Tuesday, September 8, 2015

Where I (now) Stand on ERC

“Consistency is the hobgoblin of little minds.”
- Emerson

In my recent (third) webinar with EnergySec, I didn’t hide the fact that I have recently made a 180-degree shift in my opinion on the question of the meaning of External Routable Connectivity (ERC). On the same day as the webinar, I elaborated on this in a post, but since that post was more focused on what FERC had said about LERC (don’t you just love these acronyms?) not ERC, I didn’t give a complete exposition of what I currently believe. This post will provide that.

My previous position was stated in the post just cited and in my second webinar with EnergySec. In that webinar, we discussed NERC’s April Memorandum on “Network and Externally Accessible Devices” (which has since been withdrawn, along with the other Memoranda). That document, in the section entitled “Natively serial-based BCAs”, focused on the situation in which there is a serially-connected device such as a relay in a substation, that communications with a device – like an RTU or protocol converter - that in some way “translates” a routable communication stream (say, from an EMS) to serial format for transfer to the relay.

NERC’s position on the scenario described was clear: “Nothing in the plain language of the CIP version 5 standards or the record of development indicates that the SDT intended natively serial-based BCAs that have been modified to be externally accessible via a routable network to be treated any differently from natively routable-based devices.” (I would include a hyperlink to the Memorandum here, but the Memoranda have all been removed from NERC’s site. If you need a copy, email me at talrich@deloitte.com)

However, in the webinar and this post, I brought up Morgan King’s presentation from WECC’s January CIPUG meeting in which he stated that some devices perform a “protocol break” – that is, they terminate the routable communications coming from the EMS and initiate a different serial conversation with the relay. In such a case, Morgan stated (and I agreed) that ERC is truly “broken”, so the relay does not have ERC. To illustrate his point, Morgan had pointed to Reference Model 6 in the Guidance and Technical Basis of CIP-003-6, which had diagrammed exactly this case – although the reference was technically to LERC (Low impact ERC), rather than ERC.

Wishing to be as nice to NERC as possible, I stated in the webinar that I believed both NERC and Morgan were right, since they were contemplating different types of devices. However, I suspected that NERC had meant their statement to apply more broadly to any device that takes in a routable communications stream on one end and emits serial on the other, so they probably weren’t contemplating any exceptions to their rule. But I firmly believed that Morgan had gotten it right and there was something called a “protocol break” that would break ERC.

About a month after that webinar, I changed my opinion on ERC. It didn’t happen in a blinding flash of light on the road to Damascus. Rather it happened when I started trying to understand the implications of FERC’s NOPR, and specifically the section entitled “Definition – Low Impact External Routable Connectivity” (paragraphs 68-70). I came to believe that, while FERC’s statement had addressed only LERC, it was impossible not to consider it a statement about ERC as well.

You can read about what I thought in this post, but to briefly summarize. FERC made it very clear they didn’t understand what a “protocol break” was; therefore, they didn’t think it could be invoked as a way to remove ERC. I concluded by saying I believed NERC was working on a Lesson Learned on ERC, and it would be a mistake if NERC repeated Morgan’s argument (and mine) that there is something called a protocol break, and that it “breaks” ERC. While FERC couldn’t force NERC to rescind this opinion (since they’ve already approved the definition of ERC in Order 791), it just wouldn’t be a good idea to fly in FERC’s face on this issue.

However, in the post I should have asked the question whether there are any other ways that ERC can be “broken” by a device (like an RTU) that communicates routably to the outside world, but serially to one or more other devices. There is one way that came up in FERC’s discussion in the NOPR. The wording in Reference Model 6 in CIP-003-6 identifies authentication as another condition that would break LERC (and by implication ERC as well). If the device that translates routable to serial also requires the user on the routable end (e.g., at the control center) to re-authenticate before it will pass their communications on to the serially-connected device, then ERC is broken as well.  FERC didn’t comment on this at all, but they also didn’t rule it out. So I think it’s safe to say they are comfortable with ERC being broken when re-authentication is required.

I can think of another example, which I brought up in the first of four posts last year that discussed the ERC issue. This is of an RTU that is configured just to poll the serial devices and pass the data on to the EMS; there is no inbound communications that is passed on to the serial devices in any form. This seems to be a good example of another way in which an intermediate device can break ERC, when a transition between serial and routable communications is involved. There may be other examples as well.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.

No comments:

Post a Comment