At the end of this recent post on the difference between the electronic access control requirements in CIP-003-7 and CIP-003-6, I recounted a concern that a friend of mine had raised, regarding the difference between the words “necessary” and “justified”. To refresh your memory, the electronic access control “requirement” in CIP-003-7 begins with: “Permit only necessary inbound and outbound electronic access as determined by the Responsible Entity…”
The friend had pointed out to me that FERC had noted, in their Order 843 approving CIP-003-7, that “NERC also clarifies (Tom’s note: FERC is referring to NERC’s petition to FERC requesting approval of CIP-003-7) that responsible entities will be required to ‘document the [business or operational] necessity of its inbound and outbound electronic access permissions and provide justification of the need for such access.’” (my emphasis). Since the requirement says “necessary”, not “justified”, he was concerned that NERC had inadvertently made compliance with the new requirement – which of course applies to all Low impact assets – much harder, because justifying something is quite different from merely saying it’s necessary.
Although I didn’t say it in the post, I wondered if there really was a difference between “necessary” and “justified”. As I often do, I was having an email conversation with Mike Johnson and asked him if he thought there was a difference. He said (and I’m paraphrasing his email a little):
“Doing a lookup of the two words, you can get:
Necessary – required to be done, achieved, or present; needed, essential
Justified – having, done for, or marked by a good or legitimate reason
Based on the above they are different.
What I have heard from the Regions I follow (WECC, SPP, TRE, RF) that provide good guidance is that “necessary” communications (ports and services) need to have some type of justification. You cannot just say they are needed, without knowing why. For the why, I have seen and recommend you provide the following:
Technical justification – This is the easier one, since you just have to point out that it is required by the technical setup of the communications. Say for SQL this can be ports 156, 1360, and 1433 over TCP and/or UDP, to name a few. You have no idea who you are communicating with, just that the communications channel is open.
Operational justification – This one is more difficult, since you need to know who you are communicating with and why. This should be another computer system or systems, and the application on those systems. Let’s take the example of port 1433, which is for MS-SQL. You would need to know the systems your MS-SQL is communicating with, what applications on that system(s) is using the MS-SQL database, and what is the purpose of the usage. One example could be a SCADA HMI workstation that is communicating with a SCADA server over 1433. The SCADA server could be housing the database for the telemetry of a generation station; the HMI workstation is using 1433 to get the current telemetry to display and act on the database data. The “operational” justification for the communication could be something like:
MS-SQL communications between SCADA HMI workstations and SCADA database servers is used to acquire real-time telemetry data from the servers for operator console displays and processing based on SCADA HMI programming.
The above indicates what is being communicated technically and why it is required to verify it is “necessary”.”
So I’m satisfied that there is a difference between the two words; in other words, if the regional auditors are going to tell NERC entities they need to justify access permissions, not just show they are necessary, the entities should push back and ask where in the standard the word “justify” appears (of course, the answer to that question is “nowhere”).
On the other hand, I still doubt that this will be a big problem, because of the last part of the CIP-003-7 requirement that I quoted in the first paragraph: “as determined by the Responsible Entity…” This certainly seems to indicate that an auditor can’t argue with you about whether or not opening a particular port is necessary (or justified) – all they can legitimately do is make sure you have a documented reason.
On the other other hand, I’ve heard that some at NERC were questioning whether this phrase can even be included in a standard, since in theory the auditors are the ones who are supposed to make that sort of decision, not the entity.
I’ll stop here, because I’m out of hands. This is, of course, a very typical CIP compliance question: There is no straightforward answer. Given that, you would be prudent to take the more conservative interpretation – which in this case means assuming you have to provide justification for access permissions, not just assert they are necessary. But if that course is too difficult or burdensome, then you might want to contact your region and ask the question they’ve heard many times before: “I have a friend at a utility down the street from mine, who was wondering….”
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at firstname.lastname@example.org. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. And if you’re a vendor to the power industry, TALLC can help you in various ways, including developing marketing materials, delivering webinars, etc. To discuss this, you can email me at the same address or call me at 312-515-8996.