As noted in my previous post on Electronic Access Control, the Standard Drafting Team (SDT) charged with the FERC-ordered Low Impact External Routable Connectivity (LERC) modifications was completing its initial revisions for submission to industry comment and balloting. This update summarizes the most important proposed modifications expected to be presented for NERC Standards Committee approval and posted for industry comment and balloting.
Modification Main Points
- The LERC definition will remain, but will be modified as explained below.
- The definition for “Low Impact BES Cyber System Electronic Access Point (LEAP)” will be removed and replaced with text within the Attachment 1 requirements.
To help understand the LERC modifications, let’s first look at the current definition:
Direct user-initiated interactive access or a direct device-to-device connection to a low impact BES Cyber Systems (BCS) from a Cyber Asset outside the asset containing those low impact BCS via a bi-directional routable protocol connection. Point-to-point communications between intelligent electronic devices that use routable communication protocols for time-sensitive protection or control functions between Transmission station or substation assets containing low impact BCS are excluded from this definition (examples of this communication include, but are not limited to, IEC 61850 GOOSE or vendor proprietary protocols).
The modified definition replaces “Connectivity” with “Communication” in the title, making it now read “Low Impact External Routable Communication,” and would include the proposed text:
Routable protocol communication that crosses the boundary of an asset containing one or more low impact BES Cyber System(s), excluding communications between intelligent electronic devices used for time-sensitive protection or control functions between non-Control Center BES assets containing low impact BES Cyber Systems including, but not limited to, IEC 61850 GOOSE or vendor proprietary protocols.
It’s also worth highlighting that the original wording “direct user-initiated interactive access or direct device-to-device” was removed and replaced with “routable protocol communications”. By eliminating “direct”, the SDT aimed to remove any uncertainty about what “direct” meant and to make clear that any communication entering the BES asset using a routable protocol is to be considered, regardless of the communication’s intended purpose.
Along with these changes, the original wording regarding a connection “from a Cyber Asset outside the asset containing those low impact BES Cyber System(s)” now reads “communication that crosses the boundary of an asset containing one or more low impact BES Cyber System(s).” This revision indicates that the communication must pass from outside the BES asset boundary into the BES asset. I’ll dive into additional information for clarifying ‘boundary’ later in this posting.
One additional point to highlight from these modifications is the clarification that the exclusion for time-sensitive communications applies only to protection and control functions between non-Control Center BES assets containing low impact BCS. This addresses the confusion over whether the exclusion could be applied to Control Center to non-Control Center communication.
Removal of LEAP
With the LEAP definition removed, the requirement to provide access protections is handled in CIP-003 Attachment 1, Section 3, where the text “electronic access control(s)” replaces LEAP: “Implement electronic access control(s) for LERC, if any, to permit only necessary electronic access to low impact BES Cyber Systems.”
What Does This Mean?
- A ‘boundary’ where routable connections enter the BES asset must be defined by the Entity. Information will be provided in the Standards Guidelines and Technical Basis (GTB) section, which I’ll cover in future installments.
- Routable communications coming into the BES asset will need to be identified, regardless of whether the communication is intended for BCS or business systems, and whether it is bi-directional or uni-directional.
- If communication enters a BCS, then controls must be implemented to allow only necessary inbound and/or outbound communications. There must also be technical and operational reasons justifying why these communications are necessary. Examples of possible control types will be provided in the GTB section, which uses a new set of reference models to demonstrate how controls can be applied to an Entity’s unique configurations.
- If there is no communication to a BCS through LERC, this must still be identified, and the plan must note that routable communications to the BCS do not occur.
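To make the four points above concrete, here is an added illustration (my own example, not the SDT’s or NERC’s) that classifies observed traffic against the proposed definition: an Entity-defined boundary per asset, the routable-protocol test, the exclusion for time-sensitive protection/control between non-Control Center assets, and a documented list of necessary access. Asset names, subnets and flows are constructed sample data.

```python
"""Classify observed traffic against the proposed LERC definition (added
illustration; not the post's or the SDT's code, sample data is constructed)."""
import ipaddress
from dataclasses import dataclass
# Constructed inventory: subnets inside each asset's defined boundary and
# whether the asset is a Control Center.
ASSETS = {
    "Substation A": {"subnets": ["10.10.1.0/24"], "control_center": False},
    "Substation B": {"subnets": ["10.10.2.0/24"], "control_center": False},
    "Control Center": {"subnets": ["10.20.0.0/16"], "control_center": True},
}
# Protocols the definition names as excluded when used for time-sensitive
# protection/control between non-Control Center assets.
TIME_SENSITIVE = {"IEC61850-GOOSE"}
# Constructed necessary-access list per asset, keyed by (protocol, direction),
# with the documented technical/operational justification Section 3 expects.
NECESSARY = {"Substation A": {("DNP3", "inbound"): "SCADA polling from Control Center"}}

@dataclass
class Flow:
    src: str
    dst: str
    protocol: str
    routable: bool

def asset_of(ip):
    """Map an address to the asset whose boundary contains it, or None."""
    addr = ipaddress.ip_address(ip)
    for name, info in ASSETS.items():
        if any(addr in ipaddress.ip_network(n) for n in info["subnets"]):
            return name
    return None

def classify(flow, asset):
    """Return (is_lerc, permitted, reason) for one flow at one asset's boundary."""
    src, dst = asset_of(flow.src), asset_of(flow.dst)
    if asset not in (src, dst) or src == dst:
        return (False, None, "does not cross this asset's boundary")
    if not flow.routable:  # only routable protocols are in scope
        return (False, None, "not a routable protocol")
    other = dst if src == asset else src  # the asset (if any) on the far side
    if (flow.protocol in TIME_SENSITIVE and not ASSETS[asset]["control_center"]
            and other is not None and not ASSETS[other]["control_center"]):
        return (False, None, "excluded: time-sensitive protection/control "
                "between non-Control Center assets")
    direction = "inbound" if dst == asset else "outbound"
    why = NECESSARY.get(asset, {}).get((flow.protocol, direction))
    if why:
        return (True, True, f"{direction} LERC permitted: {why}")
    return (True, False, f"{direction} LERC with no documented need: deny")
```

A flow marked LERC with no documented need is exactly what the Section 3 access control must block, and an asset with no LERC flows at all still gets the “does not occur” note in the plan.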
Physical Security Controls & Next Steps
For the physical security controls portion outlined in Attachment 1, Section 2, references to LEAP protection have been removed and replaced with protection of the “electronic access control devices”.
On July 21, 2016, the SDT officially submitted its proposed modification for a 45-day industry comment period, with the ballot conducted during the last 10 days of this period.
As I mentioned in this article’s introduction, this information is based on the SDT’s current proposal, and additional modifications should be expected based on industry comments and the ballot outcome. As this process continues, I will keep providing updates and potential impacts that could affect a Registered Entity’s current low impact implementation work.
Upcoming articles will cover additional information on electronic access controls and what is currently known about the audit approach, but in the meantime the following information may be of assistance in your Low Impact BCS research and implementation efforts:
- My previous posts for the NERC CIP Low Impact Requirement series:
- Burns & McDonnell will host our second annual Power Utility Security & Compliance Symposium August 8-9, 2016, which will cover several subjects related to Low Impact BCS.