Thursday, August 25, 2016

Fixing a Hole

In July, I had an email exchange with a well-known CIP auditor – who has contributed very heavily to this blog since I started it more than three and a half years ago – that covered several important topics. I was just rereading that exchange and was struck by the following passage from him:

“Stop limiting protections to just Interactive Remote Access and the Intermediate System. The firewall cannot distinguish between interactive and machine-to-machine traffic. If I have an authorized connection from a Cyber Asset outside the protected network boundary to a Cyber Asset inside that boundary, strongly protect that outside system by managing it the same way you manage the Intermediate System (patched, anti-malware, logged and monitored, and multi-factor authentication at a minimum). Let's extend the protection zone to the first "hop" outside the protected network boundary. If you always play the game from your 3 yard line, you are going to lose.”

Since understanding what this means requires some unpacking, let me translate for you:

  1. The auditor is referring to the fact that the NERC definition of Interactive Remote Access contains the sentence “Interactive remote access does not include system-to-system process communications”. Of course, CIP-005-5 R2 requires that all IRA sessions must pass through an Intermediate System. Thus, system-to-system communications (i.e. no human at a keyboard) do not have to pass through an Intermediate System, even though the system outside of the ESP isn’t controlled in any way by the CIP requirements.
  2. Of course, many people will point out that all communications into the ESP must come through an Electronic Access Point like a firewall. Firewalls can restrict certain types of access as well as certain IP addresses, but if a machine is already permitted access into the ESP, and it has been taken over by a malicious attacker, the game is over: the attacker has access to the ESP.
  3. The auditor is saying that, to prevent this from happening, remote machines that are allowed to directly access an ESP need to have the same protections that an Intermediate System does. The point of the Intermediate System is to make it impossible for a remote human user – who could be anyone, anywhere on the planet – to directly access systems within the ESP. But trusted remote machines are allowed such access. What happens if one of those is compromised? It seems that some protections should be required for those machines, if they are going to be allowed to bypass the Intermediate System to access the ESP.
  4. There are two main types of remote machines that can have direct access to the ESP. Some are used by vendors, who require ESP access for diagnostic purposes. Since vendors are not NERC entities, they are not subject to the CIP standards. However, vendor remote access will be addressed in some way in the new supply chain standard that FERC has ordered NERC to develop.
  5. The other category of remote machines is machines that are on the IT network of the entity that owns or operates the ESP. This category can include backup servers, historians, FTP servers, etc. They are not in scope for CIP versions 5 and 6, even though they may actually meet the definition of BCA/BCS. Why aren’t these in scope? Because CIP-002-5.1 R1 says that only BES Cyber Systems located at one of the six asset types listed in R1 are in scope. By definition, these remote machines aren’t at one of those asset types.

But should these machines on the IT network, that are under the control of a NERC entity and have direct access into the ESP, be in scope for CIP? I would say they should be in some way. If they can’t be forced to go through an Intermediate System, some protections need to be required of them.
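The auditor's point is easiest to see as an inventory exercise: list every Electronic Access Point rule that lands inside the ESP, find the permitted sources that are not the Intermediate System, and check each one against the minimum the auditor names (patched, anti-malware, logged and monitored, MFA). The following is an added illustration, not code from this post or from the auditor; the host names, addresses, rule fields and the `REQUIRED_CONTROLS` tuple are constructed for the example, and a real ruleset would be exported from the firewall rather than typed in.

```python
"""Find ESP-inbound firewall permits that bypass the Intermediate System and
report which Intermediate-System-grade controls the permitted hosts lack.
All rules, hosts and control flags below are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str        # source host or CIDR the EAP permits (hypothetical field names)
    dst_zone: str   # "ESP" for rules whose destination lies inside the ESP
    port: int
    comment: str


@dataclass
class Host:
    name: str
    ip: str
    intermediate_system: bool = False
    patched: bool = False
    anti_malware: bool = False
    logged_monitored: bool = False
    mfa: bool = False


# The minimum the auditor asks of the Intermediate System, applied to any
# host that is allowed to reach the ESP without passing through it.
REQUIRED_CONTROLS = ("patched", "anti_malware", "logged_monitored", "mfa")


def missing_controls(host):
    """Controls from REQUIRED_CONTROLS that the host does not have."""
    return [c for c in REQUIRED_CONTROLS if not getattr(host, c)]


def hosts_matching(src, hosts):
    """Hosts whose address falls inside the rule's source (a /32 or a CIDR).
    A broad CIDR is itself a finding: it admits every host in the range,
    not just the one the rule comment had in mind."""
    net = ip_network(src, strict=False)
    return [h for h in hosts if ip_address(h.ip) in net]


def direct_esp_permits(rules, hosts):
    """(rule, host) pairs where a non-Intermediate-System host is let into the ESP.
    The firewall only sees source, destination and port, so an automated pull
    and an attacker riding a compromised host look identical to it."""
    findings = []
    for r in rules:
        if r.dst_zone != "ESP":
            continue
        for h in hosts_matching(r.src, hosts):
            if not h.intermediate_system:
                findings.append((r, h))
    return findings


def audit(rules, hosts):
    """Map each bypassing host to the required controls it is missing.
    A host with an empty list still bypasses the Intermediate System but
    already meets the auditor's minimum bar."""
    return {h.name: missing_controls(h) for _, h in direct_esp_permits(rules, hosts)}


# Constructed sample inventory: one Intermediate System, two IT-network
# servers with direct ESP access, one vendor diagnostic box, one unrelated host.
HOSTS = [
    Host("jump01", "10.10.1.5", intermediate_system=True, patched=True,
         anti_malware=True, logged_monitored=True, mfa=True),
    Host("hist01", "10.10.2.20", patched=True, logged_monitored=True),
    Host("bkp01", "10.10.2.30"),
    Host("vendor-diag", "203.0.113.7"),
    Host("ws-corp", "10.10.3.40", patched=True, anti_malware=True),
]

RULES = [
    Rule("10.10.1.5/32", "ESP", 3389, "IRA via Intermediate System"),
    Rule("10.10.2.0/24", "ESP", 5450, "historian collector pull"),  # admits bkp01 too
    Rule("203.0.113.7/32", "ESP", 22, "vendor remote diagnostics"),
    Rule("10.10.3.40/32", "DMZ", 443, "corporate web access"),       # not ESP-bound
]

if __name__ == "__main__":
    for name, gaps in audit(RULES, HOSTS).items():
        print(f"{name}: bypasses Intermediate System; missing {gaps or 'nothing'}")
```

Run as-is, the report names `hist01`, `bkp01` and `vendor-diag` as hosts with direct ESP access and lists the controls each lacks; `jump01` is skipped because it is the Intermediate System, and `ws-corp` never appears because its only permit is not ESP-bound. The /24 rule shows up as two findings, which is the point: the firewall admits the whole range regardless of who is behind any one address.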

However, before I’m accused of recklessly expanding the scope of CIP and placing another burden on the already-overburdened entities that have the misfortune of having High or Medium impact assets under CIP, I need to come back to an argument I’ve used before: I don’t think the scope of CIP should be expanded to cover IT assets until the CIP standards are made non-prescriptive and threat-based. Unlike the current standards, these future (hopefully) standards will require the entity to take a look at all of the threats to its control systems, including those threats that originate in the IT network.[i] All serious threats will need to be mitigated in some way, but the exact mitigations applied will be up to the entity; the auditors will determine whether they are sufficient, given the threat they address. It is only in this “new CIP” that I support putting controls on machines owned by the entity but outside of the ESP, that are currently granted direct ESP access.[ii]

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.

[i] Exhibit A for a threat coming through the IT network is the Ukraine attacks, as discussed in the post just linked.

[ii] I have realized more recently that a new approach to CIP doesn’t require rewriting all of the standards from scratch. Requirements can be made non-prescriptive one-by-one. I provide a real-life example of that in this post.
