I’ve now done four posts (starting with this one) on the question of whether substation devices like relays that are connected serially to an intermediate device, which is itself routably connected to a control center or some other location, can be said to participate in External Routable Connectivity (ERC). They have all been interesting posts to write, and have attracted a good amount of attention.
Of course, I don’t have a definitive answer to this question, nor did I ever say I did. In fact, the first post was really number five in my series of posts on “Roll Your Own”, in which I discuss how NERC entities, faced with the many missing definitions and interpretations in CIP v5, need to develop their own definitions and interpretations – faute de mieux, as the French say. But I did articulate what I thought might be the best approach; or at least I thought I did.
However, two events today led me to believe that I need to do another post to clarify – for ages to come – what my position on this question is.

One was that I had an email conversation in which it was apparent that I hadn’t made my opinion clear – and that’s not surprising, since I’d inexplicably spread my opinion over two posts, and had myself gone back and forth on one issue.
The other event was the webinar today by the CIP V5 Revisions SDT (which should be called the CIP v6/v7 SDT, of course – in fact, they implicitly admitted today that it would have been better just to bite the bullet and say they were drafting CIP v6 to begin with, rather than pretend it wasn’t, which has now led to there being three versions to comply with simultaneously). This webinar ended up shedding some light on this issue, even though it technically has nothing to do with the new CIP versions.
So what is my opinion? In the first post, I brought up the Critical Cyber Asset Identification guidelines published in 2010. Until very recently, I interpreted the discussion of this issue in that document to mean that the relays in question would definitely have ERC. However, I said a customer had recently convinced me that this view was too simplistic, and that what was important was whether the relay actually communicated over a routable connection with devices outside the substation. And sure enough, the CCA guidelines actually say that ERC is only present “if a routable connection is used to communicate outside the preliminary ESP.”
But I didn’t really explain why I thought this was the right approach until the second post, where I said: “One distinction that seems to be important is whether the intermediate device simply translates the incoming routable messages into a serial protocol for the end device, or whether the intermediate device does something like polling of the end device, meaning that incoming routable messages aren’t passed on in any way. A terminal server might be an example of the first device, while an RTU might be an example of the second.”
In that post, I then got into a diversion where I thought the fact that it could be possible to hack the RTU, then attack the relay through that, meant that really the relay did participate in ERC after all. But that opinion was demolished this week by Steve Parker, who said in the fourth post that this was really a nonsensical idea. And he was right.[i]
However, this diversion has nothing to do with my original opinion: while I’m not a CIP Doctor and don’t play one on TV, I do believe that the approach I described originally is good. And that was confirmed by the second event today, the SDT webinar.
A good part of that webinar was devoted to the new requirement for Low impact assets, CIP-003-7 R2, and the related new terms LERC and LEAP (and if you haven’t been introduced to these two gentlemen and don’t really know much about the new requirement, I suggest you go to the SDT’s web site). The best part was when Jay Cribb of Southern Companies, a key member of the CIP v5 SDT (where he was in charge of CIP-005 and perhaps more) as well as the current SDT, spent some time going over the excellent illustrative diagrams found in the Guidelines and Technical Basis section of the latest draft of CIP-003-7.
It was his discussion of the diagram on page 36 that I found particularly interesting. The diagram shows a device that connects serially to a protocol converter that converts the routable external communications to serial; it makes the point that, because of this, the device is “directly addressable from outside the asset” and therefore participates in ERC[ii]. So this criterion – whether the device is addressable from outside – might be as important a criterion as the one that I cite: whether the device communicates outside of the asset (substation). In practice, they may well amount to the same thing; answering that question is above my pay grade.
The moral of this story? Given that you may have decided you can’t wait any longer for NERC to address this question and you need to roll your own answer, you could do a lot worse than to adopt one or both of these two criteria as determinants of ERC – but whatever you end up doing, be sure to document it!
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.
[i] Steve evidently has legions of fans, since they’ve been beating down the doors of my blog to get to this post, despite the fact that I hadn’t publicized it at all. I’m now planning a new series of Steve Parker posts: The Steve Parker Diet, Steve Parker’s Favorite Christmas Recipes, Steve Parker Discusses Parenting, Steve Parker Decries Congressional Dysfunction... and more. I know a good thing when I see it. Stay tuned.
[ii] Actually LERC, the Low impact version of ERC.