This is the second of two posts that contain unadulterated good news for entities subject to the NERC CIP requirements. You may think my motivation for doing these posts is that I was visited by three ghosts on Christmas Eve who told me to mend my ways. It isn't that, but rather the realization that I always have a big queue of things I want to write about, and I should try to prioritize the good things to post around the holiday season.
In November, I wrote this post about the NOPR that FERC issued in October, stating their intention to approve CIP-003 version 7. This is the version of CIP-003 that was much debated and approved last year (i.e. in 2016), which eliminated the definitions of LERC and LEAP and incorporated those concepts into the requirement itself (and if you're hazy about what this debate was all about, this post and this one may refresh your memory. My memory certainly needed refreshment!). Of course, this whole discussion has to do with Low impact assets (mostly substations) that have some sort of routable connection to the outside world.
As discussed in my November post, what I found most surprising in the NOPR was that FERC clearly stated their intention to push NERC to go well beyond what is in CIP-003 v7. That standard, which will come into effect 18 months after FERC issues the Order they committed to issuing in their NOPR, requires that an entity owning a Low impact asset, for which there is at least one routable communications stream with a cyber asset outside of the boundary of the asset itself, have in place some means of mitigating the risk posed by that communications stream. It could be a device like a firewall (formerly known as a LEAP), but it could be something else like network separation, a unidirectional gateway, etc.
In the NOPR, FERC said they will approve v7 as written. However, they also asked for comments on going beyond what is in v7 to require further steps for Low assets. Specifically, they pointed to authentication and password complexity as two of the four items[i] they would now like included in the requirement for securing BES Cyber Systems located at Low impact assets that contain some form of external routable connectivity. They might also ask for more than those four items. Of course, since NERC's Rules of Procedure don't allow changes to be made to a standard once it has been approved by the NERC Board of Trustees (and all new standards are approved by the BoT before they're even submitted to FERC for their approval), these changes will be in a new version of CIP-003, which will be version 8 (and that version won't be effective for 3-4 years from when FERC orders it).
In my November post, I pointed out at the end that I thought it was clear that the changes FERC is proposing will doom what has been a bedrock principle of NERC's Low impact compliance program since CIP v5: that no inventory of Low impact BES Cyber Systems will be required. My reason for saying this (not stated in the post) was that I simply didn't see any way that this principle could be preserved if CIP-003 is going to require authentication and password complexity for Low impact BCS. It seemed to me that there would be no way these requirements could be audited, absent an inventory of Low impact BCS.
However, a couple of weeks after that post, an auditor wrote in to me with critiques of several of the points I had made in the post, including the one I just cited. I will quote in full what he said on this topic:
"(Auditing the new requirements that FERC is considering can be done without requiring the entity have) an enumerated list of Low Impact BCS or their component Cyber Assets. Now, as an auditor, I may ask the entity to demonstrate that the controls have been implemented, so at that time I may ask for a list of the relays in a sampled substation. Or, knowing that there will be a breaker relay in the substation for a circuit breaker on a Transmission Line or bus, I might ask for the Station 1-Line diagram or SCADA substation display, point to a breaker drawn on that diagram, and ask for evidence associated with that breaker's relay. I might even visit a randomly selected substation, point to a SEL-421 distance protection relay and inquire how it is managed. Remember that relaying engineers typically do not do anything without a work order and all sorts of authorizations, so being able to come up with the work order to change a password on that very device might not be an insurmountable challenge requiring additional records keeping not already being done. And if they are not managing the passwords on the relays, then shame on them. Then again, if they implemented the SEL-3620 or equivalent, I don't need to look at any controls on the relays because access is well managed at the gateway. The point is that there is still no mandate that the entity identify every Cyber Asset in a Low Impact environment, identify the subset of those Cyber Assets that are Low Impact BCAs, and group them into a documented list of Low Impact BCS, and I can envision how the new requirements can be implemented and audited without requiring a list of Low Impact BCS."
To paraphrase this quotation, the auditor points out at the end why many NERC entities are so worried about possibly needing to maintain an inventory of Low BCS. To do this will require doing pretty much everything that needs to be done to identify BCS at Medium and High impact assets now: identify every Cyber Asset at the Low impact asset, use the BES Cyber Asset definition to determine which of these are BCAs, and finally group BCAs (and possibly other Cyber Assets) into BES Cyber Systems. Then repeat this on a regular basis, so as to include new Cyber Assets that may have been added.
But he makes it clear that he thinks I'm wrong in (implicitly) stating that requiring authentication and password complexity on Low BCS will inevitably require an inventory. I assumed this was inevitable because there would be no way to audit these requirements without an inventory, but he thinks I'm simply wrong in this assumption. He points out several ways he could audit these requirements without demanding that the entity produce an inventory of all of their Low impact BCS.
And now that I read his words again, I realize I was making a false analogy from Medium and High impact BCS. While these BCS are also required to have authentication and password complexity, these and other such requirements aren't the reason why an inventory of Medium and High impact BCS is required under CIP v5/v6. The reason an inventory is required is because CIP-002 R1 requires it, period. And CIP-002 R1 not only doesn't require an inventory of Low BCS, it explicitly states that such an inventory won't be required.
All of this isn't to say that, once CIP-003 version 8 comes into effect, NERC entities won't be under even more pressure from their regions to maintain an inventory of Low impact BCS. Some of the regions have already stated that they would like to see their entities do this, and they will be able to make that statement with even more justification once CIP-003-8 comes into effect. But until the statement that an inventory of Low BCS isn't needed is actually removed from the CIP standards – and now it's found in CIP-003-6 and CIP-003-7, as well as in CIP-002 R1 and Attachment 1 – I think NERC entities can rest assured that nothing fundamental has changed in this regard, no matter what requirements end up in CIP-003-8.
The views and opinions expressed here are my own, and do not reflect those of any organization I work with. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.