At the end of this
recent post on the difference between the electronic access control
requirements in CIP-003-7 and CIP-003-6, I recounted a concern that a friend of
mine had raised, regarding the difference between the words “necessary” and “justified”.
To refresh your memory, the electronic access control “requirement” in
CIP-003-7 begins with: “Permit only necessary inbound and outbound electronic
access as determined by the Responsible Entity…”
The friend had pointed out to me that
FERC had noted, in their Order 843 approving CIP-003-7, that “NERC also
clarifies (Tom’s note: FERC is referring
to NERC’s petition to FERC requesting approval of CIP-003-7) that responsible entities will be
required to ‘document the [business or operational] necessity of its inbound
and outbound electronic access permissions and provide justification of
the need for such access.’” (my emphasis). Since the requirement says “necessary”,
not “justified”, he was concerned that NERC had inadvertently made compliance
with the new requirement – which of course applies to all Low impact assets –
much harder, because justifying something is quite different from merely saying
it’s necessary.
Although I didn’t say it in the post,
I wondered if there really was a difference between “necessary” and “justified”.
As I often do, I was having an email conversation with Mike Johnson and asked him if he
thought there was a difference. He said (and I’m paraphrasing his email a
little):
“Doing a lookup of the two words, you can get:
Necessary – required to be done, achieved, or present; needed,
essential
Justified – having, done for, or marked by a good or legitimate
reason
Based on the above they are different.
What I have heard from the Regions I follow (WECC, SPP, TRE, RF)
that provide good guidance is that “necessary” communications (ports and
services) need to have some type of justification. You cannot just say
they are needed, without knowing why. For the why, I have seen and
recommend you provide the following:
Technical justification – This is the easier one, since you just have to point out that
it is required by the technical setup of the communications. Say for SQL
this can be ports 156, 1360, and 1433 over TCP and/or UDP, to name a few.
You have no idea who you are communicating with, just that the communications
channel is open.
Operational justification – This one is more difficult, since you need to
know who you are communicating with and why. This should be another computer
system or systems, and the application on those systems. Let’s take the
example of port 1433, which is for MS-SQL. You would need to know the systems
your MS-SQL is communicating with, what applications on those system(s) are using
the MS-SQL database, and what the purpose of the usage is. One example
could be a SCADA HMI workstation that is communicating with a SCADA server over
1433. The SCADA server could be housing the database for the telemetry of
a generation station; the HMI workstation is using 1433 to get the current
telemetry to display and act on the database data. The “operational” justification
for the communication could be something like:
MS-SQL communications between SCADA HMI workstations and SCADA
database servers are used to acquire real-time telemetry data from the servers
for operator console displays and processing based on SCADA HMI programming.
The above indicates what is being communicated technically and
why it is required to verify it is “necessary”.”
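One way to check a rule inventory against the two kinds of justification described in the email above. This is an added example, not part of the original post or the email; the CSV columns, the status names and the sample rules are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample inventory of permitted rules at a Low impact asset boundary.
# Column names are assumptions for this example, not a NERC-defined format.
SAMPLE_RULES = """\
rule_id,direction,protocol,port,service,peer_system,application,purpose
R1,inbound,tcp,1433,MS-SQL,SCADA HMI workstations,SCADA HMI,Acquire real-time telemetry for operator console displays
R2,inbound,tcp,1433,MS-SQL,,,
R3,outbound,udp,123,,,,
R4,inbound,tcp,443,HTTPS,any,Vendor portal,Remote support
"""

# Technical justification: what the communication channel is.
TECHNICAL = ("protocol", "port", "service")
# Operational justification: who is on the other end, which application, and why.
OPERATIONAL = ("peer_system", "application", "purpose")
# Values that do not actually identify anything.
VAGUE = {"", "any", "all", "n/a", "tbd", "unknown"}


def missing(rule, fields):
    """Return the fields that are empty or filled with a placeholder value."""
    return [f for f in fields if (rule.get(f) or "").strip().lower() in VAGUE]


def classify(rule):
    """Classify one permitted rule by how much of its justification is recorded."""
    tech_gaps = missing(rule, TECHNICAL)
    oper_gaps = missing(rule, OPERATIONAL)
    if tech_gaps:
        status = "undocumented"      # the channel itself is not fully described
    elif oper_gaps:
        status = "technical-only"    # channel known, but not who uses it or why
    else:
        status = "justified"         # both kinds of justification are recorded
    return status, tech_gaps + oper_gaps


def audit(inventory_csv):
    """Map each rule_id to (status, list of fields still to be documented)."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["rule_id"]: classify(row) for row in rows}


if __name__ == "__main__":
    for rule_id, (status, gaps) in audit(SAMPLE_RULES).items():
        print(f"{rule_id}: {status}" + (f" (missing: {', '.join(gaps)})" if gaps else ""))
```

Rules reported as "technical-only" are the ones that would satisfy "necessary" on paper but carry no record of the peer systems, application and purpose.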
So I’m satisfied that there is a difference between the two words.
This means that if the regional auditors tell NERC entities they
need to justify access permissions, not just show they are necessary, the
entities should push back and ask where in the standard the word “justify”
appears (of course, the answer to that question is “nowhere”).
On the other hand, I still doubt that this will be a big problem,
because of the last part of the CIP-003-7 requirement that I quoted in the
first paragraph: “as determined by the Responsible Entity…” This certainly seems to indicate that an
auditor can’t argue with you about whether or not opening a particular port is
necessary (or justified) – all they can legitimately do is make sure you have a
documented reason.
On the other other hand, I’ve heard that some at NERC were
questioning whether this phrase can even be included in a standard, since in
theory the auditors are the ones who are supposed to make that sort of decision,
not the entity.
I’ll stop here, because I’m out of hands. This is, of course, a
very typical CIP compliance question: There is no straightforward answer. Given
that, you would be prudent to take the more conservative interpretation – which
in this case means assuming you have to provide justification for access
permissions, not just assert they are necessary. But if that course is too
difficult or burdensome, then you might want to contact your region and ask the
question they’ve heard many times before: “I have a friend at a utility down
the street from mine, who was wondering….”
Any opinions expressed in
this blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC.