This comment form is no longer interactive because the comment period is closed.

2015-INT-01 Interpretation of CIP-002-5.1 for Energy Sector Security Consortium (EnergySec)

Description:

Start Date: 07/27/2016
End Date: 09/12/2016

Associated Ballots:

Ballot Name: 2015-INT-01 Interpretation of CIP-002-5.1 for Energy Sector Security Consortium (EnergySec) CIP-002-5.1 IN 1 INT
Project: 2015-INT-01 Interpretation of CIP-002-5.1 for Energy Sector Security Consortium (EnergySec)
Standard: CIP-002-5.1
Pool Open: 07/27/2016
Pool Close: 08/25/2016
Voting Start: 09/02/2016
Voting End: 09/12/2016

Hot Answers

1.       Initial ballot for CIP-003-7 - Cyber Security – Security Management Controls

Vote: No

Comments: PacifiCorp supports comments submitted by Edison Electric Institute. Also, while PacifiCorp understands the justification provided for the approach the SDT took, PacifiCorp believes that the approach adds an increased compliance burden without added benefit to the security of BES, or any assurance that entities will not be asked for a list of BES Cyber Assets at Low Impact BES Assets.

Sandra Shaffer, Berkshire Hathaway - PacifiCorp, 6, 9/12/2016

- 0 - 0

Wesley Maurer, On Behalf of: Wesley Maurer, , Segments 1, 5, 6

- 0 - 0

Other Answers

As Austin Energy (AE) understands the question, EnergySec is asking whether the entity must determine:

1. Whether each discrete BES Cyber System “could, within 15 minutes, adversely impact the reliable operation” of generation units aggregating to ≥ 1500 MW; or

2. Whether, collectively, groups of BES Cyber Systems at the generation facility “could, within 15 minutes, adversely impact the reliable operation” of generation units aggregating to ≥ 1500 MW.

 

The proposed response merely regurgitates the contents of the Background discussion regarding an entity’s freedom to group BES Cyber Assets into BES Cyber Systems; it does not answer the question of how to determine if BES Cyber Systems are shared.

AE believes the drafting team intended to say:

CIP-002-5.1 contains no requirement to group BES Cyber Systems. Accordingly, Responsible Entities may determine whether to consider BES Cyber Systems “shared.” Consequently, a Compliance Enforcement Authority has no basis for questioning a Responsible Entity’s conclusions regarding whether BES Cyber Systems are “shared” with respect to their ability to adversely impact the reliable operation of generation units aggregating to ≥ 1500 MW in a single Interconnection.

If AE has interpreted the proposed response correctly, the drafting team should clearly say so. If AE is not correct, the drafting team should rewrite the response to make it clearer.

Andrew Gallo, Austin Energy, 6, 8/20/2016

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 8/30/2016

- 0 - 0

SRP does not agree that the answer provided addresses the question. The question is not if an evaluation is to be done to determine if a BES Cyber System is shared. SRP understands the question to be asking whether the criterion should be performed on a discrete BES Cyber System shared by multiple generating units at a single plant location or on a collection of BES Cyber Systems shared by multiple generating units at a single plant location.

Diana McMahon, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Michelle Amarantos, 9/8/2016

- 0 - 0

Rachel Coyne, Texas Reliability Entity, Inc., 10, 9/8/2016

- 0 - 0

SCE agrees that a BES Cyber System that is shared between multiple generators needs to be evaluated individually, as opposed to being collectively grouped. Furthermore, SCE agrees that there is no obligation to group BES Cyber Systems. Each entity is given the choice of granularity in grouping BES Cyber Assets into BES Cyber Systems, but is not required to group BES Cyber Systems.

Patrick Farrell, On Behalf of: Edison International - Southern California Edison Company, WECC, Segments 1, 3, 5, 6

- 0 - 0

Andrea Jessup, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Joe Tarantino, On Behalf of: Sacramento Municipal Utility District - WECC - Segments 1, 3, 4, 5, 6

- 0 - 0

Logical grouping of assets should be at the discretion of the entity and not a requirement.

However, this ambiguity may not be supported at audit.

John Hagen, 9/12/2016

- 0 - 0

No additional comment

Jaclyn Massey, 9/12/2016

- 0 - 0

Reclamation believes that examples would be helpful for understanding the scope of EnergySec's request and the NERC response. 

Erika Doot, 9/12/2016

- 0 - 0

Bob Reynolds, 9/12/2016

- 0 - 0

Duke Energy, Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

We support the interpretation. It is our belief that NERC and the regions continue to focus on the Registered Entity’s ability to self-determine BES Cyber Systems and shared BES Cyber Systems. We support the direction to the guidance in the background section of CIP-002-5.1 that states:

“it is left up to the Responsible Entity to determine the level of granularity at which to identify a BES Cyber System within the qualifications in the definition of BES Cyber System”.

ACES Standards Collaborators, Segment(s) 1, 5, 3, 6, 9/12/2016

- 0 - 0

We agree with the response to Question 1.

RSC, Segment(s) 1, 0, 2, 4, 5, 6, 7, 3, 9/12/2016

- 0 - 0

We disagree that evaluation of each BES Cyber System needs to be performed individually for each discrete BES Cyber System. The question may be addressed by simply looking at the elements that comprise Criterion 2.1.

The Elements of Criterion 2.1 are:

Generation

  • Commissioned generation

  • A group [which we interpret as 1 or more] generating units

  • The generating units are at a single plant location

  • The generating units aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceed 1500 MW

  • The 1500MW threshold is at a single Interconnection.

Relationship Between the Generation and the BES Cyber Systems

  • The generating units share a BES Cyber System

The BES Cyber System

  • The BES Cyber System can cause an adverse impact to the reliable operation of any combination of the generating units

  • The adverse impact is within 15 minutes

  • The aggregate adverse impact equals or exceeds 1500 MW

  • The 1500MW adverse impact occurs at a single Interconnection.

In consideration of the criteria, if a single element is false / untrue, the BES Cyber System does not meet the threshold of a Medium Impact Risk. While we think that is straightforward, there is some nuance associated with the evaluation of a BES Cyber System, which is likely the genesis of the question.

The evaluation of a BES Cyber System.

The question asked for clarification of the term BES Cyber Systems, wanting to know if it means each individual and discrete BES Cyber System at a single plant location or collectively for groups of BES Cyber Systems.

We think clarification is found in Criterion 2.1 elements. For example, suppose there is a group of BES Cyber Systems and evaluation of the individual components determines the Criterion 2.1 thresholds are not met. At that point, it would be easy to say they are not a Medium Impact Risk. However, Criterion 2.1 language, paraphrased, is BES Cyber Systems that could adversely impact reliable operation of the generation units.

We feel the “could” qualifier brings into scope the relationship between and reliance upon the individual components of the group of BES Cyber Systems.

In other words:

If there is a failure in the interaction between two of the multiple BES Cyber Systems.

AND

The failure between the BES Cyber Systems “…within 15 minutes, adversely impact the reliable operation of any combination of units that in aggregate equal or exceed 1500 MW in a single Interconnection,”

AND

All other elements of Criterion 2.1 are met.

THEN

The threshold is pierced and the Medium Impact Risk is assigned.

It is Not Necessary to Evaluate Each Individual BES Cyber System

Based on the example, it may not be necessary to evaluate each individual BES Cyber System if the Criterion 2.1 threshold is breached on the potential failure of the interaction between two BES Cyber Systems.

We recognize the Criterion is specific to BES Cyber Systems and not the interaction between systems, but the “could” qualifier brings those interactions into scope of the evaluation regardless of whether the individual BES Cyber System, alone, can cause the requisite adversity to reliability.

Resolution is Found in the Standard Revision Process

We believe the path to clarifying the ambiguous and uncertain language requires revision of Criterion 2.1 and the underlying Standard. The material revisions required to resolve the issues cannot be gained through the interpretation process.

Jointly-Owned Units Not Considered in Standard

Of additional concern are scenarios of jointly owned units (JOU) with BES Cyber Systems that communicate between entities and also meet Criterion 2.1. While contracts will delineate owners’ responsibilities, it is common with JOU to have a level of parallel systems that, individually, “could” pierce the adverse reliability threshold.

- 0 - 0

Hot Answers

2.       Initial ballot for CIP-003-7 Implementation Plan

Vote: No

Comments: PacifiCorp supports comments submitted by Edison Electric Institute. Also, the language in the definitions and CIP-003-7 currently out for vote is a substantial rewrite of the requirements as approved by FERC. PacifiCorp cannot afford to wait to begin implementation until a revised standard is approved by FERC, meaning that any approved version that does not allow PacifiCorp to leverage work efforts already completed in alignment with the current FERC approved standard would lead to duplicative effort and costs. Any attempt to compress the overall timeline for implementation could result in a negative impact to the reliability of the bulk electric system.

Sandra Shaffer, Berkshire Hathaway - PacifiCorp, 6, 9/12/2016

- 0 - 0

Wesley Maurer, On Behalf of: Wesley Maurer, , Segments 1, 5, 6

- 0 - 0

Other Answers

Andrew Gallo, Austin Energy, 6, 8/20/2016

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 8/30/2016

- 0 - 0

Diana McMahon, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Michelle Amarantos, 9/8/2016

- 0 - 0

Rachel Coyne, Texas Reliability Entity, Inc., 10, 9/8/2016

- 0 - 0

SCE agrees that the phrase "shared BES Cyber Systems" applies to discrete BES Cyber Systems shared by multiple generators within a generation facility. SCE notes that this term was clarified in the NERC Frequently Asked Questions (FAQ) No. 49.

Patrick Farrell, On Behalf of: Edison International - Southern California Edison Company, WECC, Segments 1, 3, 5, 6

- 0 - 0

Andrea Jessup, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Joe Tarantino, On Behalf of: Sacramento Municipal Utility District - WECC - Segments 1, 3, 4, 5, 6

- 0 - 0

However, this does not resolve the question of what is "discrete".

John Hagen, 9/12/2016

- 0 - 0

No additional comment.

Jaclyn Massey, 9/12/2016

- 0 - 0

Reclamation believes that examples would be helpful for understanding the scope of EnergySec's request and the NERC response. 

Erika Doot, 9/12/2016

- 0 - 0

Bob Reynolds, 9/12/2016

- 0 - 0

Duke Energy, Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

No comments.     

ACES Standards Collaborators, Segment(s) 1, 5, 3, 6, 9/12/2016

- 0 - 0

RSC, Segment(s) 1, 0, 2, 4, 5, 6, 7, 3, 9/12/2016

- 0 - 0

We incorporate our response to Question No. 1.

The object of “those,” like at, “…are those shared…” may seem ambiguous, but the plain reading of the sentence in context illustrates “those” refers to generating units. Substituting “generating units” for “those,” the sentence reads:

“For each group of generating units, the only BES Cyber Systems that meet this criterion are generating units shared BES Cyber Systems that could, within 15 minutes…”

This supports the SDT’s proposed interpretation—that all the generating units share the discrete BES Cyber Systems. However, as discussed in our response to Question 1, we believe the path to clarifying the ambiguous and uncertain language requires revision of Criterion 2.1 and the underlying Standard. The material revisions required to resolve the issues cannot be gained through the interpretation process.

- 0 - 0

Hot Answers

3.       Initial ballot for the new term - Low Impact External Routable Communication (LERC) and its definition

Vote: No

Comments: PacifiCorp supports comments submitted by Edison Electric Institute. Also, while PacifiCorp understands the justification provided for the approach the SDT took, PacifiCorp believes that the approach adds an increased compliance burden without added benefit to the security of BES, or any assurance that entities will not be asked for a list of BES Cyber Assets at Low Impact BES Assets.

Sandra Shaffer, Berkshire Hathaway - PacifiCorp, 6, 9/12/2016

- 0 - 0

Wesley Maurer, On Behalf of: Wesley Maurer, , Segments 1, 5, 6

- 0 - 0

Other Answers

In response to Question #2, the drafting team determined, “The phrase ‘shared BES Cyber Systems’ refers to discrete BES Cyber Systems…shared by multiple generation units.” (emphasis added)

Accordingly, Question #3 seeks guidance regarding how to determine if BES Cyber Systems are “shared” by generation units so as to fall into Criterion 2.1. The proposed response does not do so. Again, AE believes the drafting team intended to say:

CIP-002-5.1 contains no guidance regarding how to group BES Cyber Systems to determine their impact on generation units aggregating ≥ 1500 MW. Accordingly, Responsible Entities have discretion regarding whether or how to “group” BES Cyber Systems. Consequently, a Compliance Enforcement Authority has no basis for questioning a Responsible Entity’s conclusions regarding whether or how to group BES Cyber Systems with respect to their ability to adversely impact the reliable operation of generation units aggregating to ≥ 1500 MW in a single Interconnection.

If AE has interpreted the proposed response correctly, the drafting team should clearly make that statement. If AE is not correct, the drafting team should rewrite the response to make it clearer.

Andrew Gallo, Austin Energy, 6, 8/20/2016

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 8/30/2016

- 0 - 0

Diana McMahon, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Michelle Amarantos, 9/8/2016

- 0 - 0

Rachel Coyne, Texas Reliability Entity, Inc., 10, 9/8/2016

- 0 - 0

SCE agrees that the phrase applies to each discrete BES Cyber System, rather than collectively to groups of BES Cyber Systems.

Patrick Farrell, On Behalf of: Edison International - Southern California Edison Company, WECC, Segments 1, 3, 5, 6

- 0 - 0

Andrea Jessup, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Joe Tarantino, On Behalf of: Sacramento Municipal Utility District - WECC - Segments 1, 3, 4, 5, 6

- 0 - 0

What is the definition of "discrete"? What attributes make a system discrete?

John Hagen, 9/12/2016

- 0 - 0

No additional comment.

Jaclyn Massey, 9/12/2016

- 0 - 0

Reclamation believes that examples would be helpful for understanding the scope of EnergySec's request and the NERC response. 

Erika Doot, 9/12/2016

- 0 - 0

Bob Reynolds, 9/12/2016

- 0 - 0

Duke Energy, Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

ACES supports that the phrase applies to each discrete BES Cyber System.

While we understand the RFI was limited to "shared," we would like the interpretation team to consider issuing guidance on jointly-owned BES Cyber Systems regarding where and how responsibility, compliance and auditability applies to each owner.

ACES Standards Collaborators, Segment(s) 1, 5, 3, 6, 9/12/2016

- 0 - 0

RSC, Segment(s) 1, 0, 2, 4, 5, 6, 7, 3, 9/12/2016

- 0 - 0

We incorporate our response to Question No. 1 and its proposed path forward.

- 0 - 0