“I recently wrote my longest post so far, describing how I would rewrite Version 5 of CIP-002 to change what I see as fatal imprecision in the language of that standard. However, I decided to leave part of the required changes for another post, since I wanted to think about them a little more before writing it. Here is that post. It presents my final version of what I am calling Tom Alrich Fantasy CIP-002-5, or CIP-002-5-taf.
In the previous post, I reasoned there are two main areas that need substantial wording changes in CIP-002-5: identification of “big iron” and of “little iron”. [i]
Big iron refers to the facilities that are in scope for Version 5: generating stations, control centers, etc. Little iron refers to the cyber assets that are in scope. The goal of CIP-002-5 (and note that CIP-002-5 without the “-taf” refers to the “real” version submitted to FERC by NERC in January) is for the entity to identify their cyber assets in scope for V5 (called BES Cyber Systems). However, in order to do this, the entity first has to identify and classify their facilities (or assets) in scope, so that the BES Cyber Systems can inherit the facility classifications.
The first post provided a CIP-002-5-taf that I think is much more coherent than CIP-002-5, as far as identification of little iron is concerned. However, I punted on the changes that are needed for big iron and just inserted the term “asset/Facility” as a placeholder wherever CIP-002-5 uses either “asset” or “Facility”. I will now (note – without using a net!) remove that placeholder by fixing the big iron wording problem in CIP-002-5, resulting in my final version of CIP-002-5-taf.
However, this new post will be much shorter than the previous one, since I have already discussed the big iron problems in CIP-002-5 and provided an idea of what the cure could be. I did this in an earlier post titled “My Comments to FERC on CIP Version 5, Part I”.[ii]
If you haven’t read that post, I recommend you do it now, since I don’t intend to repeat the arguments here, although I will summarize them.”
Read more via Tom Alrich's Blog: My (Final) Fantasy CIP-002-5.
Tom Alrich is part of the Honeywell Process Solutions industrial cyber security team, focusing on the energy sector and especially electric power. He has been involved with industrial cyber security and especially NERC CIP compliance since 2007. Tom has spent most of his career in the IT industry, primarily in services for networking and cyber security. Tom has a BA in Economics from the University of Chicago. He lives in Evanston, Illinois.