Sunday, May 13, 2018

Question: What’s the Difference between CIP-003-7 and CIP-003-6?

Answer: 1

OK, OK. This would have been much better for my annual April Fool’s post (which I missed this year, for the first time in five years). In fact, that answer could have been the whole post!

But let’s ask the question more specifically: What is the difference between the Low impact electronic access control requirement in CIP-003-7 - the standard that was just approved by FERC and will come into effect on January 1, 2020 - and the same requirement in CIP-003-6, which was going to come into effect on September 1, 2018 but now sleeps with the fishes?

I must confess that I have heedlessly enslaved untold billions of electrons in discussing this topic in a number of posts – none more prolifically than in this post from early November 2016, right before the second (and final) ballot approving CIP-003-7 – yet I have never once set out to address this topic in a single post, despite always saying that the answer to the question is very simple (which it is). So now I will remedy that omission. However, I’ve decided the best way to describe the difference is to discuss the history of how the two versions were developed. In addition to doing that, I will discuss at the end of this post what might be a serious interpretation question – for which as of the moment there might not be a good answer.

When FERC approved the CIP version 5 standards in November 2013, they ordered four changes. One of those changes was to add some meat to the Low impact requirements. In v5, the only requirement for Lows was CIP-003 R2, which required entities with Low impact assets to have four policies, including one for electronic access control. But nothing was said about the content of those policies or any steps to implement them; FERC decided there needed to be substantive requirements in each of the four areas, not just policies. All of these changes were drafted by a new SDT and became CIP v6.

The CIP v6 standards were approved by FERC in January 2016. The v5 requirement for owners of Low impact assets to have four policies was moved from CIP-003 R2 to R1, where it was combined with the policy requirement for High and Medium impact BES Cyber Systems. R2 was now rewritten as a plan-based requirement[i], calling out Attachment 1 to provide details on what needed to be in the plan(s).

Section 3 of CIP-003-6 Attachment 1 specified that, when a Low impact asset had LERC - Low impact external routable connectivity, as defined in the NERC Glossary at the time - then the NERC entity owning the asset had to “implement a LEAP to permit only necessary inbound and outbound bi-directional routable protocol access”. Of course, LEAP stood for Low impact electronic access point, which was also defined in the NERC glossary. The compliance date for this requirement was September 1, 2018.

However, when FERC approved CIP v6 in January 2016 in Order 822, they ordered that NERC make three further changes to the standards. First, they ordered NERC to develop a standard to protect communications between Control Centers (now being balloted as CIP-012). Second, they wanted there to be a requirement to protect Transient Electronic Devices and Removable Media used at Low impact assets (this new requirement was balloted and approved at the same time as the revised electronic access control requirement, and is included in CIP-003-7 as Section 5 of Attachment 1 of R2[ii]).

Finally, FERC ordered NERC to clarify the meaning of the word “direct” in the definition of LERC, which read “Direct user-initiated interactive access or a direct device-to-device connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bidirectional routable protocol connection.” FERC was concerned that some entities would interpret the word to mean that simple protocol conversion breaks “direct” access and thus exempts such cases from the requirement, since the definition of LERC isn’t met.[iii]

As usual, the changes FERC ordered couldn’t be incorporated into the standards they had just approved – CIP v6 – but needed to be in new versions of the standards. So NERC convened a new standards drafting team in the spring of 2016 called the CIP Modifications SDT. They were tasked with drafting not just the three changes FERC had ordered, but others as well (of course, the team continues working today, and shows no sign of winding up any time soon). However, the first task they took up was addressing FERC’s concern about “direct”, since FERC had set a one-year deadline to return a revised requirement or definition for them to approve.

I attended the meeting in June 2016 in which the SDT took up this question, and wrote about it in this post. I should first point out that I was very skeptical, in my post on Order 822, that any NERC drafting team would ever be able to come up with an acceptable dictionary-style definition of “direct”. I was thinking the only workable way to “define” LERC was to provide a set of use cases for when there is and isn’t LERC; but I didn’t see how a NERC definition could legally consist of just a set of use cases.

However, I was very pleasantly surprised when the team decided at their June 2016 meeting to do a complete end run around the word “direct”, by a) eliminating the definition of LERC altogether and incorporating a much broader and objectively-verifiable definition in the requirement itself; b) making the requirement a completely objectives-based one; and c) developing use cases in the form of ten “concept diagrams” – but actually designated as Reference Models 1-10 - showing ways in which the requirement could be complied with (these are found starting on page 36 of the Guidelines and Technical Basis section at the end of CIP-003-7. I want to point out that the SDT clearly stated on page 35 that “This is not an exhaustive list of applicable concepts”).

In the new requirement – which is of course the CIP-003-7 requirement approved by FERC a few weeks ago - the entity has to take appropriate steps to mitigate the threat posed by the presence of any external routable connectivity at a Low impact asset. The goal is to achieve the objective of the requirement, not to use a particular means to do so (of course, in the v6 version, the requirement prescribed the means to address the threat posed by LERC, which was a LEAP. In every case where there is LERC, the entity had to implement a LEAP). In my opinion, all CIP requirements should be written in this way.

What is the practical difference between the “v6” and “v7” versions of the requirement? The only difference in practice is that the NERC entity now has more options on how they can mitigate the risk posed by external routable connectivity crossing the boundary of a Low impact asset. They have at least ten options, corresponding to the ten concept diagrams, but the entity is now explicitly allowed to come up with another solution as well, as long as they can convince an auditor that it is an equally effective one.

Most importantly, the entity can still use a firewall (although the term LEAP was also discontinued) to comply with the requirement (this solution corresponds to Reference Model 2). They now have to describe it differently in their documentation, but they don’t have to do anything different in their deployment. Yet despite this new freedom, there was a storm of opposition to the revised requirement, and it was voted down decisively in the first ballot in 2016. The SDT made some minor tweaks and the new requirement passed on the second ballot. I attributed (and continue to attribute) the fierce opposition to the fact that a) people simply didn’t understand what the SDT had done, and b) the NERC community in general was profoundly suspicious of new CIP standards with any possible ambiguity – and therefore room for auditor judgement – at all, after the long, exhausting experience with implementing CIP v5 despite the many ambiguities in those standards, and with NERC providing guidance of various types, almost all of which was ultimately withdrawn. I doubt the new requirement would even have passed on the second ballot, were it not for the fact that the looming FERC deadline meant the NERC Board would have to draft and approve their own requirement, if the requirement didn’t pass on the second ballot; there would simply be no time for further balloting.

This is how we got where we are today. I suspect most NERC entities with Low impact assets will simply deploy a firewall in order to comply with this requirement. In fact, I would think almost all Low impact assets that have external routable connectivity would already have a firewall. So everything is rosy and I can conclude this post, right?

No, not yet. It turns out the hard part of complying with this requirement isn’t coming into compliance in the first place, but maintaining compliance thereafter. To understand this, you need to look at the wording in the CIP-003-7 requirement:

Section 3. Electronic Access Controls: For each asset containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement electronic access controls to:
3.1 Permit only necessary inbound and outbound electronic access as determined by the Responsible Entity for any communications that are:
i. between a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset containing low impact BES Cyber System(s); 
ii. using a routable protocol when entering or leaving the asset containing the low impact BES Cyber System(s); and
iii. not used for time-sensitive protection or control functions between intelligent electronic devices (e.g., communications using protocol IEC TR61850-90-5 R-GOOSE).

I first want to point out that, even though this is worded very differently from the CIP-003-6 requirement, there is in fact no substantive change, except for the addition of the phrase that I have italicized in the sentence beginning with “Permit only necessary inbound and outbound electronic access…” Very similar wording – without the italicized phrase – was found in the v6 requirement: “permit only necessary inbound and outbound bi-directional routable protocol access…” The italicized phrase was put in the v7 requirement to preclude an auditor from saying that the entity had improperly either permitted or not permitted some access; the entity itself has final judgement on such questions.

But the fact that this wording didn’t change much between the two versions shouldn’t be allowed to obscure the fact that there is a fairly significant “requirement” buried in it: an entity with Low impact assets needs to document why particular firewall rules were implemented in the first place, as well as why any changes are “necessary”; and they need to do this for each of their Low impact assets. The auditor can’t second-guess why they made any changes, but the reason why any change was necessary will need to be documented. This is made clear in Section 3.1 of Attachment 2 of CIP-003-7, which provides examples of acceptable evidence.

However, a very knowledgeable friend of mine pointed out to me that in Order 843, FERC states (on page 28): “NERC also clarifies that responsible entities will be required to ‘document the [business or operational] necessity of its inbound and outbound electronic access permissions and provide justification of the need for such access.’” (my emphasis) They are quoting from NERC’s petition to FERC requesting that they approve CIP-003-7.

My friend points out that the word “justified” is nowhere in CIP-003-7; this was evidently an embellishment added by NERC to get FERC to feel comfortable with the new version. My friend was concerned because, as he put it, “There’s a big difference between ‘necessary’ and ‘justified’ when it comes to an audit!” I will admit that this does sound like a serious issue, but I don’t have enough knowledge to say whether this is a problem or not.

So the question is whether NERC may have inadvertently added a new implicit requirement to CIP-003-7 Attachment 1 Section 3.1: the requirement that the entity “justify” every rule implemented in a firewall at a Low impact asset, not just document why it was necessary. It seems to me that the words “as determined by the Responsible Entity” preclude this from being a problem, since the only justification the entity needs to show is that they determined a rule was needed. But I can see that this could be a big issue, simply because of the huge number of Low impact assets that are out there.

If you want to comment on this, either leave a comment below or email me at If warranted, I’ll write another post on this issue. You have been warned.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.


[i] CIP-003-7 R2 was one of two plan-based requirements in CIP v6, the other being CIP-010 R4. These were the first two plan-based CIP requirements, which as you may know I now see as the wave of the future for all of CIP (see this post).

[ii] I must say I find it unfortunate that the CIP v6 SDT took it upon themselves to take what were actually parts of requirement CIP-003 R2 and put them into an appendix. This requires a lot of circumlocution whenever you try to refer to these requirement parts; more seriously, it leads to confusion about whether Attachment 1 is actually “guidance”, not part of the actual requirement. However, it is every bit as much a part of the requirement as if the contents of Attachment 1 had been included directly in R2. I certainly hope this won’t become a trend in the future.

[iii] FERC’s fear was rooted in the seemingly endless discussions in 2014 and 2015 about what “breaks” external routable connectivity for Medium and High impact BES Cyber Systems (I wrote about this in a series of posts, the first one being here and the last one here). The problem with those discussions, from FERC’s point of view, was that FERC no longer had any leverage, since they had already approved CIP v5 and the ERC definition. They were determined not to let this ambiguity continue if they approved the LERC definition as it stood at the time they approved v6. Indeed, I’ve been told by at least one auditor that the new treatment of Low impact external routable connectivity in CIP-003-7 has set the tone for the interpretation of ERC itself by the auditors, even though there has obviously been no official wording change or official interpretation of the definition of ERC.
