“Consistency is the hobgoblin of little minds.”
- Emerson

In my recent (third) webinar with EnergySec, I didn’t hide the fact that I have
recently made a 180-degree
shift in my opinion on the question of the meaning of External Routable
Connectivity (ERC). On the same day as the webinar, I elaborated on this in a post,
but since that post was more focused on what FERC had said about LERC (don’t
you just love these acronyms?), not ERC, I didn’t give a complete exposition of
what I currently believe. This post will provide that.

My previous position was stated in the post just cited and in my second webinar
with EnergySec. In that webinar, we discussed NERC’s April Memorandum on “Network
and Externally Accessible Devices” (which has since been withdrawn, along with
the other Memoranda). That document, in the section entitled “Natively
serial-based BCAs”, focused on the situation in which there is a serially-connected
device, such as a relay in a substation, that communicates with a device –
like an RTU or protocol converter – that in some way “translates” a routable
communication stream (say, from an EMS) to serial format for transfer to the relay.

NERC’s position on the scenario described was clear: “Nothing in the plain language of
the CIP version 5 standards or the record of development indicates that the SDT
intended natively serial-based BCAs that have been modified to be externally
accessible via a routable network to be treated any differently from natively
routable-based devices.” (I would include a hyperlink to the Memorandum here,
but the Memoranda have all been removed from NERC’s site. If you need a copy,
email me at talrich@deloitte.com.)

However, in the webinar and this post, I brought up Morgan King’s presentation
from WECC’s January CIPUG
meeting in which he stated that some devices perform a “protocol break” – that
is, they terminate the routable communications coming from the EMS and initiate
a different serial conversation with the relay. In such a case, Morgan stated
(and I agreed) that ERC is truly “broken”, so the relay does not have ERC. To
illustrate his point, Morgan had pointed to Reference Model 6 in the Guidance
and Technical Basis of CIP-003-6, which had diagrammed exactly this case –
although the reference was technically to LERC (Low impact ERC), rather than
ERC.

Wishing to be as nice to NERC as possible, I stated in the webinar that I believed both
NERC and Morgan were right, since they were contemplating different types of
devices. However, I suspected that NERC had meant their statement to apply more
broadly to any device that takes in a routable communications stream on one end
and emits serial on the other, so they probably weren’t contemplating any
exceptions to their rule. But I firmly believed that Morgan had gotten it right
and there was something called a “protocol break” that would break ERC.

About a month after that webinar, I changed my opinion on ERC. It didn’t happen in a
blinding flash of light on the road to Damascus. Rather, it happened when I
started trying to understand the implications of FERC’s NOPR, and specifically
the section entitled “Definition – Low Impact External Routable Connectivity”
(paragraphs 68-70). I came to believe that, while FERC’s statement had addressed
only LERC, it was impossible not to consider it a statement about ERC as well.

You can read about what I thought in this post, but to briefly summarize: FERC
made it very clear they didn’t understand
what a “protocol break” was; therefore, they didn’t think it could be invoked
as a way to remove ERC. I concluded by saying I believed NERC was working on a
Lesson Learned on ERC, and it would be a mistake if NERC repeated Morgan’s
argument (and mine) that there is something called a protocol break, and that
it “breaks” ERC. While FERC couldn’t force NERC to rescind this opinion (since
they’ve already approved the definition of ERC in Order 791), it just wouldn’t
be a good idea to fly in FERC’s face on this issue.

However, in the post I should have asked the question whether there are any other ways that
ERC can be “broken” by a device (like an RTU) that communicates routably to the
outside world, but serially to one or more other devices. There is one way that
came up in FERC’s discussion in the NOPR. The wording in Reference Model 6 in
CIP-003-6 identifies authentication as another condition that would break LERC
(and by implication ERC as well). If the device that translates routable to
serial also requires the user on the routable end (e.g., at the control center)
to re-authenticate before it will pass their communications on to the
serially-connected device, then ERC is broken as well. FERC didn’t comment on this at all, but they
also didn’t rule it out. So I think it’s safe to say they are comfortable with
ERC being broken when re-authentication is required.

I can think of another example, which I brought up in the first of four posts
last year that discussed the ERC issue. This is of an RTU that is
configured just to poll the serial devices and pass the data on to the EMS;
there are no inbound communications that are passed on to the serial devices in
any form. This seems to be a good example of another way in which an intermediate
device can break ERC, when a transition between serial and routable
communications is involved. There may be other examples as well.

The views and opinions expressed here are my own and don’t
necessarily represent the views or opinions of Deloitte Advisory.