV. TO Control Centers
Another comment that appeared a lot was that Transmission Owners should not be on the hook for CIP compliance at their control centers, since it is the TOPs (Transmission Operators) that actually run them (and since TOPs are already on the hook, that means that two entities would be responsible for compliance even though only one actually runs the facility[7]). The SDT agreed with this reasoning. The proposed revision to the bright-line criteria for control centers will no longer apply to TOs.
V. Blackstart plants
It was argued both in the comments and at the meeting that making all blackstart plants Medium-Impact would be extremely counterproductive and would produce a negative impact on reliability. This is because generators have the choice whether to have their plants be in a regional blackstart plan or not. While they are paid to be in the plan, the cost is certainly well below the cost of complying with CIP Version 5 as a Medium-Impact facility (which they are per Appendix I, paragraph 2.4). The result will be a large withdrawal of blackstart units nationwide.
While this might seem like blackmail, it is simply economics. Generators are mostly unregulated, and therefore can’t pass compliance costs to their ratepayers as regulated utilities can do.[8] A meeting participant from a large generation entity told me that they have scoped out the cost of implementing CIP compliance at up to $5MM for their larger facilities (of course, blackstart plants are usually not large, but even if their compliance cost is one tenth of that, it would far exceed any revenue from being in the blackstart plan).
This participant said he had talked with generators across the country and that this process is already happening. Since generators typically have to sign up for two years as a blackstart resource, they are even now telling the RTOs that they will withdraw from the plan as of the end of their contract. I can verify that one entity has told me they will withdraw all but two of the twelve or so plants they currently have in their regional blackstart plan. This is not good.
The proposed solution to this problem was not to simply remove Appendix I, Paragraph 2.4. Instead, it was proposed that blackstart plants without external routable or dialup connectivity not be Medium-Impact (they will still be Lows), on the theory that it would be much harder for them to be victim of a coordinated cyber attack on the grid.
If you’re also a NERC CIP junkie, you probably realize this is déjà vu all over again. CIP Versions 1-4 excluded facilities lacking external connectivity from having Critical Cyber Assets (and thus from complying with almost all of CIP-003 through -009). One of the selling points of Version 5 – to FERC and Congress anyway – is that that particular exemption has been removed. Now it would be back for all blackstart plants that want to take advantage of it (and let’s face it, there will be some plants that rip out their current routable connections, just as happened with some substations under Versions 1-3. To be under blackstart, a plant has to be manned when needed for blackstart anyway, so ripping out IP wouldn’t impair its ability to be in the program). In fact, there was discussion of whether this provision should be extended to substations that were part of the blackstart cranking path as well.
When this proposal was discussed in the full session on Thursday morning (it had been worked out in the CIP-002 subgroup on Wednesday), the question also came up: Why don’t we just do this for every other bright-line criterion? That is, why don’t we just go back to how Versions 1-4 read? The answer, of course, is that because of the special nature of blackstart (that an owner can withdraw from the plan), it is virtually certain that there will be a negative impact on reliability if the change is not made.[9] The same argument cannot be made for other bright-line criteria (except perhaps for substations in the blackstart cranking path, in Attachment 1, paragraph 2.5).
But even though Attachment 1 paragraph 2.4 has now been changed to reflect this provision, I don’t want to say it is certain to happen. I believe the SDT as a whole wants this change to happen, but there are others at NERC – and ultimately FERC – who will have the final say.
VI. 1500 Megawatts
As almost everyone knows, both CIP Versions 4 and 5 have a 1500MW threshold for a power plant (not blackstart) to be mandated to be included in scope for compliance (in Version 4 as a Critical Asset, in Version 5 as a Medium-Impact facility). It might not be quite as well known that both versions state that cyber systems that don’t have an impact on 1500MW of capacity at the plant will not be in scope (as Critical Cyber Assets in V4, Medium-Impact BES Cyber Systems in V5).
This last fact is important because it significantly reduces the “footprint” of compliance for 1500MW plants. Very few have a single DCS that controls the entire plant. Usually, there will be two or more DCSs, each controlling one or two units in the plant (and these will often be different models and even from different vendors, since new units are added to a plant sometimes 10-20 years after it originally opened). Because there is no system whose compromise can bring the whole plant down, the argument for this provision is that the impact on the BES of an attack on one DCS (or other system) that controls say 500-800MW within a 1500MW+ plant is no more than that of an attack on a standalone plant of 500-800MW (which of course would not be covered by the bright-line criteria).
The bottom line is that it is likely that there will be few medium-impact BES Cyber Systems at 1500MW plants (and of course, these are the only plants other than blackstart that would be Mediums under V5. All others would be Lows). Why is this a potential problem? Because FERC (and Congress behind them) got very upset a few years ago when they found out that very few power plants were declared Critical Assets under CIP Version 1. The bright-line criteria resulted from this. It isn’t likely they will be too happy when they realize that, even though all 1500MW plants are technically in scope, few have any cyber assets that are (they already do realize this anyway, of course, since there are FERC and Congressional staffers who come from the industry and know its ins and outs well. There are always two or three FERC staffers at every SDT meeting, and they heard discussions about this issue this week as well as previously).
I believe it is likely that FERC will do something about this.[10] I don’t think they’ll change the provision that a system has to control the entire amount of the threshold (now 1500MW) in order to be in scope. I think it is more likely they will try to address the issue by simply lowering the 1500MW threshold. This would also address another problem that FERC sees, which is the general lack of plants that are in scope other than blackstart (in fact, this is more likely to be the primary reason that the threshold is lowered, rather than the single-DCS issue).
What will they lower it to? At least to 1000MW, maybe even below that. Don’t shoot me, I’m just saying what I think will happen.
[1] It did seem that the other standards didn’t have anywhere near the level of “problems” that CIP-002 did, and the other subgroups also reported a lot of progress at the end of the meeting on Thursday.
[2] It would also have the same effect on Lows as the first problem would: requiring an inventory of all cyber assets.
[3] Note the phrase “used for the reliable operation of” replaces the phrase “essential to the operation of”, which was how Critical Cyber Assets were identified in CIP Versions 1-4 – those that were essential to the operation of a Critical Asset. I believe this is a big improvement. There is no equivalent phrase in the first draft of Version 5, since BES Cyber Assets were supposed to be identified before the facilities themselves.
[4] You may wonder whether there could be a mixture of classifications at a facility – i.e. some cyber assets would be High or Medium, while others would be Low. The answer is no. Any cyber asset that meets the new definition of a BES Cyber Asset will inherit the classification of its facility. Any cyber asset that doesn’t meet the definition isn’t a Low-Impact BES Cyber Asset, it is no BES Cyber Asset at all (there were a lot of comments suggesting there be a new category of “no-impact” cyber assets. That’s not necessary. A cyber system that has no impact on the BES is by definition not a BES Cyber Asset at all. 15 minutes is the cutoff for determining what “impact” means).
[5] One FERC staff member at the meeting expressed the opinion – not the Commission’s! – that this was a step backwards due to its resemblance to asset identification in CIP V1-4. The fact is, the asset identification process in the first draft of V5 would never have worked, period. The process outlined here is workable, but it still fixes the biggest problem with CIP-002 in V1-3: that an entity pretty well could decide for itself what its critical assets were.
[6] The exact reason for this is kind of complicated, but if you want to email me I’ll let you know how I think the argument runs.
[7] Of course, there are many TO/TOPs for whom this is a moot point. There is only one entity involved anyway.
[8] Even for regulated utilities, there is always pushback from the PUC, and it may take years for it to go through.
[9] This is a good example of what I call the Elephant in the Room for Version 5: a lot of the arguments about what should be required really come down to dollars, not what is good security. I will expand on this idea in a subsequent blog post.
[10] And if you’re of the belief that FERC can’t change the standards once they are approved by NERC, send me an email and I’ll be glad to explain how they can.
