Sunday, August 21, 2016

“Asset Boundary”

I attended the CIP v7 Standards Drafting Team meeting in southern California last week, and was quite glad I did. One of the highlights was observing the drafting team’s webinar on the new LERC definition (which they presented in a separate room from the one where I and the other observers were). A lot of questions were submitted during the webinar, and not all of them were fully answered. I will take it upon myself to provide what I think are the correct answers to a few of these, in separate posts on each question.

It is clear that one of the big concerns entities have is the term the SDT introduced in the new LERC definition: asset boundary. More than one questioner asked why they didn’t define this term. I will explain why I think the SDT didn’t define it, and also why I’m not sure they need to. But I will also make one point about LERC that should be made, either in a definition or in the Guidance and Technical Basis for CIP-003-7.

This post won’t make a whole lot of sense unless you have already read my previous post discussing the new LERC definition (and the revised section 3.2 of Attachment 1 to CIP-003, which goes with the new definition). Please do that now… All done? Great, here’s a short quiz to make sure you really read it. You will need to answer all of these questions correctly in order to become a Certified LERC Expert.

  1. What two-word French phrase did I use in the post? What does it mean?
  2. How many of my previous posts did I link to in this post and in its footnotes? Why do I link to previous posts so often? Is it because I get paid by the hit?
  3. Is the post brilliant or merely very insightful?

I see enough of you passed the quiz that I should continue with this post. So why did the SDT not define “asset boundary”, given that the phrase plays such a big role in the new LERC definition? At first glance this seems like a simple question, but as with almost every other question about the new CIP standards, it turns out to be a much larger one.

The big problem here is that to define an asset boundary, there has to be a definition of “asset”. And believe it or not (considering how important the concept is in the CIP standards), that word isn’t defined in the NERC Glossary[i]. Why is this the case? I don’t know for sure, but I believe the reason “asset” isn’t defined is because there is a fundamental contradiction at the heart of CIP-002-5.1 R1 and Attachment 1. The contradiction is that in theory CIP v5 doesn’t apply to assets (“big iron”), but only to cyber systems (“little iron”). This is why the High and Medium impact criteria in Attachment 1 strictly speaking don’t apply to assets (or Facilities, for that matter) but to BES Cyber Systems. And it is why the definition of Low asset is “an asset containing Low impact BES Cyber Systems”. Yet I think it would be close to impossible to find a single NERC entity or auditor that didn’t first classify its assets as High, Medium or Low impact, then identify the BES Cyber Systems at the Highs and Mediums. No other approach makes sense.[ii]

However, I’m not sure that “asset boundary” needs to be defined, even if it could be. There is no specific compliance obligation associated with this phrase, as there is with the phrase Electronic Security Perimeter (which is defined, of course). So if the entity and the auditor disagree about what the asset boundary is, it is hard to see how that disagreement could lead to a Potential Violation, and certainly – in my opinion – not to an actual violation.

But there is one consideration that was brought up in the SDT meetings, which I don’t see in the LERC definition or the Guidance: The asset boundary needs to encompass all of the BES Cyber Systems located at the Low impact asset; if it doesn’t do that, then it is conceivable some BES Cyber Systems which actually have LERC will end up not being protected.

For example, an auditor pointed out to me that he knew of at least one Low impact generating station that draws its cooling water from deep wells located as far as five miles from the fence line; the pumps for these wells are controlled by systems that most likely meet the BCA/BCS definition. If that entity decided the fence line were the asset boundary and had an external routable connection that ended at the pumps (I realize this scenario isn’t very likely), it might be tempted to declare that the asset didn’t have LERC (since it would consider the pumps to be outside the asset boundary). Assuming it also had BCS within the fence line, it then wouldn’t be obligated to protect them as required in Section 3.2 of Attachment 1 of CIP-003-7 (i.e. the new version of CIP-003 discussed in the post linked at the beginning of this post).

However, I think this point should be made in the Guidance, not with a definition. This is because a definition would read something like “A physical border that encompasses all BES Cyber Systems at the asset.” How would an entity demonstrate that its asset boundary included all BCS? Of course, it would have to have a list. And CIP v5 and v6 state repeatedly that no such list is required.[iii]

So I think this point should at least be made in the Guidance.[iv]

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.

[i] It is “defined” in CIP-002-5.1 R1, in the list of six asset types that are considered in scope for CIP versions 5 and 6. So for purposes of CIP versions 5 and 6, “asset” is well defined. Of course, there are a lot of other problems in CIP-002 R1 and Attachment 1 that aren’t so neatly dealt with.

[ii] I have discussed this contradiction a number of times – coming from different angles – since April of 2013. Two posts that tried to address it more head on are this one and this one. Of course, I estimate that very close to 100% of NERC entities and auditors think in terms of the big iron / little iron model (which after all is how CIP v1-4 worked: Critical Assets and Critical Cyber Assets). In other words, just about everybody thinks in terms of “High impact Control Center”, “Medium impact substation”, etc., even though strictly speaking those terms don’t refer to reality any more than the terms “unicorn” and “griffin” do. In fact, during the SDT meeting the group was considering requirement language that referred to “High and Medium impact assets”. I had to be the bad guy and point out that the correct terms were “assets containing High impact BCS” and “assets containing Medium impact BCS”. Nobody disagreed with me on that.

[iii] Someone might object that, by the SDT’s simply stating in the Guidance that all BCS had to be within the asset boundary, the entity would probably still be obligated to have a list. But an issue almost identical to this one has already been addressed and resolved by – I believe – all of the NERC regions, in discussions of the current definition of LERC (i.e. the one that came into effect with v6, not the one that was just drafted and will almost certainly come into effect in 2017). Of course, in the current definition of LERC and the current “requirement” 3.2 of CIP-003-6, a LEAP is required to protect all BCS with LERC. However, the regions all seem to agree that it is possible to show that your LEAP is protecting all of your BCS without having to enumerate all of them; for example, an entity can provide a network diagram showing that all BCS are on a network protected by the LEAP – but the diagram doesn’t have to show each BCS. In the same fashion, using the new LERC definition, the entity could demonstrate to the auditor that all of its BCS were within the asset boundary by providing a physical map of the facility that includes locations where BCS are found – but which does not need to enumerate the BCS themselves.

[iv] There is a small problem with saying this, since technically there is no Guidance provided for definitions, just for requirements (as was brought up in another context at the SDT meeting). But understanding the LERC definition (including “asset boundary”) is required for compliance with Section 3.1 of CIP-003 Attachment 1; it shouldn’t require an act of Congress to allow the SDT to insert this helpful advice about the meaning of asset boundary in the Guidance for that section.
