Monthly Archives: May 2012

Auntie Em and a Technical Interpretation of NERC CIP 006

Hello all.

For those of you that like controversy and/or technical, detailed interpretations of regulatory standards well, you are in for a TREAT today!

One of our regular correspondents who shall remain nameless sent this one over to me the other day.  I can't reveal the person's name or organization but suffice it to say 'Auntie Em' is in the thick of things and has a vested interest in the application and maintenance of NERC CIP.  To that end old Auntie Em posed a question soliciting feedback from the greater community about CIP 006-3a R2.2.  You see, it would seem that this section 'implies' something which is indirectly supported by other references BUT nowhere is this explicitly stated.  Follow, if you will, the following chain of thought.

CIP 006-3a R2.2 is a subset of R2 which states:

Protection of Physical Access Control Systems [PACS - editor's reference] — Cyber Assets that authorize and/or log access to the Physical Security Perimeter(s), exclusive of hardware at the Physical Security Perimeter access point such as electronic lock control mechanisms and badge readers, shall:

(now onto R2.2): Be afforded the protective measures specified in Standard CIP-003-3; Standard CIP-004-3 Requirement R3; Standard CIP-005-3 Requirements R2 and R3; Standard CIP-006-3 Requirements R4 and R5; Standard CIP-007-3; Standard CIP-008-3; and Standard CIP-009-3.

Now that is a lot to digest but let's look just at the 005 requirements R2 and R3, especially R2.4 which states:

Where external interactive access into the Electronic Security Perimeter has been enabled, the Responsible Entity shall implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party, where technically feasible.

So I can conclude (can't I?) that if you have remote electronic access to PACS then you have to have two-factor authentication?  What constitutes 'strong procedural or technical…to ensure authenticity…'?  Well Auntie Em wasn't entirely convinced so pointed us to Guidance for Secure Interactive Remote Access, date: July 2011 (Final), which, in Auntie Em's words is a '…50 page dummies guide on all things remote access for the BPS.'  A NERC reference document found here if you are so inclined.  However this source is still not overly clear.  CIP V5 has better clarification but still not explicit.

So for those still following, the intent is not crystal clear but…it should be obvious, right?  If a remote outpost can have its PACS changed from a different physical location WITHOUT strong electronic authentication on that remote physical location then what is the point?  So, in line with the original author's intent, do the 'right' thing will you?

What do you think?  Two-factor authentication on your PACS controls when remotely managing them?  Is that too strict?  Too little?

Let us know your thoughts.  And thanks to Auntie Em.

Fear, Doubt, Force – When to Ask Nicely and When to Force Someone’s Hand

Hello All.

I wanted to throw a philosophical subject out there for you.  I have spoken before about using FUD (Fear, Uncertainty and Doubt) to sell to the market when trying to implement security tools, programs, etc.  I am NOT a fan at all of trying to scare someone into buying a product or solution.  For MANY reasons such as the fact that there is no such thing as 100% secure but mostly because I, personally, would have a problem sleeping at night if I did so.  Nonetheless there are those who do it and I suppose they serve a purpose in this world.

But let's take a slight step back from the extreme form of 'Chicken Little' selling as I like to call it.  I read a Linkedin thread the other day between a number of people.  Some very notable security 'heavyweights' involved in this one.  It was about the 'Project Basecamp' effort by our friends over at Digital Bond.  In essence, Dale and cohorts have discovered and published known exploits of Modicon PLCs.  In Dale's (and his supporters') opinion they are being 'bold and decisive'.  I am inferring from the myriad of discussion points between Dale and others on the Linkedin community board that this action is viewed as an impetus to force the hand of 'the vendors'.  In other words, by pointing it out very publicly, they are acting much like the little boy who pointed out the emperor had no clothes.  From that perspective I can see how they feel their actions are necessary and required to create a greater awareness of the truth.  There have been, and continue to be, problems with security in ICS.

However there is a very dangerous problem also inherent in this approach, which lies in the fact that by publishing the specific exploits the 'keys to the kingdom' are now fully on display for anyone and everyone who may want to pick up the info and attack.  (see here for a good write-up)  Is it likely to happen?  If I had THAT crystal ball I would pick Kentucky Derby winners and retire early.  Alas I do not know.  But I ask you: how likely is the scenario to happen that Dale is trying to force?  Is Modicon suddenly going to fix any and all security problems inherent in their product AND are any and all Modicon customers going to replace/update all Modicon equipment?  If so, at what cost?  And in what timeline?  Before someone hacks Modicon systems?  Again I do not know, but my faith that secure systems can be achieved, installed/upgraded around the world in my lifetime, is a long shot.

Let me throw a couple more things at you on this one though.  Let's pretend Modicon is 100% secure on their current platforms.  We all know 3 fundamentals that will never change.

1) People are the weakest link.  You can’t protect people from themselves.  In this case I would be willing to bet my next horse race winnings that *in spite* of a secure platform, many many Modicon customers would not deploy, maintain and protect their systems accordingly.  So a perfectly secure tool is not appropriately applied.

2) Technology is fast flowing – updates would need to continue to flow from Modicon to their customers.  And we all know that every single control company has extra people milling about and piles of cash to let them play with testing, upgrades, etc., right?  So again, we can force their hand to catch up, but we need them to keep up, and for their customers to only be one half step behind (at most).

3) There is no such thing as totally 'secure'.  Sure, we can make things 'more' secure.  We can implement technologies, virtual patching, IDS/IPS, etc., etc.  In the end the true measure of 'security' is your ability to detect, react and recover.  So unless the Modicon is bullet proof AND the customer is in lock step with Modicon AND no other systems, people, etc. are involved, then this is a good idea!

I know my perspective will be discounted by those who claim I write from the 'vendor's' perspective.  But remember this:  I have not always worked for a vendor but I have always seen and believed that technology (i.e. secure PLCs) is only an enabler.  If you don't 'get' security then you won't gain much from a bullet proof tool.  (If that is even a possibility.)

What do you think?


The latest from Tom and the SDT – Second V5 Ballot Results

Hello all.  As the title suggests, our man in the field has penned another collection of thoughts.  After having attended the SPP CIP Workshop in Dallas recently, and on the heels of the V5 second ballot, here is how Tom sees it.  What follows is, as always, a collection of Tom Alrich's personal opinions and observations.  These are in no way a reflection of Honeywell corporate perspectives.  And I also must warn you, Tom had his 'creative writing' hat on!

The SDT Shifts Gears

Tom Alrich – tom.alrich@honeywell.com

I admit to sometimes having doubts about how nimble the CSO706 Standards Drafting Team is – with seventeen-odd members and a host of constituents to please at NERC and among the NERC entities.  But I was very impressed by how quickly they adjusted – on Wednesday, May 23 – to face two new realities: they are in for another big slog before CIP Version 5 is ready for approval, and it is now virtually certain that CIP Version 4 will take effect.

I had two encounters with the SDT that day.  The first was listening to Phil Huff, SDT Vice Chairman, address the SPP CIP Workshop in Dallas.  He immediately placed himself in my highest opinion (not that he wasn’t there already) by opening his talk with this quotation from Alice in Wonderland, which he thought was very illustrative of CIP:

“But I don’t want to go among mad people,” Alice remarked.

“Oh, you can’t help that,” said the Cat: “we’re all mad here. I’m mad. You’re mad.”

“How do you know I’m mad?” said Alice.

“You must be,” said the Cat, “or you wouldn’t have come here.”

But what Phil said was actually very sane: The SDT realizes it won’t be able to make the schedule for delivering CIP Version 5 to FERC by Sept. 30 of this year, which was its plan only a month or two ago (okay, he didn’t dwell on the fact that the SDT’s plans had changed, but there was no hiding they had).

Why did the SDT change its plans?  Again, Phil didn’t discuss this, but the main reason is that, although the results of the second ballot (called a successive ballot) on CIP Version 5 were encouraging, they were not good enough to move the SDT to the next stage they had been planning – namely, to have a successful recirculation ballot in June, which would then take Version 5 out of their hands and turn it over to the NERC Board of Trustees for approval.

What were the ballot results?  Phil didn’t actually know them at the time of his address (although I imagine he had an idea, having seen at least some of the comments), but I also attended the SDT’s call Wednesday afternoon, where they were formally presented.  The results were certainly much better than the first ballot: ranging from 36% to 68% positive (depending on the standard), with maybe 45-50% being the median.  However, this isn’t enough to go to a recirculation ballot, which is only intended for a standard that doesn’t require any substantive changes from the previous ballot.  That is not yet the case with CIP Version 5.

The call in the afternoon reinforced this notion: John Lim (the Chairman) confirmed that there will be another successive ballot, and that this time there is no room for error.  All or almost all of the standards will have to meet the threshold for approval (I believe that is 60%) – if that doesn't happen, then the SDT's whole effort (which has been huge) may go for naught, and NERC will need to start over with a new SAR (Standard Authorization Request) and a new SDT (and this would be for CIP Version 6.  Even the name Version 5 wouldn't survive).[1]

So it seems that the SDT is going to take its time to do this right.  John implied that they might not have spent enough time making sure the most recent Version 5 draft addressed all of the comments from the first ballot (although it would be impossible to address them all, since there were over 2,000 pages of comments.  It seems there were about 1,000 pages the second time).  They are now starting to address the new comments, and are aiming for the second successive ballot (the third ballot in all) in September.  Assuming that is successful, then they would go to a recirculation ballot by the end of the year.  And they might even be able to go home for the holidays without the prospect of having to come back and work on CIP again in the new year (this would be the first time in five years that this has not been the case, since the team started work in the fall of 2008).

And what John emphasized was that the team is hoping to make FERC's deadline (set in Order 761, issued when they approved CIP Version 4 on April 19) of March 31, 2013 for delivery of Version 5 for their approval.  This is a stretch but might be a possibility from the SDT side.  However, both Phil and John made another admission: There is no longer much likelihood that CIP Version 4 will not come into effect.  Even if NERC makes the March 31, 2013 deadline, that leaves only a year for FERC to approve Version 5, before April 1, 2014[2].  FERC took 14 months to approve Version 4, and that only involved a change to CIP-002; all of the other standards were the same as in Version 3.  Version 5 is of course a complete rewrite of CIP – it's hard to see how FERC won't take even more than 14 months to approve it. [Editor's note:  This last statement is in no way intended to imply that FERC would drag its feet or purposely try to inflict V4 on the community if it could avoid it.  Plain and simple this is complex and must be done correctly.  Therefore a sufficient amount of time will be required to allow for proper review and comment by FERC.]

So there you have it: Version 5 delayed by who knows how long? Six months or more?  And Version 4 now poised to actually be implemented on April 1, 2014.  I don’t think many people (at NERC, FERC, or the entities) wanted this to be the actual scenario, but it looks like that will be the case.

However, I still think there is a good possibility that even the projected six month delay in approving Version 5 is an underestimate.  As we discussed in a previous post, not only does the SDT have to make changes to Version 5 to address the most recent NERC member comments, but they also have to address the requests (commands?) for changes that FERC made sure to include in Order 761 – implying that NERC had better make sure they were addressed in Version 5 when it hits FERC’s desk.[3]  Since, unlike the NERC member comments, FERC’s requests aren’t likely to be popular with the NERC entities, addressing these requests will require more effort and political skill, in my opinion.  It is very possible that the SDT won’t be able to breathe a big sigh of relief this Christmas.

Which leads me to another quote from Alice in Wonderland, which occurs just before the one Phil cited:

(Alice asked) “Would you tell me, please, which way I ought to go from here?”

“That depends a good deal on where you want to get to,” said the Cat.

“I don’t much care where, so long as I get somewhere,” said Alice.

“Oh, you’re sure to do that,” said the Cat, “if you only walk long enough.”

[1] Part of this sentence was said by Phil in the morning, but it was I’m sure on John’s mind in the afternoon.

[2] This is the date that Version 4 will come into effect, set by FERC’s order of April 19.  Those of you who live and breathe NERC CIP know that the current Version 5 implementation plan says that, if FERC approves Version 5 before Version 4 comes into effect, then Version 3 will remain in effect until the effective date of Version 5.

[3] These changes are listed in the already-cited blog post, but a better description of them is in this post.


NERC CIP Dialogue and HUG update

Hello all.  I am travelling for a couple of weeks so the content is a bit delayed.  However I have two interesting things to share with you here.  OK 3.  The first is that we have decided to run a webinar on all things NERC V4 and V5.  It will be in July and we have been tweeting about it for a while now.  Registration will open soon!

Second item of interest is that our annual Americas users group is coming up soon and there is a huge emphasis on cyber security there!  A couple of Honeywell announcements (have to wait for these!), a workshop, round table, case study presentations and some cool stuff in our demo booth!  Register soon and come see us!  And don't forget, we have these events in EMEA and APAC regions too!

Third thing is a bit of a convenience for me but… We had one of the more vocal in our community ask our expert for some very specific interpretations of routable protocols and such.  I have taken the liberty to obscure any identities but the two questions/dialogue are below.  As always I must caution that the standards are a moving target and anything suggested here is simply an interpretation.  It is up to you with your local auditors to ensure you are complying.  Nonetheless I found this discussion pretty interesting.  Have a read and, as always, let us know what you think!

Donovan,

I would appreciate your comments on the NERC guidelines for identifying Critical Cyber Asset per CIP Version 4 which is recently approved by FERC.

Per the NERC enclosed guideline for identifying CCA in Version 4 — Page 37, drawing 5 — states “data concentrator that performs protocol conversion..” In some of our cases, signals are coming as 4-20 milliamp analog current loop or digital as 0 to 120 V between the control system and the Data concentrator. In that case it is not a serial, non-routable protocol such as Modbus over RS-232 etc.

What is the meaning of the Serial, Non-routable communication? Does it include the 4-20ma analog current loop?

Focusing on Drawing 5 of the NERC Guideline for Identifying CCAs, I actually don’t agree with what is stated below the diagram.  Why?  First of all this is a guideline, and Responsible Entities are audited against CIP Standards.  Nothing in the CIP standards says you have to follow this guideline, nor does it support that those serial non-routable connected devices are CCA, and need to be protected as such.  If the RSAW which the Auditors follow made reference to this guideline, or I saw significant waves and movement from other Entities to do this, then perhaps my opinion would change.

I agree with the balance of the Guideline document and how they drew the Preliminary ESP in Drawing 5, but the only device with “qualifying connectivity” is the Data Concentrator and it is subject to NERC CIP compliance.  It is the gateway to other essential devices and by this dependent relationship it is also considered “essential” – resulting in the Concentrator being grey and having the * symbol.  Subsequently, the preliminary ESP is moved to include the Data Concentrator and the infrastructure to the right, and whatever is connected on the routable communications network.  If that network is established as an ESP, and protected as such with access points, and complies with CIP-005 then I would feel the RE is compliant, and the intent of protecting the Essential Cyber Assets from external attack is accomplished.  This is how I interpret that specific scenario in Drawing 5 of page 37 of the guideline.

And the second question is “Access to these essential cyber assets from outside the ESP..” – does the “Access” mean two-way communication – meaning that the central station is receiving plant data one way and the central is sending data to the plant – for say how much to generate? However, if it is just for the status – that is, sending data from plant unit to central, one-way communication only – will that be considered as “Access”?

As for your second question on how to define access, I evaluate the “functions and capabilities” that are possible across that communication.  I direct you to the Section C. Determine Cyber Assets Which are Essential and the three (3) questions listed.  Use these questions, and determine if any influence could occur from the Control Center to the Generating facility, or any system connected into the Essential Cyber Assets.  This helps analyze and determine if the Control Center can tamper, influence, or cause negative consequence through such a connection.  I would then leverage the “15 minute” real-time consideration (introduced in V4) to determine if this occurs real-time, or if any negative behavior could be detected, intervened, and prevented.  I have instructed customers to apply this within their CIP v1-3 programs in cases such as their Environmental Monitoring, Vibration Monitoring, and Historian data.  Depending on how they use the information from these systems, they could be classified as non-essential because their [time to] impact is greater than 15 minutes, and they take efforts to prove this fact in their CIP compliance documentation.


NERC CIP Latest ‘Open Letter’ from Tom Alrich

Hello all.  As promised yesterday here is the latest set of musings from our man in the field Tom Alrich.  As always, I must point out that these are Tom's ponderings and interpretations.  These are not set instructions/recommendations, etc. for a compliance path forward, nor are these necessarily the thoughts/opinions, etc. of Honeywell.  There.  Disclaimer stated, time to read on.  And as always, let us know what you think!

Your Vote (Partly) Counts!

Tom Alrich tom.alrich@honeywell.com

The opinions expressed in this article are those of the author, not of Honeywell International, Inc. or its subsidiaries.

Before April 19, I had planned to put out a post around now – before the start of the second ballot for NERC CIP Version 5 – patriotically urging NERC entities to vote for Version 5.  While I still believe you should vote yes to the current draft, I feel that everybody should know what their vote means (and what it doesn't mean), due to the changed landscape introduced by FERC Order 761.

In my last post, I reversed myself to say that there now was a significant chance that CIP Version 4 would be implemented, followed later by Version 5.  The reason for this was that, in Order 761, FERC had not only approved Version 4 but stated five directives (by my count) that they wish to see incorporated in Version 5 (OK, they didn’t say the directives have to be in place when Version 5 is delivered to them.  But they clearly want them included, and of course have the power to insert them themselves if forced to).

What does this have to do with your vote?  As you know, this is the second ballot on Version 5, known as a successive ballot.  As things stood before April 19, assuming the second ballot was successful, Version 5 would have gone to a recirculation ballot in June (after a few tweaks to respond to comments lodged during the current comment period), and would most likely have been on FERC’s desk for their approval by the end of the third quarter of this year.

This has changed due to Order 761.  The changes FERC is requiring are substantial; they will necessitate more SDT drafting work and at least one and very possibly two more successive ballots before the recirculation ballot (if there are significant changes to a standard, it has to go back for a successive ballot, and if there are new significant changes, it goes to another successive ballot.  Only when there are no further significant changes does the standard go to the recirculation ballot)[1].  So this means that, in the ballot starting May 12, you will not be voting on something close to the final draft of Version 5.  That draft won’t be available for many months.

How different is the final draft of Version 5 likely to be from the current draft?  Here are five significant directives FERC made in Order 761 (and they take great pains to point out that these are all restatements of directives from Order 706, as well as last September's NOPR for Version 4):

  1. Paragraph 58 requires NERC to make control centers Critical Assets (if they would not otherwise be so) if they are network-connected to other control centers. Of course, it is likely that virtually every control center is so connected – thus, the few control centers that are not now designated high or medium impact in Version 5 will most likely become such.
  2. The same paragraph has this sentence: “The Commission also finds merit in MISO’s comment that responsible entities should be allowed to designate data centers as Critical Assets because of their inherent connectivity to the control centers or control systems they support.”  This is quite interesting.  What does “support” mean?  If a third party data center provides some ancillary service to a control center, does it now have to become a Critical Asset?
  3. Paragraph 87 advises that “some form of” electronic security perimeter be applied to all BES Cyber Systems.  Given that, in the current draft of V5, only medium and high impact BES Cyber Systems need to be included in an ESP, this would require that low impacts be included as well.  This will be quite controversial, as it probably means the end of the idea that entities will not have to inventory their low impact cyber assets.
  4. In Paragraph 91, FERC says “..we continue to believe that criteria adopted for the purpose of identifying Critical Cyber Assets under CIP-002 should include a cyber asset’s “connectivity” and its potential to compromise the reliable operation of the Bulk-Power System. Therefore, we expect Version 5 to address these issues.”  This is quite clearly a directive, but what does FERC want addressed?  The preceding paragraphs show that a big concern is that a cyber asset, even though it might not be essential to the operation of a Critical Asset (which is the definition of a Critical Cyber Asset), could nevertheless be connected (across an ESP) to other Critical Assets and could be used to compromise them (it seems cyber assets at control centers are what they have in mind in this discussion – see paragraph 88ff).  This will be very difficult to incorporate into the CIP standards, which is why the SDT has not been able to do so despite working on this and other Order 706 issues since 2008.  It looks now like they have to do it.
  5. Paragraph 104 states that there should be some way for NERC or the Regional Entity to review a cyber asset's designation as non-critical (or by implication Low impact under Version 5) and change that to critical (Medium or High impact in V5).

Each of these "directives" could be discussed for days.  But it seems clear that they all will be incorporated in Version 5, whether by NERC's doing or by FERC's.

All very interesting, you say, but what does this have to do with my ballot on Version 5?  I'm saying that, in the ballot starting on May 12, you won't be voting on what will be in the standards when they're finally approved.  It would have been better if this ballot had simply been postponed until the changes required by FERC had been made – but given the timing of Order 761, it was probably too late to do that.

However, this doesn't mean that the whole ballot is meaningless.  Note that, of the five directives discussed above, all but number 3 relate to designation of Critical Assets – i.e. CIP-002[2].  This means that you should probably spend most of your time addressing (i.e. commenting and voting on) CIP-003 through CIP-011.  These standards are most likely in close to their final form now, since they won't be changed by FERC's directives (the exception being that there will most likely be a requirement added that low impact BES Cyber Systems need to be included in an ESP).

To state it differently, this ballot should be looked on as primarily about CIP-003 through CIP-011.  If these standards can be approved (along with constructive comments about additional changes), then the discussion going forward can focus on CIP-002.[3]

But make no mistake: the discussion on CIP-002 will be very intense.  FERC Order 761 has effectively set the CIP Version 5 development process back by at least six months and probably more like a year.


[1] I attended an industry call a week ago in which it was suggested that the SDT might simply punt on this, saying it is too late for them to make major changes in V5, and that FERC should make those changes itself.  This strikes me as a singularly bad idea.  There will be a lot of tears and acrimony involved in making these changes, but leaving them up to FERC is potentially worse for the end user, and sets a very bad precedent for all future NERC standards.

[2] FERC refers to Critical Assets in discussing facilities in scope for Version 5, even though V5 itself uses the terms High-Impact and Medium-Impact BES Facilities.  This is because FERC has not yet been officially presented with an approved Version 5.

[3] It is of course possible that, should the approval margins for CIP-003 through -011 be great enough on this ballot, they will not even need to be submitted for another successive ballot.  They could just be put in abeyance until CIP-002 has been finalized and re-voted on; then the whole package could be submitted for the recirculation ballot, as had been planned for this June.
