A: April 21, 2017
I have questions and need some clarification about asset boundary and LERC + LEAP.
The Guidelines and Technical Basis (GTB) states, “Section 3 requires the establishment of boundary protections for low impact BES Cyber Systems when the low impact BES Cyber Systems have bi-directional routable protocol communication or Dial-up Connectivity to devices external to the asset containing the low impact BES Cyber Systems. The establishment of boundary protections is intended to control communication either into the asset containing low impact BES Cyber System(s) or to the low impact BES Cyber System itself to reduce the risks associated with uncontrolled communication using routable protocols or Dial-up Connectivity.”
The GTB does not provide guidance on what can and cannot be an “asset boundary”, but the usual interpretation that comes to mind is a fence line, a room, a building, or an equipment cabinet.
Q1: Could the asset boundary be a logical VLAN, if this VLAN is behind (protected) by a firewall or ACL router?
Q2: Routable bi-directional communication between low impact devices occurs only inside the VLAN: if the VLAN is the asset boundary, would the communication be a LERC or non-LERC?
Q3: Routable bi-directional communications occur such that one Cyber Asset is outside the VLAN and the other device, a low impact BCS, is in the VLAN: if the VLAN is the asset boundary, would the communication be a LERC that needs access control via a LEAP?
Another scenario is depicted in the screenshot below, taken from the WECC CIP V5 Advanced Workshop CIP-003-6 R2 Low Impact BCS:
Q4: If a device at station Y communicates to a low impact BCS at station Z, using a bi-directional routable protocol, would this device-to-device communication be a LERC that needs access control via the LEAP at location X, or would it be acceptable to have the logical communication path go through the Layer 2 switch only, and not the LEAP?
Q1: Asset in this context is synonymous with facility. If the VLAN is at a single asset there is minimal concern. In the illustration provided, the “Trunking VLAN 77”, as drawn, is considered a potential noncompliance (PNC) unless there is a LEAP at each asset. Communications between the two assets without going through “Location X” are considered not permitted.
Q2: If there is an access point, and communication to any devices (not just other low-impact devices) on other VLANs, then it’s a LERC. If the VLAN spans multiple asset locations, then it is LERC and requires a LEAP for network traffic between the multiple asset locations. However, if the VLAN is entirely within a single asset location and ALL communications are within the VLAN, then no LERC seems to exist.
Q3: Routable bi-directional communications between a Cyber Asset outside the VLAN and a Cyber Asset within the VLAN are considered to be a LERC, and they require a LEAP.
Q4: The Layer-2-only approach is considered not permissible. The Layer 2 traffic encapsulates Layer 3 traffic and, as such, must have more granular controls on the network traffic. Furthermore, each of the substations has a LERC, and each must be protected (even from each other) by the LEAP.
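As an added illustration that is not part of the original question or answer, the following Python turns the interpretation given in Q1 through Q4 into a topology check: each routable communication is classified as LERC or non-LERC by whether it crosses an asset boundary or a VLAN within an asset, and any VLAN trunked across several assets is flagged as a PNC unless every one of those assets has a LEAP. The device names, station names, VLAN numbers and the single LEAP at "Location X" are constructed to mirror the workshop scenario, not taken from the page.

```python
"""Topology check modelled on the LERC/LEAP interpretation in the answer above.

Added example, not from the original Q&A or any NERC/WECC material. All device,
station, VLAN and LEAP-location values below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    asset: str                 # asset (facility/substation) physically containing the device
    vlan: int                  # VLAN the device's network interface sits on
    low_impact_bcs: bool = False


@dataclass(frozen=True)
class Communication:
    src: Device
    dst: Device
    routable: bool = True      # bi-directional routable protocol (e.g. IP); False for serial-only


def classify(comm: Communication) -> dict:
    """Apply the answers to Q1-Q4 to one communication path.

    - different assets            -> LERC; a LEAP is required at each asset (Q1, Q4)
    - same asset, different VLAN  -> LERC; a LEAP is required at that asset (Q2, Q3)
    - same asset, same VLAN       -> no LERC (Q2)
    Non-routable traffic falls outside the routable-protocol LERC definition quoted
    from the GTB and is reported as such (dial-up is not modelled here).
    """
    if not comm.routable:
        return {"lerc": False, "leap_required_at": set(), "reason": "non-routable"}
    a, b = comm.src, comm.dst
    if a.asset != b.asset:
        return {"lerc": True, "leap_required_at": {a.asset, b.asset},
                "reason": "crosses asset boundary"}
    if a.vlan != b.vlan:
        return {"lerc": True, "leap_required_at": {a.asset},
                "reason": "crosses VLAN within one asset"}
    return {"lerc": False, "leap_required_at": set(),
            "reason": "entirely within one VLAN at one asset"}


def vlan_span_findings(devices, leap_assets) -> list:
    """Q1: a VLAN trunked across several assets is a PNC unless each asset has a LEAP."""
    assets_by_vlan = {}
    for d in devices:
        assets_by_vlan.setdefault(d.vlan, set()).add(d.asset)
    findings = []
    for vlan, assets in sorted(assets_by_vlan.items()):
        if len(assets) > 1:                       # VLAN leaves a single asset boundary
            missing = assets - set(leap_assets)   # assets on the trunk with no LEAP
            findings.append({"vlan": vlan, "assets": assets,
                             "pnc": bool(missing), "missing_leap": missing})
    return findings


# Constructed topology: stations Y and Z share trunked VLAN 77, an HMI at Z sits on
# VLAN 10, and the only LEAP is at "Location X" (i.e. at neither station).
RTU_Y = Device("rtu-y", "Station Y", 77, low_impact_bcs=True)
RELAY_Z = Device("relay-z", "Station Z", 77, low_impact_bcs=True)
RELAY2_Z = Device("relay2-z", "Station Z", 77, low_impact_bcs=True)
HMI_Z = Device("hmi-z", "Station Z", 10)
DEVICES = [RTU_Y, RELAY_Z, RELAY2_Z, HMI_Z]
LEAP_ASSETS = {"Location X"}


def report() -> list:
    """Return one human-readable line per communication plus the VLAN-span findings."""
    comms = [
        Communication(RTU_Y, RELAY_Z),      # Q4: station Y to station Z over VLAN 77
        Communication(HMI_Z, RELAY_Z),      # Q3: outside the VLAN to a low impact BCS inside it
        Communication(RELAY_Z, RELAY2_Z),   # Q2: both inside the VLAN at one asset
    ]
    lines = []
    for c in comms:
        r = classify(c)
        lines.append(f"{c.src.name} <-> {c.dst.name}: LERC={r['lerc']} ({r['reason']}); "
                     f"LEAP required at {sorted(r['leap_required_at'])}")
    for f in vlan_span_findings(DEVICES, LEAP_ASSETS):
        lines.append(f"VLAN {f['vlan']} spans {sorted(f['assets'])}: PNC={f['pnc']}, "
                     f"no LEAP at {sorted(f['missing_leap'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

With the constructed topology the Y-to-Z path and the HMI-to-relay path are both reported as LERC, the relay-to-relay path inside VLAN 77 at station Z is not, and VLAN 77 is flagged as a PNC because neither station on the trunk has its own LEAP; adding "Station Y" and "Station Z" to `LEAP_ASSETS` clears that finding, which is the remedy the answer to Q1 describes.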