Tuesday, July 9, 2019

A definition of external routable connectivity

In last week’s post on NERC’s draft Data Request on supply chain security for Low impact assets, one of the objections I made to NERC’s initial draft of the DR had to do with how you define External Routable Connectivity at a Low asset. This is important because, in its original form, the DR requested NERC entities to state their number of Low impact assets with ERC (i.e. the capitalized, formally defined NERC term). The official NERC definition of ERC, applicable to Medium and High impact BES Cyber Systems, is “The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.” Of course, since Low impact assets don’t have ESPs, this definition doesn’t directly apply to them.

In the post, I pointed out that the “solution” to this problem that ended up in the final draft sent out for comment last week (which was actually something suggested by the team from the Supply Chain Working Group that reviewed and revised the draft) was probably worse than NERC’s original suggestion, since it simply pointed to CIP-003-7 and stated that the discussion of “external routable connectivity” (i.e. ERC for Lows) in there could be the guide to how a NERC entity responds to this question. I pointed out that very few people in the NERC community – or even at NERC itself – could correctly state how CIP-003-7 “defines” erc. I opined that it would be pretty easy for most entities to come up with their own definition, but then – very helpfully – I didn’t state a definition of erc I thought might be good!

Fortunately, two people – one a current CIP auditor who wants to remain anonymous, and the other my longtime friend and grizzled veteran of the CIP Wars, Joe Garmon – pointed out an obvious solution to this problem: Simply de-capitalize ESP in the ERC definition, so that it reads “The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated electronic security perimeter via a bi-directional routable protocol connection.” I don’t think anyone can go too wrong if they use this definition – after all, keep in mind that the DR has nothing to do with CIP compliance, even though it will come from NERC (although I know a lot of people will never believe this).

However, my opinion remains that NERC would be making a big error to release any DR at all, and they need to completely rethink how they’re responding to the pressure they’re evidently getting from Congress and FERC on this matter. I will make that point in part II of the DR post (this was part 1 ½, I guess), which should be coming within days to a blog near you. Please try to contain your excitement until it arrives!


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.
