I have written several times (the most recent being here) about Lew Folkerth of RFC, who has long experience and great insights on the subject of NERC CIP compliance. He writes good articles for RFC’s monthly online magazine, and that tradition continues in his article for the July newsletter (you can find the newsletter here. Then click on “The Lighthouse” on the left side).
I thought the whole article was very good, but I was at first puzzled by the discussion of External Routable Connectivity. I recommend you read at least that section of the article; however, the salient points are in this paragraph:
“Our conclusion, then, must be that the ability of any Cyber Asset outside of the ESP to reach “PLC,” by any path, will give “PLC” External Routable Connectivity. While it may be theoretically possible to demonstrate that no External Routable Connectivity to “PLC” exists in a very small network, this becomes exponentially more difficult as the size of the network increases. Also note that if this position is taken then every Cyber Asset in the ESP with External Routable Connectivity, such as “Internal Workstation” in our example, becomes an Electronic Access Control and Monitoring System (EACMS), as each of these Cyber Assets controls access to “PLC.””
Before we go further, let me say that although I have written a number of posts on ERC (the most recent being this one), I have always focused on the case of a relay in a substation connected serially to an RTU, which is itself routably connected to a control center (in fact, I don’t think I’ve seen any other discussion – before Lew’s – that didn’t focus on the same thing). The question in this case is under what circumstances that serially-connected relay can be said to participate in ERC.
The case Lew is addressing is very different. It’s an all-IP network protected by a firewall. Some of the devices (like “Internal Workstation”) are directly accessible through the firewall; others (like the “PLC”) are not. The security question behind this is whether blocking access to a particular device through firewall rules removes ERC.
I had a phone discussion with Lew about the article, and he clarified a couple points that weren’t completely clear to me from what he wrote. Here are the main takeaways:
- On a routable network, most OS’s can be easily configured to pass traffic to another machine. So even though the PLC in his example isn’t directly accessible through the firewall, it is accessible if another machine is forwarding traffic to it – and in that case, it has ERC. So if you are claiming that your firewall is blocking ERC for some devices, you have to show the auditor that no devices with ERC are forwarding traffic to other devices. Additionally, you will have to watch the network like a hawk to make sure that forwarding isn’t turned on for a device that has ERC, toward another device that doesn’t.
- If a device with ERC is passing traffic, it needs to be declared an EACMS. I admit I originally had a hard time understanding this point. But Lew points out in an email “by creating what is effectively a mixed-trust network within a single ESP (devices with and without ERC), the entity is using its devices with ERC as firewalls to keep ERC out of the other devices. This is why the device with ERC also meets the “perform electronic access control” portion of the EACMS definition.” Note that Lew isn’t saying that just the devices that are actually forwarding traffic are EACMS; he’s saying that every device to which external access is allowed by the firewall is effectively controlling access for the other devices on the network, since a small change in its configuration would allow that access.
- In a further discussion, Lew pointed out that potentially every device in an ESP might have to be declared an EACMS, even if for most of them direct external access was blocked at the firewall.
The bottom line is that you need to think long and hard before declaring that some of the Cyber Assets within your ESP have ERC and others don’t, based on whether or not you’re allowing access to them through the firewall. If you bite the bullet and say they all have ERC, you will of course have a somewhat greater compliance burden, but your audits will be much easier (and you won’t stay up nights worrying that somebody – without telling you – is configuring forwarding on a Cyber Asset with ERC). Or in Lew’s words, “I think the message is simple: ‘Don’t mix trust (ERC and non-ERC) in the same ESP.’ It’s not that you can’t do it, but you’ll have a hard time documenting it. The security risk and the compliance risk make the practice inadvisable.”
However, there is an area Lew still isn’t sure about. That is the question how Interactive Remote Access (IRA) affects this. With IRA, the device needs to be reachable by the Intermediate Server, which is hopefully within the DMZ – but that means that technically the device is reachable from outside the ESP, and thus meets the definition of having ERC. So if the IS is the only device that can directly access any device within an ESP, is there still ERC?
At one point, I started writing “Tom’s Lessons Learned”. This post should be called one of “Lew’s Lessons Learned”. This is really what the Lessons Learned are for: explaining direct implications of the wording of the requirements. Note that for once I’m not complaining about any ambiguity or mis-wording of the requirements here – Lew just pointed out some important implications of the existing wording that probably aren’t obvious to most NERC entities (they certainly weren’t obvious to me!).