I want to follow up on my last post, which was itself a follow-up to my Part I post
on NERC’s draft Data Request regarding supply-chain risks for Low impact assets,
which is now out for comment until July 22. And of course, what the DR is
really about (in case you’re new to the world of NERC-speak, which requires
decades of experience to learn to decipher) is “Should CIP-013 be applied to
Low impact assets?”

You may think this question was already addressed by NERC in their recent “Cyber
Security Supply Chain Risks” report (which they filed with FERC a few weeks
ago), where they said there was no need to move further on the idea at this
time, but more study is needed. However, it seems that NERC is now getting a
lot of pressure from FERC and from Congress on this issue, and they’re
accelerating this DR from what might have otherwise been a more leisurely
schedule.

I’m not calling this post and the previous one parts II and III of the DR post –
instead, I’m sticking to my original idea of doing two posts, with the second
likely to come out at the beginning of next week, God willing and the creek don’t
rise. But I raised a question in the first post about how the equivalent of
External Routable Connectivity can be defined for Low BES Cyber Systems, given
that the term (which is of course defined in the NERC Glossary) includes the
words “Electronic Security Perimeter”, and ESP only applies to High and Medium BCS
(really only to Medium BCS, since all High impact assets are Control Centers,
and trying to find a Control Center without ERC would be like trying to find
out if there has ever been a Jewish Pope – the whole purpose of a CC is
connectivity). Since I’ve received some interesting answers to that question
from devoted readers, I’m devoting these two posts to them.

My last post was devoted to a suggestion by two people (one a current CIP auditor) that
simply de-capitalizing the words “Electronic Security Perimeter” in the ERC
definition would work fine. But I received two comments that I’d like to throw
out there, because of the light they shed on the difficult – and still not settled,
four years after it was a very hot topic and
probably the subject of fist fights – question of what ERC (or erc for that
matter) really means.

The first comment (really a question) I received after my last post – and this was from
more than one person – was “Where in the ESP definition does it say it’s
restricted to High and Medium BCS?” Of course, the answer to that is “Nowhere”.
So why do I say this is the case? Because an ESP is defined as essentially a
logical “line” that includes all of the BES Cyber Systems within an asset (or
perhaps just one part of an asset). If you haven’t included all the BCS, then
you haven’t properly drawn your ESP and you might be in for some fines.

However, the CIP standards make clear in a couple of places that an inventory of Low impact
BCS isn’t required. This means that “ESP” officially has no meaning for Lows (this
issue has been fought over many times, and nobody wants to resurrect it anytime
soon). But as I stated in the last post, just decapitalizing ERC should
eliminate that problem, since this is just a Data Request, not an audit.

The other comment I received was from Kevin Perry, who has been involved with NERC CIP
since approximately the Korean War (OK, that’s cruel. He and I are the same age,
I believe!), and was for many years the Chief CIP Auditor of SPP Regional
Entity. He is allegedly retired now, although I haven’t seen a lot of evidence
of that.

Kevin pointed to the former definition of LERC (Low impact External Routable
Connectivity) – which I had mentioned in my Part I post as a possibly usable
definition, but rejected because LERC was part of CIP-003-6, and that
version of CIP-003 never came into effect, having been replaced by CIP-003-7
(which comes into effect Jan. 1, 2020). He said “Rather than decapitalizing
ESP, why not go back to the original intent of LERC - the ability of a Cyber
Asset to access a Low Impact BCS from beyond the border (e.g., fence line) of
the asset (e.g., the substation) in which the Low Impact BCS resides?”

I must admit this is also a good definition. It was carefully crafted by the CIP v6 drafting
team to get around the problem of not having an ESP in Low assets. The ESP was
replaced with the idea of the “border” – a term that wasn’t defined, but which
I thought was something that people could probably agree on without a lot of
disputation. As it is, LERC wasn’t retired because people were fighting over what
a border was, but because FERC was concerned about the word “direct” in the
LERC definition. Of course, there’s a big back story behind that concern (as
there always is with anything relating to NERC or FERC). And if you want to
read all 499 of my previous posts (yes, I just realized this will be my 500th
post!), I’m sure you’ll understand it.

In any case, LERC now sleeps with the fishes, but I don’t see why it couldn’t also be used
as a definition of ERC that applies to Lows, for the purposes of this Data
Request. That is, unless you consider the fact that I think this whole DR is
misguided and the result of a terrible strategy, which might result in the death
of NERC and the end of Life As We Know It. But that discussion is for my post
early next week.

Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that
if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or
challenges like what is discussed in this post – especially on compliance with
CIP-013. To discuss this, you can email me at the same address.