Answer: 1
OK, OK. This
would have been much better for my annual April Fool’s post (which I missed
this year, for the first time in five years). In fact, that answer could have
been the whole post!
But let’s ask the question more specifically: What is the difference between the
Low impact electronic access control requirement in CIP-003-7 - the standard that
was just approved by FERC and will come into effect on January 1, 2020 - and the
same requirement in CIP-003-6, which was going to come into effect on September 1,
2018 but now sleeps with the fishes?
I must confess that I have heedlessly enslaved untold billions of electrons in
discussing this topic in a number of posts – none more prolifically than in this
post from early November 2016, right before the second (and final) ballot
approving CIP-003-7 – yet I have never once set out to address this topic in a
single post, despite always saying that the answer to the question is very simple
(which it is). So now I will remedy that omission. However, I’ve decided the
best way to describe the difference is to discuss the history of how the two
versions were developed. In addition to doing that, I will discuss at the end
of this post what might be a serious interpretation question, for which there
might not be a good answer at the moment.
When FERC approved the CIP version 5 standards in November 2013, they ordered
four changes. One of those changes was to add some meat to the Low impact
requirements. In v5, the only requirement for Lows was CIP-003 R2, which required
entities with Low impact assets to have four policies, including one for
electronic access control. But nothing was said about the content of those
policies or any steps to implement them; FERC decided there needed to be
substantive requirements in each of the four areas, not just policies. All of
these changes were drafted by a new SDT and became CIP v6.
The CIP v6 standards were approved by FERC in January 2016. The v5 requirement
for owners of Low impact assets to have four policies was moved from CIP-003 R2
to R1, where it was combined with the policy requirement for High and Medium
impact BES Cyber Systems. R2 was now rewritten as a plan-based requirement [i],
calling out Attachment 1 to provide details on what needed to be in the plan(s).
Section 3 of
CIP-003-6 Attachment 1 specified that, when a Low impact asset had LERC - Low
impact external routable connectivity, as defined in the NERC Glossary at the
time - then the NERC entity owning the asset had to “implement a LEAP to permit
only necessary inbound and outbound bi-directional routable protocol access”.
Of course, LEAP stood for Low impact electronic access point, which was also
defined in the NERC glossary. The compliance date for this requirement was
September 1, 2018.
However, when FERC approved CIP v6 in January 2016 in Order 822, they ordered
that NERC make three further changes to the standards. First, they ordered NERC
to develop a standard to protect communications between Control Centers (now
being balloted as CIP-012). Second, they wanted there to be a requirement to
protect Transient Electronic Devices and Removable Media used at Low impact
assets (this new requirement was balloted and approved at the same time as the
revised electronic access control requirement, and is included in CIP-003-7 as
Section 5 of Attachment 1 of R2 [ii]).
Finally, FERC ordered NERC to clarify the meaning of the word “direct” in the
definition of LERC, which read “Direct user-initiated interactive access or a
direct device-to-device connection to a low impact BES Cyber System(s) from a
Cyber Asset outside the asset containing those low impact BES Cyber System(s)
via a bidirectional routable protocol connection.” FERC was concerned that some
entities would interpret the word to mean that simple protocol conversion
breaks “direct” access and thus exempts such cases from the requirement, since
the definition of LERC isn’t met. [iii]
As usual,
the changes FERC ordered couldn’t be incorporated into the standards they had
just approved – CIP v6 – but needed to be in new versions of the standards. So
NERC convened a new standards drafting team in the spring of 2016 called the
CIP Modifications SDT. They were tasked with drafting not just the three
changes FERC had ordered, but others as well (of course, the team continues
working today, and shows no sign of winding up any time soon). However, the first task they took up was
addressing FERC’s concern about “direct”, since FERC had set a one-year
deadline to return a revised requirement or definition for them to approve.
I attended the meeting in June 2016 in which the SDT took up this question, and
wrote about it in this post. I should first point out that I was very skeptical,
in my post on Order 822, that any NERC drafting team would ever be able to come
up with an acceptable dictionary-style definition of “direct”. I was thinking
the only workable way to “define” LERC was to provide a set of use cases for
when there is and isn’t LERC; but I didn’t see how a NERC definition could
legally consist of just a set of use cases.
However, I was very pleasantly surprised when the team decided at their June
2016 meeting to do a complete end run around the word “direct”, by a)
eliminating the definition of LERC altogether and incorporating a much broader
and objectively verifiable definition in the requirement itself; b) making the
requirement a completely objectives-based one; and c) developing use cases in
the form of ten “concept diagrams”, actually designated as Reference Models
1-10, showing ways in which the requirement could be complied with. These are
found starting on page 36 of the Guidelines and Technical Basis section at the
end of CIP-003-7; I want to point out that the SDT clearly stated on page 35
that “This is not an exhaustive list of applicable concepts”.
In the new requirement – which is of course the CIP-003-7 requirement approved
by FERC a few weeks ago – the entity has to take appropriate steps to mitigate
the threat posed by the presence of any external routable connectivity at a Low
impact asset. The goal is to achieve the objective of the requirement, not to
use a particular means to do so (of course, in the v6 version, the requirement
prescribed the means to address the threat posed by LERC, which was a LEAP; in
every case where there was LERC, the entity had to implement a LEAP). In my
opinion, all CIP requirements should be written in this way.
What is the practical difference between the “v6”
and “v7” versions of the requirement? The only difference in practice is that
the NERC entity now has more options on how they can mitigate the risk posed by
external routable connectivity crossing the boundary of a Low impact asset. They
have at least ten options, corresponding to the ten concept diagrams, but the
entity is now explicitly allowed to come up with another solution as well, as
long as they can convince an auditor that it is an equally effective one.
Most importantly, the entity can still use a firewall (although the term LEAP
was also discontinued) to comply with the requirement (this solution corresponds
to Reference Model 2). They now have to describe it differently in their
documentation, but they don’t have to do anything different in their
deployment. Yet despite this new freedom, there was
a storm of opposition to the revised requirement, and it was voted down
decisively in the first ballot in 2016. The SDT made some minor tweaks and the
new requirement passed on the second ballot. I attributed (and continue to
attribute) the fierce opposition to the fact that a) people simply didn’t
understand what the SDT had done, and b) the NERC community in general was
profoundly suspicious of new CIP standards with any possible ambiguity – and
therefore room for auditor judgement – at all, after the long, exhausting
experience with implementing CIP v5 despite the many ambiguities in those
standards, and with NERC providing guidance of various types, almost all of
which was ultimately withdrawn. I doubt the new requirement would even have
passed on the second ballot, were it not for the fact that the looming FERC
deadline meant the NERC Board would have to draft and approve their own
requirement, if the requirement didn’t pass on the second ballot; there would
simply be no time for further balloting.
This is how
we got where we are today. I suspect most NERC entities with Low impact assets
will simply deploy a firewall in order to comply with this requirement. In
fact, I would think almost all Low impact assets that have external routable
connectivity would already have a firewall. So everything is rosy and I can
conclude this post, right?
No, not yet.
It turns out the hard part of complying with this requirement isn’t coming into
compliance in the first place, but maintaining compliance thereafter. To understand
this, you need to look at the wording in the CIP-003-7 requirement:
Section 3. Electronic Access Controls: For each asset containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement electronic access controls to:
3.1 Permit only necessary inbound and outbound electronic access as determined by the Responsible Entity for any communications that are:
i. between a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset containing low impact BES Cyber System(s);
ii. using a routable protocol when entering or leaving the asset containing the low impact BES Cyber System(s); and
iii. not used for time-sensitive protection or control functions between intelligent electronic devices (e.g., communications using protocol IEC TR61850-90-5 R-GOOSE).
I first want
to point out that, even though this is worded very differently from the
CIP-003-6 requirement, there is in fact no substantive change, except for the
addition of the phrase that I have italicized in the sentence beginning with “Permit
only necessary inbound and outbound electronic access…” Very similar wording –
without the italicized phrase – was found in the v6 requirement: “permit only
necessary inbound and outbound bi-directional routable protocol access…” The
italicized phrase was put in the v7 requirement to preclude an auditor from
saying that the entity had improperly either permitted or not permitted some
access; the entity itself has final judgement on such questions.
But the fact
that this wording didn’t change much between the two versions shouldn’t be
allowed to obscure the fact that there is a fairly significant “requirement”
buried in it: an entity with Low impact assets needs to document why particular
firewall rules were implemented in the first place, as well as why any changes
are “necessary”; and they need to do this for each of their Low impact assets.
The auditor can’t second-guess why they made any changes, but the reason why
any change was necessary will need to be documented. This is made clear in
Section 3.1 of Attachment 2 of CIP-003-7, which provides examples of acceptable
evidence.
However, a very knowledgeable friend of mine pointed out to me that in Order
843, FERC states (on page 28): “NERC also clarifies that responsible entities
will be required to ‘document the [business or operational] necessity of its
inbound and outbound electronic access permissions and provide justification of
the need for such access.’” (my emphasis). They are quoting from NERC’s petition
to FERC requesting that they approve CIP-003-7.
My friend points out that the word “justified” is nowhere in CIP-003-7; this was
evidently an embellishment added by NERC to get FERC to feel comfortable with
the new version. My friend was concerned because, as he put it, “There’s a big
difference between ‘necessary’ and ‘justified’ when it comes to an audit!” I
will admit that this does sound like a serious issue, but I don’t have enough
knowledge to say whether this is a problem or not.
So the question
is whether NERC may have inadvertently added a new implicit requirement to
CIP-003-7 Attachment 1 Section 3.1: the requirement that the entity “justify”
every rule implemented in a firewall at a Low impact asset, not just document
why it was necessary. It seems to me that the words “as determined by the
Responsible Entity” preclude this from being a problem, since the only
justification the entity needs to show is that they determined a rule was needed. But I can see that this could be
a big issue, simply because of the huge number of Low impact assets that are
out there.
If you want
to comment on this, either leave a comment below or email me at
tom@tomalrich.com. If warranted, I’ll write
another post on this issue. You have been warned.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
[i] CIP-003-7 R2 was one of two plan-based requirements in CIP v6, the other
being CIP-010 R4. These were the first two plan-based CIP requirements, which as
you may know I now see as the wave of the future for all of CIP (see this post).
[ii] I must say I find it unfortunate that the CIP v6 SDT took it upon
themselves to take what were actually parts of requirement CIP-003 R2 and put
them into an appendix. This requires a lot of circumlocution whenever you try to
refer to these requirement parts; more seriously, it leads to confusion about
whether Attachment 1 is actually “guidance”, not part of the actual requirement.
However, it is every bit as much a part of the requirement as if the contents
of Attachment 1 had been included directly in R2. I certainly hope this won’t
become a trend in the future.
[iii] FERC’s fear was rooted in the seemingly endless discussions in 2014 and
2015 about what “breaks” external routable connectivity for Medium and High
impact BES Cyber Systems (I wrote about this in a series of posts, the first one
being here and the last one here). The problem with those discussions, from
FERC’s point of view, was that FERC no longer had any leverage, since they had
already approved CIP v5 and the ERC definition. They were determined not to let
this ambiguity continue if they approved the LERC definition as it stood at the
time they approved v6. Indeed, I’ve been told by at least one auditor that the
new treatment of Low impact external routable connectivity in CIP-003-7 has set
the tone for the interpretation of ERC itself by the auditors, even though there
has obviously been no official wording change or official interpretation of the
definition of ERC.