I’ve now done four posts (starting with this one) on the question of whether substation devices like relays that are connected serially to an intermediate device, which is itself routably connected to a control center or some other location, can be said to participate in External Routable Connectivity (ERC). They have all been interesting posts to write, and have attracted a good amount of attention.
Of course, I don’t have a definitive answer to this question, nor did I ever say I did. In fact, the first post was really number five in my series of posts on “Roll Your Own”, in which I discuss how NERC entities, faced with the many missing definitions and interpretations in CIP v5, need to develop their own definitions and interpretations – faute de mieux as the French say. But I did articulate what I thought might be the best approach; or at least I thought I did.
However, two events today led me to believe that I need to do another post to clarify – for ages to come – what my position on this question is. One was that I had an email conversation in which it was apparent that I hadn’t made my opinion clear – and that’s not surprising, since I’d inexplicably spread my opinion over two posts, and had myself gone back and forth on one issue.
The other event was the webinar today by the CIP V5 Revisions SDT (which should be called the CIP v6/v7 SDT, of course – in fact, they implicitly admitted today that it would have been better just to bite the bullet and say they were drafting CIP v6 to begin with, rather than pretend it wasn’t, which has now led to there being three versions to comply with simultaneously). This webinar ended up shedding some light on this issue, even though it technically has nothing to do with the new CIP versions.
So what is my opinion? In the first post, I brought up the Critical Cyber Asset Identification guidelines published in 2010. Until very recently, I interpreted the discussion of this issue in that document to mean that the relays in question would definitely have ERC. However, I said a customer had recently convinced me that this view was too simplistic, that what was important was whether the relay actually communicated over a routable connection with devices outside the substation. And sure enough, the CCA guidelines actually say that ERC is only present “if a routable connection is used to communicate outside the preliminary ESP.”
But I didn’t really explain why I thought this was the right approach until the second post, where I said “One distinction that seems to be important is whether the intermediate device simply translates the incoming routable messages into a serial protocol for the end device, or whether the intermediate device does something like polling of the end device, meaning that incoming routable messages aren’t passed on in any way. A terminal server might be an example of the first device, while an RTU might be an example of the second.”
In that post, I then got into a diversion where I thought the fact that it could be possible to hack the RTU, then attack the relay through that, meant that really the relay did participate in ERC after all. But that opinion was demolished this week by Steve Parker, who said in the fourth post that this was really a nonsensical idea. And he was right.[i]
However, this diversion has nothing to do with my original opinion: While I’m not a CIP Doctor and don’t play one on TV, I do believe that the approach I described originally is good. And that was confirmed by the second event today, the SDT webinar.
A good part of that webinar was devoted to the new requirement for Low impact assets, CIP-003-7 R2, and the related new terms LERC and LEAP (and if you haven’t been introduced to these two gentlemen and don’t really know much about the new requirement, I suggest you go to the SDT’s web site). The best part was when Jay Cribb of Southern Companies, a key member of the CIP v5 SDT (where he was in charge of CIP-005 and perhaps more) as well as the current SDT, spent some time going over the excellent illustrative diagrams found in the Guidelines and Technical Basis section of the latest draft of CIP-003-7.
It was his discussion of the diagram on page 36 that I found particularly interesting. The diagram shows a device that connects serially to a protocol converter that converts the routable external communications to serial; it makes the point that, because of this, the device is “directly addressable from outside the asset” and therefore participates in ERC[ii]. So this criterion – whether the device is addressable from outside – might be as important a criterion as the one that I cite: whether the device communicates outside of the asset (substation). In practice, they may well amount to the same thing; answering that question is above my pay grade.
The moral of this story? Given that you may have decided you can’t wait any longer for NERC to address this question and you need to roll your own answer, you could do a lot worse than to adopt one or both of these two criteria as determinants of ERC – but whatever you end up doing, be sure to document it!
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.
[i] Steve evidently has legions of fans, since they’ve been beating down the doors of my blog to get to this post, despite the fact that I hadn’t publicized it at all. I’m now planning a new series of Steve Parker posts: The Steve Parker Diet, Steve Parker’s Favorite Christmas Recipes, Steve Parker Discusses Parenting, Steve Parker Decries Congressional Dysfunction… and more. I know a good thing when I see it. Stay tuned.
[ii] Actually LERC, the Low impact version of ERC.