As always, Tom is nothing if not detailed and thorough. What follows is his latest offering, verbatim. Sorry for the length but this is not your average water cooler topic. And as usual, the comments, thoughts, observations and projections are solely those of Tom and his personal and professional opinion. This is not an official corporate position or interpretation in any way. Grab a cup of caffeine and enjoy!
CIP Version 5: About those Large Plants…..
Tom Alrich, tom.alrich@honeywell.com
The opinions expressed in this article are those of the author, not necessarily of Honeywell International, Inc.
It is time to talk about CIP-002-5 Attachment 1 paragraph 2.1, the “bright-line” criterion in CIP Version 5 that brings large generation stations into scope as Medium Impact facilities. This reads (in the draft sent out on Feb. 17, with the preamble included):
Each BES Cyber System, not included in Section 1, above, associated with the following:
2.1 Commissioned generation, by each group of generating units at a single plant location, with an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection. For each group of generating units, the only BES Cyber Systems that meet this criterion are those shared BES Cyber Systems that could, within 15 minutes, adversely impact the reliable operation of any combination of units that in aggregate equal or exceed 1500 MW in a single Interconnection.
There are two big issues related to this, and they’re intertwined:
- Will FERC let the 1500MW threshold stand when they approve Version 5?
- What does the second sentence mean, and what does it imply for the number of Medium Impact plants that will have BES Cyber Systems under Version 5? Will FERC be satisfied with this number?
Both of these questions have big implications for the amounts that owners of large generating stations will have to spend to comply with CIP Version 5 (and Version 4 as well if that is the next version, since it contains similar language on both questions). And other questions need to be considered in answering these two. Let’s start with the first question.
I. The 1500MW Threshold – will it stand?
The question of whether 1500MW will be a low enough threshold to satisfy FERC is certainly one I can’t answer. I can point to the NERC survey results[1] from last year that showed that, excluding blackstart units (which are a separate discussion; see our recent blog post), approximately 7.2 percent of total US generating units[2] would be part of Critical Assets under the Version 4 bright-line criteria (which are essentially identical to the Version 5 criteria for non-blackstart generating plants to be Medium Impact facilities[3]).
If FERC does lower the threshold, what will they lower it to? 1000MW? 750MW? Even 500MW? Unfortunately, the survey data don’t allow us (or FERC) to draw any conclusions about the number of additional plants or units that will come into scope with this change. So at the moment, the main question is whether FERC will be pleased with 7.2 percent of non-blackstart generating units being part of a plant that will be a Medium Impact facility under CIP Version 5 or a Critical Asset under Version 4.[4]
II. What about the Cyber Systems in the Plants?
How many Medium Impact generating stations will have BES Cyber Systems under CIP Version 5? This second question is very similar to the question in last year’s survey, about the number of generating units that are part of plants that both are Critical Assets and have Critical Cyber Assets. In the survey, that number was 4.4% of total generating units.[5]
Of course, since Version 5 deals with BES Cyber Systems instead of Critical Cyber Assets, we really want to ask, “How many non-blackstart plants will be Medium Impact facilities with BES Cyber Systems under Version 5?” Putting aside the difference between a CCA and a BES Cyber System (which probably isn’t big enough to make a huge difference in itself in the answer to this question), the important question is the impact of the second sentence of criterion 2.1 above (“For each group….”).
Just to be clear, what this second sentence says is that a cyber system (such as a Distributed Control System) in a 1500MW+ generating station has to by itself control generation in excess of 1500MW. And since a cyber system controls “generation” by virtue of its controlling one or more generating units, what this really means is that the system has to control a number of units whose total generating capacity exceeds 1500MW.[6]
The catch here, of course, is that there are few cyber systems at 1500MW+ plants that by themselves control more than 1500MW; in fact, it is possible there aren’t any at all in the US. This is because there are few if any large plants whose units are all controlled by the same DCS. We have found that usually a DCS will control one or at most two units at a large plant (this is often because units were installed at different times). Since the units are typically between 250 and 500MW, this means very few DCS will control 1500MW. And practically, that means there will be few if any 1500MW+ plants that – under CIP Version 5 – will actually have to apply anything more than the procedural controls that apply to all Low Impact facilities.
If you saw our November post on this question, you know that we (myself and Donovan Tindill) considered this situation to be very dangerous – i.e. inviting drastic action by FERC or even Congress to “correct” this issue. I have since modified my opinion after talking with others in the industry. They point out that, assuming proper separation of the cyber systems, there is no difference between a 1600MW plant with say four 400MW units each controlled by its own DCS, and four 400MW stand-alone plants. I certainly agree with that point, but then the question turns to “proper separation”. And when you start thinking about that, it gets more interesting (and much less clear).
At this point, I want to say that I am not advocating any particular course of action on the Version 5 bright-line criteria. And I’m not saying that they are currently “too weak” from the point of view of securing the grid against cyber attack. What I do want to discuss is what FERC’s reaction will be if criterion 2.1 is left as is vs. if changes are made.
Of course, discussing FERC’s possible reaction is inherently a speculative process. Let’s go to the assumption of proper separation of the DCS systems (or rather, of the networks on which they are implemented). It goes without saying (but I will anyway) that the only way a 1600MW plant (with four DCS each controlling 400MW on its own network) can be as cyber-safe as four 400MW plants is if there is no connection at all between the networks.
Now, FERC certainly knows this, given the number of power industry cyber security experts they have on staff, and the fact that staff members attend all of the SDT meetings and actively participate in the conversations. And the five Commissioners never reveal how they’re thinking to their own staff, let alone to outsiders. But what will be their reaction if criterion 2.1 makes its way to them unchanged from what is in the current draft?
If I were a FERC staff member advising the Commission, I would ask several questions (again, I’m sure they’ve already thought of these):
- Let’s say the owner of a large generating station asserts that they don’t have BES Cyber Systems[7], because they don’t have a single system that controls 1500MW of generation as required by criterion 2.1. How do you know they are telling the truth? There is no auditing of this assertion in the current V5 draft.
- But let’s say FERC gets beyond this point, and has no reason to believe the entity is lying about how much generation a DCS controls. The next question is, “Are the networks on which each DCS is implemented sufficiently separated so that a cyber attack will never propagate to the other networks?” Because if that isn’t the case, then it doesn’t matter if the DCS controls just 400MW or not – if the networks aren’t separated and the DCS is attacked, the attackers can still bring down the rest of the plant. Again, there is no provision in the current Version 5 draft to be able to answer this question. Not that there couldn’t be, just that there isn’t now.
- And let’s now say that FERC is satisfied that the networks are separated. They will finally ask, “How can you guarantee that the networks won’t – through deliberate act or mere misconfiguration – be linked up again in the future?” This is certainly a reasonable question, since I know that we see this happening all the time on industrial networks – someone just plugs a cable into a switch that connects to a device on a supposedly separate network. What this might require is new CIP requirements for maintaining separation of internal networks, when the ‘exemption’ in criterion 2.1 is claimed. And, of course, regular auditing to see those requirements are being met.
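To make the two-step logic of criterion 2.1 concrete (the plant-level 1500MW bright line, then the second-sentence test on each cyber system), and the network-separation question raised just above, here is a constructed worked example. It is added here and is not from the draft standard, NERC, or the author; the unit names, the “Eastern” Interconnection label, the 400MW figures, and the `network` field used to model “proper separation” are all assumptions.

```python
"""Constructed example: apply CIP-002-5 Attachment 1 criterion 2.1 to a plant,
first the 1500 MW bright line, then the second-sentence test per cyber system."""
from dataclasses import dataclass

THRESHOLD_MW = 1500  # criterion 2.1 bright line

@dataclass
class Unit:
    name: str
    net_mw: float         # highest rated net Real Power capability, preceding 12 months
    interconnection: str  # the criterion aggregates within a single Interconnection

@dataclass
class CyberSystem:
    name: str
    controls: tuple       # units it could adversely impact within 15 minutes
    network: str          # hypothetical label modelling the "proper separation" question

def aggregate_mw(unit_names, by_name):
    """Largest per-Interconnection sum of net MW over the named units."""
    totals = {}
    for n in unit_names:
        u = by_name[n]
        totals[u.interconnection] = totals.get(u.interconnection, 0) + u.net_mw
    return max(totals.values(), default=0)

def plant_is_medium_impact(units):
    """First sentence: the plant's units aggregate to 1500 MW or more."""
    by_name = {u.name: u for u in units}
    return aggregate_mw(by_name, by_name) >= THRESHOLD_MW

def in_scope_systems(units, systems, shared_network_propagates=False):
    """Second sentence: names of systems that could impact >= 1500 MW of units.
    shared_network_propagates=True is an assumption layered on the criterion:
    systems on one network count as a single group, reflecting the point that
    an attack on one unseparated DCS can reach the rest of the plant."""
    by_name = {u.name: u for u in units}
    if not plant_is_medium_impact(units):
        return []  # Low Impact plant: no Medium Impact BES Cyber Systems here
    def key(s):
        return s.network if shared_network_propagates else s.name
    reach = {}
    for s in systems:
        reach.setdefault(key(s), set()).update(s.controls)
    return [s.name for s in systems if aggregate_mw(reach[key(s)], by_name) >= THRESHOLD_MW]

# The article's 1600 MW plant: four 400 MW units, each on its own DCS (constructed).
UNITS = [Unit(f"U{i}", 400, "Eastern") for i in range(1, 5)]
SEPARATE = [CyberSystem(f"DCS{i}", (f"U{i}",), f"net{i}") for i in range(1, 5)]
ONE_LAN = [CyberSystem(f"DCS{i}", (f"U{i}",), "plant-lan") for i in range(1, 5)]
```

With the four DCS on separate networks no system meets the second sentence; put them on one network and treat that as a single reach, and all four do.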
As I said, I’m not advocating a course of action here. But if nothing is done and Criterion 2.1 is approved by NERC and goes to FERC as written, I believe FERC will take some action to address the three questions above. What action could they take?
One thing they could do is reject CIP Version 5 altogether and send it back for more work. Given the amount of time they’ve been waiting for Version 5, that doesn’t seem likely. Another would be to approve Version 5 but at the same time require that this issue be addressed (probably by putting in new requirements and measures to address the three questions above) in a new version (CIP Version 6!). The third would be to just make changes themselves before approving Version 5.[8]
If they do go for the third option, they could then a) develop their own new requirements to verify the scope of control of a DCS, and to ensure network separation is implemented and maintained; b) strike the second sentence out of criterion 2.1; or c) simply lower the 1500MW threshold.
I don’t think a) is likely, because it would be a lot of work to develop the new requirements themselves. I think b) is possible, but c) is the most likely scenario. However, if they do lower the threshold in MW, it’s very unlikely they’ll stop at 1000MW (since that may not add a single plant to the category of “large generating station with Medium Impact BES Cyber Systems”).
Rather, I think FERC will bring the criterion 2.1 threshold down to 750 or even 500MW. At those levels, they will finally start to get some Medium Impact BES Cyber Systems being reported at large generating stations. Of course, the “collateral damage” of all this will be that any plant rated at 500 or 750MW or higher will now be a Medium Impact one. But this could also be part of their intention all along (this gets back to the first question at the top of this post, of course). I have now reached the limit of how far I’ll go in trying to guess FERC’s future actions.
How can such action by FERC be averted? I think that would require the SDT to squarely address the three questions listed above – which means probably new requirements and measures, perhaps even in a new standard like CIP-012. However, given that it is late February now and the SDT has to finalize the standards in advance of the late March posting date for the second ballot, they have neither the time nor the inclination to address this.
The moral of this story? I think it very likely FERC will lower the MW threshold in CIP-002-5 Attachment 1, criterion 2.1 to 750 or even 500MW, before approving Version 5. The best outcome that can be hoped for is that they will also promise to raise it again (probably not back to 1500, though) if a new version of CIP that addresses the three questions above (and perhaps others that FERC will raise in their approval order) is developed. So Version 6 is coming!
[1] This link is to our (corrected) blog post about the survey results. I just tried in vain to find the actual NERC document on the NERC web site, but – as with most of my searches on that benighted site – I couldn’t find it. If you want to see the document, email me and I’ll send it to you.
[2] Of course, a single plant can have up to ten units, with the average being maybe two or three. But since the plants that these units might be part of are mostly larger ones, it stands to reason that the percent of generating stations that would be Critical Assets under Version 4 (or Medium Impact under V5) would be much lower than 7.2 percent. This is because the numerator (units in scope) would be divided by a figure like 5 or 6 units per plant to get plants in scope, while the denominator (all units) would be divided by only 2 or 3.
[3] In both Versions 4 and 5, there are two criteria that apply to non-blackstart plants: the 1500MW criterion and a criterion that corresponds roughly to “Reliability Must Run” plants. The wording for both criteria is very similar between the two versions.
[4] I wish the survey had covered plants, not generating units, since only a plant can be a Critical Asset (or a Medium Impact facility under Version 5).
[5] Again, this will result in a much lower percentage of plants that are Critical Assets with Critical Cyber Assets.
[6] CIP-002 Version 4 has a similar ‘exemption’, although it is stated not in the criteria in CIP-002-4 Attachment 1, but in requirement R2.
[7] For those who are familiar with the draft of Version 5 that was voted on in December but have not followed the discussion since then, the SDT has decided to be consistent and have all requirements apply to BES Cyber Systems, not BES Cyber Assets. The latter are still defined, and that definition is still fundamental to Version 5. But the entity can group these cyber assets into systems of one or more cyber assets for compliance purposes. This (and other changes like fewer TFEs) should make the compliance process easier than in Versions 1-3.
[8] There might not be a way, under the current NERC Rules of Procedure, that FERC can simply make a change before approving the full set of CIP Version 5 standards. But they effectively do have this power – as well as to do anything else they want, like write a standard from scratch – now. See paragraphs 309 and 321, which were added to the Rules of Procedure in 2010.