Recently, a NERC entity emailed me with a question about CIP-007 R2, patch management. Specifically, the question was whether the mitigation plan needs to do more than simply explain why the patch can’t be installed at the time, and state that it will be installed by a specific future date; it seems their auditor had informed them that wasn’t enough.
I knew the answer to this, but I reached out to an auditor for his opinion and I was glad I did – he had some very helpful suggestions.
Here is his response in full:
“The requirement is to create (or update) a mitigation plan if the patch cannot be implemented within 35 days of it being determined to be applicable. The Registered Entity is expected to document when and how the vulnerability will be addressed, and the expectation as expressed in the Measures is to specifically document the actions to be taken by the Responsible Entity to mitigate the vulnerabilities addressed by the security patch and a time frame for the completion of these mitigations. Simply stating the patch will be installed sometime in the future is not an action that mitigates the vulnerability in the interim.
“The Registered Entity needs to understand what the vulnerability is and how it can be exploited in order to document what mitigating controls are in place to reduce the risk of exploit until the patch can be installed. Often, but not always, the proper implementation of the CIP Requirements will mitigate the risk. For example, if the vulnerability can be exploited across the network, tight firewall rules will likely be a mitigation as long as there is no requirement for broad access to the Cyber Asset that counteracts the control. The Registered Entity might also update its anti-malware signature files more frequently and/or increase monitoring of the impacted Cyber Asset.
“But, if the exploit requires physical access to the Cyber Asset, asserting the device is behind a firewall is meaningless. Rather, the mitigations would include physical access restrictions, possibly current or enhanced restrictions on the use of removable media; in other words, mitigation steps that counter the exploit mechanism. And, while not stated as an explicit requirement, the Registered Entity really needs to monitor the vulnerability until the patch is installed in case the exploit risk changes, possibly requiring additional protections. That would be a good cyber security (best) practice.”
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.