There is a discussion going on in NERC circles about whether networking devices should be declared BES Cyber Assets or not. At first glance, it seems almost an open-and-shut case that they should be. After all, the BCA definition includes Cyber Assets whose loss, etc. would impact the BES within 15 minutes. It would seem that a switch that ties together the whole network in a substation or generating station would certainly fit that bill, right?
At least one CIP auditor doesn’t think so. He makes his argument by drawing a distinction between networking devices on the ESP boundary and those that are inside the ESP. For the former, the argument is very simple (and there was a similar argument in CIP v3): since the ESP needs to include all routably connected BES Cyber Assets/Systems, if you consider the device (e.g. a switch) on the ESP to be a BCS, then you need to redraw the ESP to include it. Then the switch on the redrawn ESP becomes a BCS, and you have to redraw the ESP again, and so on. Ergo, a switch on an ESP perimeter can never be a BCS. In fact, it may very well be an Electronic Access Point.
So how about a switch that’s inside an ESP? There isn’t a compelling logical argument against making this switch a BCA/BCS, but the auditor asserts there’s no compelling logical argument to make it one, either. It’s better to use the simpler approach and not declare it a BCA. Of course, any switch within an ESP (and not otherwise part of a BCS) will have to be a Protected Cyber Asset, and will thus be subject to almost all the same controls as a BCS.
Here’s another question: how about a switch that’s within a BES Cyber System? For instance, if an entity declares their whole EMS is a BCS, should a network switch (again, one that’s not on the ESP boundary) be declared a BES Cyber Asset? As I pointed out in this recent post, if a Cyber Asset is part of a BCS, you don’t need to take the additional step to declare it a BCA (or a PCA). Since all of the v5 requirements apply at the BCS level, a switch will be protected by the standards in any case.
The auditor also wants me to point out that “What we are talking about are traditional networking devices like routers, switches, and firewalls, along with multiplexors, microwave, and the like - basically the LAN/WAN equipment that serves as the communications backbone. Not included are end devices like port servers, terminal servers, Digi devices, and so forth that simply convert the data stream between TCP/IP and serial. Those are not networking devices in the traditional sense and, as end devices that only appear in the LAN, should be identified as BCA if they have a sub-fifteen minute impact on BES reliability as described in the BCA definition.”
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.