In July, I had an email exchange with a well-known CIP auditor – who has contributed very heavily to this blog since I started it more than three and a half years ago – that covered several important topics. I was just rereading that exchange and was struck by the following passage from him:
“Stop limiting protections to just Interactive Remote Access and the Intermediate System. The firewall cannot distinguish between interactive and machine-to-machine traffic. If I have an authorized connection from a Cyber Asset outside the protected network boundary to a Cyber Asset inside that boundary, strongly protect that outside system by managing it the same way you manage the Intermediate System (patched, anti-malware, logged and monitored, and multi-factor authentication at a minimum). Let's extend the protection zone to the first "hop" outside the protected network boundary. If you always play the game from your 3 yard line, you are going to lose.”
Since understanding what this means requires some unpacking, let me translate for you:
- The auditor is referring to the fact that the NERC definition of Interactive Remote Access (IRA) contains the sentence “Interactive remote access does not include system-to-system process communications”. Of course, CIP-005-5 R2 requires that all IRA sessions pass through an Intermediate System. Thus, system-to-system communications (i.e. no human at a keyboard) do not have to pass through an Intermediate System, even though the system outside of the ESP isn’t controlled in any way by the CIP requirements.
- Of course, many people will point out that all communications into the ESP must come through an Electronic Access Point like a firewall. Firewalls can restrict certain types of access as well as certain IP addresses, but if a machine is already permitted access into the ESP, and it has been taken over by a malicious attacker, the game is over: the attacker has access to the ESP.
- The auditor is saying that, to prevent this from happening, remote machines that are allowed to directly access an ESP need to have the same protections that an Intermediate System does. The point of the Intermediate System is to make it impossible for a remote human user – who could be anyone, anywhere on the planet – to directly access systems within the ESP. But trusted remote machines are allowed such access. What happens if one of those is compromised? It seems that some protections should be required for those machines, if they are going to be allowed to bypass the Intermediate System to access the ESP.
- There are two main types of remote machines that can have direct access to the ESP. Some are used by vendors, who require ESP access for diagnostic purposes. Since vendors are not NERC entities, they are not subject to the CIP standards. However, vendor remote access will be addressed in some way in the new supply chain standard that FERC has ordered NERC to develop.
- The other category of remote machines is machines that are on the IT network of the entity that owns or operates the ESP. This category can include backup servers, historians, FTP servers, etc. They are not in scope for CIP versions 5 and 6, even though they may actually meet the definition of BCA/BCS. Why aren’t these in scope? Because CIP-002-5.1 R1 says that only BES Cyber Systems located at one of the six asset types listed in R1 are in scope. By definition, these remote machines aren’t at one of those asset types.
But should these machines on the IT network, that are under the control of a NERC entity and have direct access into the ESP, be in scope for CIP? I would say they should be in some way. If they can’t be forced to go through an Intermediate System, some protections need to be required of them.
However, before I’m accused of recklessly expanding the scope of CIP and placing another burden on the already-overburdened entities that have the misfortune of having High or Medium impact assets under CIP, I need to come back to an argument I’ve used before: I don’t think the scope of CIP should be expanded to cover IT assets until the CIP standards are made non-prescriptive and threat-based. Unlike the current standards, these future (hopefully) standards will require the entity to take a look at all of the threats to its control systems, including those threats that originate in the IT network.[i] All serious threats will need to be mitigated in some way, but the exact mitigations applied will be up to the entity; the auditors will determine whether they are sufficient, given the threat they address. It is only in this “new CIP” that I support putting controls on machines owned by the entity but outside of the ESP, that are currently granted direct ESP access.[ii]
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] Exhibit A for a threat coming through the IT network is the Ukraine attacks, as discussed in the post just linked.