There is a discussion going on in NERC circles about whether networking devices should be declared BES Cyber Assets or not. At first glance, it seems almost an open-and-shut case that they should be. After all, the BCA definition includes Cyber Assets whose loss, etc. would impact the BES within 15 minutes. It would seem that a switch that ties together the whole network in a substation or generating station would certainly fit that bill, right?
At least one CIP auditor doesn’t think so. He makes his argument by drawing a distinction between networking devices on the ESP and those that are inside the ESP. For the latter, the argument is very simple (and there was a similar argument in CIP v3): Since the ESP needs to include all routably connected BES Cyber Assets/Systems, if you consider the device (e.g. a switch) on the ESP to be a BCS, then you need to redraw the ESP to include it. Then the switch on the redrawn ESP becomes a BCS, and you have to redraw the ESP again, etc. Ergo, a switch on an ESP perimeter can never be a BCS. In fact, it may very well be an Electronic Access Point.
So how about a switch that’s inside an ESP? There isn’t a compelling logical argument against making this switch a BCA/BCS, but the auditor asserts there’s no compelling logical argument to make it one, either. It’s better to user the simpler approach and not declare it a BCA. Of course, any switch within an ESP (and not otherwise part of a BCS) will have to be a Protected Cyber Asset, and will thus be subject to almost all the same controls as a BCS.
Here’s another question: How about a switch that’s within a BES Cyber System? For instance, if an entity declares their whole EMS is a BCS, should a network switch (again, one that’s not on the ESP boundary) be declared a BES Cyber Asset? As I pointed out in this recent post, if a Cyber Asset is part of a BCS, you don’t need to take the additional step to declare it a BCA (or a PCA). Since all of the v5 requirements apply at the BCS level, a switch will be protected by the standards in any case.
The auditor also does want me to point out that “What we are talking about are traditional networking devices like routers, switches, and firewalls, along with multiplexors, microwave, and the like - basically the LAN/WAN equipment that serves as the communications backbone. Not included are end devices like port servers, terminal servers, Digi devices, and so forth that simply convert the data stream between TCP/IP and serial. Those are not networking devices in the traditional sense and, as end devices that only appear in the LAN, should be identified as BCA if they have a sub-fifteen minute impact on BES reliability as described in the BCA definition.”
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.