I attended the CIP v7 Standards Drafting Team meeting in southern California last week, and was quite glad I did. One of the highlights was observing the drafting team’s webinar on the new LERC definition (which they presented in a separate room from the one where I and the other observers were). A lot of questions were submitted during the webinar, and not all of them were fully answered. I will take it upon myself to provide what I think are the correct answers to a few of these, in separate posts on each question.
It is clear that one of the big concerns entities have is the term the SDT introduced in the new LERC definition: asset boundary. More than one questioner asked why they didn’t define this term. I will explain why I think the SDT didn’t define it, and also why I’m not sure they need to. But I will also make one point about LERC that should be made, either in a definition or in the Guidance and Technical Basis for CIP-003-7.
This post won’t make a whole lot of sense unless you have already read my previous post discussing the new LERC definition (and the revised section 3.2 of Attachment 1 to CIP-003, which goes with the new definition). Please do that now… All done? Great, here’s a short quiz to make sure you really read it. You will need to answer all of these questions correctly in order to become a Certified LERC Expert.
- What two-word French phrase did I use in the post? What does it mean?
- How many of my previous posts did I link to in this post and in its footnotes? Why do I link to previous posts so often? Is it because I get paid by the hit?
- Is the post brilliant or merely very insightful?
I see enough of you passed the quiz so that I should continue with this post. So why did the SDT not define “asset boundary”, since the phrase plays such a big role in the new LERC definition? At first glance, it would seem to be a pretty simple question, but as with almost every other question about the new CIP standards, it is actually much larger.
The big problem here is that to define an asset boundary, there has to be a definition of “asset”. And believe it or not (considering how important the concept is in the CIP standards), that word isn’t defined in the NERC Glossary[i]. Why is this the case? I don’t know for sure, but I believe the reason “asset” isn’t defined is because there is a fundamental contradiction at the heart of CIP-002-5.1 R1 and Attachment 1. The contradiction is that in theory CIP v5 doesn’t apply to assets (“big iron”), but only to cyber systems (“little iron”). This is why the High and Medium impact criteria in Attachment 1 strictly speaking don’t apply to assets (or Facilities, for that matter) but to BES Cyber Systems. And it is why the definition of Low asset is “an asset containing Low impact BES Cyber Systems”. Yet I think it would be close to impossible to find a single NERC entity or auditor that didn’t first classify its assets as High, Medium or Low impact, then identify the BES Cyber Systems at the Highs and Mediums. No other approach makes sense.[ii]
However, I’m not sure that “asset boundary” needs to be defined, even if it could be. There is no specific compliance obligation associated with this phrase, as there is with the phrase Electronic Security Perimeter (which is defined, of course). So if the entity and the auditor disagree about what the asset boundary is, there is no way this would be likely to lead to a Potential Violation, and certainly – in my opinion – not to an actual violation.
But there is one consideration that was brought up in the SDT meetings, which I don’t see in the LERC definition or the Guidance: The asset boundary needs to encompass all of the BES Cyber Systems located at the Low impact asset; if it doesn’t do that, then it is conceivable some BES Cyber Systems which actually have LERC will end up not being protected.
For example, an auditor pointed out to me that he knew of at least one Low impact generating station that draws its cooling water from deep wells located as far as five miles from the fence line; the pumps for these wells are controlled by systems that most likely meet the BCA/BCS definition. If that entity decided the fence line were the asset boundary and had an external routable connection that ended at the pumps (I realize this scenario isn’t very likely), they might be tempted to declare that the asset didn’t have LERC (since they would consider the pumps outside of the asset boundary). Assuming they also had BCS within the fence line, they then wouldn’t be obligated to protect them as required in Section 3.2 of Attachment 1 of CIP-003-7 (i.e. in the new version of CIP-003 discussed in the post I linked at the beginning of this post).
However, I think this point should be made in the Guidance, not with a definition. This is because a definition would read something like “A physical border that encompasses all BES Cyber Systems at the asset.” How would an entity demonstrate that their asset boundary did include all BCS? Of course, they would have to have a list. And the need to have such a list is ruled out repeatedly in the CIP v5 and v6 standards.[iii]
So I think this point should at least be made in the Guidance.[iv]
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] It is “defined” in CIP-002-5.1 R1, in the list of six asset types that are considered in scope for CIP versions 5 and 6. So for purposes of CIP versions 5 and 6, “asset” is well defined. Of course, there are a lot of other problems in CIP-002 R1 and Attachment 1 that aren’t so neatly dealt with.
[ii] I have discussed this contradiction a number of times – coming from different angles – since April of 2013. Two posts that tried to address it more head on are this one and this one. Of course, I estimate that very close to 100% of NERC entities and auditors think in terms of the big iron / little iron model (which after all is how CIP v1-4 worked: Critical Assets and Critical Cyber Assets). In other words, just about everybody thinks in terms of “High impact Control Center”, “Medium impact substation”, etc., even though strictly speaking those terms don’t refer to reality any more than the terms “unicorn” and “griffin” do. In fact, during the SDT meeting the group was considering requirement language that referred to “High and Medium impact assets”. I had to be the bad guy and point out that the correct terms were “assets containing High impact BCS” and “assets containing Medium impact BCS”. Nobody disagreed with me on that.
[iii] Someone might object that, by the SDT’s simply stating in the Guidance that all BCS had to be within the asset boundary, the entity would probably still be obligated to have a list. But an issue almost identical to this one has already been addressed and resolved by – I believe – all of the NERC regions, in discussions of the current definition of LERC (i.e. the one that came into effect with v6, not the one that was just drafted and will almost certainly come into effect in 2017). Of course, in the current definition of LERC and the current “requirement” 3.2 of CIP-003-6, a LEAP is required to protect all BCS with LERC. However, the regions all seem to agree that it is possible to show that your LEAP is protecting all of your BCS without having to enumerate all of them; for example, an entity can provide a network diagram showing that all BCS are on a network protected by the LEAP – but the diagram doesn’t have to show each BCS. In the same fashion, using the new LERC definition, the entity could demonstrate to the auditor that all of its BCS were within the asset boundary by providing a physical map of the facility that includes locations where BCS are found – but which does not need to enumerate the BCS themselves.
[iv] There is a small problem with saying this, since technically there is no Guidance provided for definitions, just for requirements (as was brought up in another context at the SDT meeting). But understanding the LERC definition (including “asset boundary”) is required for compliance with Section 3.1 of CIP-003 Attachment 1; it shouldn’t require an act of Congress to allow the SDT to insert this helpful advice about the meaning of asset boundary in the Guidance for that section.