Thursday, July 11, 2019

How do you define external routable connectivity for Lows?



I want to follow up on my last post, which was itself a follow-up to my Part I post on NERC’s draft Data Request regarding supply-chain risks for Low impact assets, which is now out for comment until July 22. And of course, what the DR is really about (in case you’re new to the world of NERC-speak, which requires decades of experience to learn to decipher) is “Should CIP-013 be applied to Low impact assets?”

You may think this question was already addressed by NERC in their recent “Cyber Security Supply Chain Risks” report (which they filed with FERC a few weeks ago), where they said there was no need to move further on the idea at this time, but more study is needed. However, it seems that NERC is now getting a lot of pressure from FERC and from Congress on this issue, and they’re accelerating this DR from what might have otherwise been a more leisurely schedule.

I’m not calling this post and the previous one parts II and III of the DR post – instead, I’m sticking to my original idea of doing two posts, with the second likely to come out at the beginning of next week, God willing and the creek don’t rise. But I raised a question in the first post about how the equivalent of External Routable Connectivity can be defined for Low BES Cyber Systems, given that the term (which is of course defined in the NERC Glossary) includes the words “Electronic Security Perimeter”, and ESP only applies to High and Medium BCS (really only to Medium BCS, since all High impact assets are Control Centers, and trying to find a Control Center without ERC would be like trying to find out if there has ever been a Jewish Pope – the whole purpose of a CC is connectivity). Since I’ve received some interesting answers to that question from devoted readers, I’m devoting these two posts to them.

My last post was devoted to a suggestion by two people (one a current CIP auditor) that simply de-capitalizing the words “Electronic Security Perimeter” in the ERC definition would work fine. But I received two comments that I’d like to throw out there, because of the light they shed on the difficult – and still not settled, four years after it was a very hot topic and probably the subject of fist fights – question of what ERC (or erc for that matter) really means.

The first comment (really a question) I received after my last post – and this was from more than one person – was “Where in the ESP definition does it say it’s restricted to High and Medium BCS?” Of course, the answer to that is “Nowhere”. So why do I say this is the case? Because an ESP is defined as essentially a logical “line” that includes all of the BES Cyber Systems within an asset (or perhaps just one part of an asset). If you haven’t included all the BCS, then you haven’t properly drawn your ESP and you might be in for some fines.

However, the CIP standards make clear in a couple of places that an inventory of Low impact BCS isn’t required. This means that “ESP” officially has no meaning for Lows (this issue has been fought over many times, and nobody wants to resurrect it anytime soon). But as I stated in the last post, just decapitalizing ERC should eliminate that problem, since this is just a Data Request, not an audit.

The other comment I received was from Kevin Perry, who has been involved with NERC CIP since approximately the Korean War (OK, that’s cruel. He and I are the same age, I believe!), and was for many years the Chief CIP Auditor of SPP Regional Entity. He is allegedly retired now, although I haven’t seen a lot of evidence of that.

Kevin pointed to the former definition of LERC (Low impact External Routable Connectivity) – which I had mentioned in my Part I post as a possibly usable definition, but rejected because LERC was part of CIP-003-6, and that version of CIP-003 never came into effect, having been replaced by CIP-003-7 (which comes into effect Jan. 1, 2020). He said “Rather than decapitalizing ESP, why not go back to the original intent of LERC - the ability of a Cyber Asset to access a Low Impact BCS from beyond the border (e.g., fence line) of the asset (e.g., the substation) in which the Low Impact BCS resides?”

I must admit this is also a good definition. It was carefully crafted by the CIP v6 drafting team to get around the problem of not having an ESP in Low assets. The ESP was replaced with the idea of the “border” – a term that wasn’t defined, but which I thought was something that people could probably agree on without a lot of disputation. As it is, LERC wasn’t retired because people were fighting over what a border was, but because FERC was concerned about the word “direct” in the LERC definition. Of course, there’s a big back story behind that concern (as there always is with anything relating to NERC or FERC). And if you want to read all 499 of my previous posts (yes, I just realized this will be my 500th post!), I’m sure you’ll understand it.

In any case, LERC now sleeps with the fishes, but I don’t see why it couldn’t also be used as a definition of ERC that applies to Lows, for the purposes of this Data Request. That is, unless you consider the fact that I think this whole DR is misguided and the result of a terrible strategy, which might result in the death of NERC and the end of Life As We Know It. But that discussion is for my post early next week.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.
