Sunday, June 4, 2017


My most recent post dealt (in part) with Felek Abbas’ response to the question whether a “jungle mux” should have an ESP around it. The day after I posted it, I realized there was an error in my footnote, which read “Of course, this isn’t to say that the serial devices that connect to the mux don’t have external routable connectivity; they still do, since the external routable communications stream crosses the asset boundary. If the mux controls electronic access, as does the device in Reference Model 5, then no further measures should be required for the entity to comply with the Low impact electronic access control requirement part in CIP-003 R2. If it doesn’t, then some further step will be needed, like a firewall or data diode.”

I replaced the footnote with the one quoted below, but the email feed had already gone out to the 500+ feed subscribers (whose names I can never see, in case you wondered). I thought it would be interesting to see how many of them caught the error, so I didn’t otherwise acknowledge it. I waited and waited and…guess what? Nobody seems to have caught the error. This means one of two things:

1.       None of my readers realize that a device that can be in an ESP is Medium or High impact, not Low (and therefore what I wrote in the footnote about ERC crossing the asset boundary and Reference Model 5 is irrelevant, since these concepts only apply to Lows); or
2.       Nobody reads my footnotes.

Since I know that I have a lot of readers who would spot this error very quickly if they read it, I have to conclude that number 2 is the case. That’s OK – I’m not complaining because nobody reads footnotes. It just means I need to avoid putting important information in footnotes (and I’ve already started doing that. I used to have posts with 8-10 footnotes, but lately I’ve hardly ever gone above two. I’ll try to bring that down to zero).

So here is the new footnote that I inserted in place of the erroneous one. I’m making all of this into a separate post because a lot of people have kind of forgotten the difference between LERC and ERC, and – while a lot of people know that “LERC” has been retired and the definition is now built into the requirement part in CIP-003-7 R2 – probably most (including me) have forgotten what the issues are with ERC, and where things stand in fixing that definition.

“Of course, this isn’t to say that the serial devices that connect to the mux don’t have external routable connectivity. Whether they do or don’t depends on what happens at the jungle mux. The definition of ERC is “The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.” If all the jungle mux does is convert the routable communications stream to serial and send it to the proper device, then there is ERC. If the mux performs some sort of authentication, then this probably removes that ability, and there is no ERC.

“However, I’ll admit this is still an ambiguous area, and that points to an interesting irony. That is because FERC’s qualms about the ERC definition (discussed above in this post) led to a change; but the change was in the LERC definition, not ERC. When FERC ordered NERC to clarify the meaning of “Direct” in the LERC definition – in Order 822 approving CIP v6 in January 2016 – they weren’t reacting to problems with LERC since it wasn’t in effect yet. They were really responding to the discussions about ERC in 2014 and 2015 that I described above (I linked above to just one of the posts I wrote on this issue. Others include this one, this one, and this one (in the order I wrote them). I believe FERC was especially concerned about the idea that mere protocol conversion “breaks” ERC.

“If you want to plow through these three posts, you will see that, by the third one, I had concluded (in conjunction with Morgan King, a WECC auditor who has weighed in a lot on technical issues like this) that mere protocol conversion didn’t break ERC, but requiring re-authentication would. I thought when I wrote the third post that this was the last word on the subject. However, in this post, which was written a few days after the third one, I reported that another auditor said this wasn’t enough to break ERC – that there had to also be ‘reformulation of the user’s commands and the acting as a proxy for the user’.

“At this point, I threw up my hands and decided ERC was a black hole – I could write 100 posts and never get to the bottom of the problem, which was that the definition needs to be rewritten. This is one of the tasks on the CIP Modifications SDT’s agenda. I think they should build on the very good work they did with the LERC issue last year and base their new definition of ERC on use cases similar to the Reference Models they developed for CIP-003-7 (although some of those models won’t apply because the new Section 3.1 “defines” what used to be LERC in terms of the asset’s boundary, in order to avoid requiring a list of BCS at Lows). I think any attempt to write a dictionary-style definition will fail. They just need to say ‘In these particular cases, there is ERC. In these particular cases, there isn’t ERC.’”

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.

No comments:

Post a Comment