This is the
fourth post in a series on the NOPR that FERC released in October. The NOPR
accomplished two primary goals: 1) FERC announced that they intend to approve
CIP-003-7, which was approved by NERC and submitted to FERC early this year;
and 2) FERC proposed to order NERC to make two important changes to CIP-003-7,
which will have to be incorporated into a new version of CIP-003. This post
will focus on the first of those changes; the next (and last) post in this
series will discuss the second change.
The first
change that FERC ordered has to do with the changes that the CIP Modifications
Standards Drafting Team made to the requirement for electronic access control
for Low impact assets in CIP-003-6. These changes were balloted (twice) and
endlessly discussed by the NERC community in 2016. The final version of
CIP-003-7 was approved by NERC and sent to FERC early this year.
These
changes were made because FERC, when they approved “CIP version 6” in Order 822,
ordered that NERC modify the definition of low impact external routable
connectivity (affectionately known as LERC) to clarify the meaning of the word “direct”
in the definition. However, when the new CIP Modifications Standards Drafting
Team started discussing this issue, they realized
that what was really needed was a modification of the requirement for
electronic access controls for Low impact BES Cyber Systems. Hence, what was
delivered to FERC was a modification of Section 3 of Attachment 1 of CIP-003-6,
not a new definition of LERC (the LERC definition was also modified, but it was
removed as a separate definition and incorporated into the language of the
requirement itself).
In their NOPR,
FERC said they intend to approve the revised requirement language. That will
come into effect 18 months after FERC issues the actual order approving
CIP-003-7. However, they did also indicate that they wanted further changes,
beyond what is now in CIP-003-7. What they asked for was interesting on a couple
of fronts, and I’ll discuss that now.
FERC’s “Proposal”
for these changes is found in Sections 27-32 of the NOPR (starting on page 22).
After saying they intend to approve CIP-003-7 as written, FERC then says “However,
NERC’s proposed revisions to Reliability Standard CIP-003-7 regarding the LERC
directive and electronic access controls for low impact BES Cyber Systems raise
certain issues.”
What are
these issues? FERC immediately goes back to Order 822, stating “The directive
was based on the concern that responsible entities could avoid adopting
adequate electronic access protections for low impact BES Cyber Systems by
simply installing a device, such as a laptop or protocol converter, in front of
the BES Cyber System to ‘break’ the direct routable connection.”
I went back
to Order 822 to try to verify what FERC said in the NOPR; and frankly, I’m a
little confused. Here is what I think they are saying:
1. In
paragraph 27 of the NOPR (right after the sentence quoted above), FERC says “In Order No.
822, the Commission directed NERC to develop modifications to the LERC
definition to eliminate ambiguity surrounding the term “direct” as it is used
in the definition.” I agree that is true.
2. From re-reading the discussion of this
topic in Order 822 (starting in paragraph 73 on page 44), it seems FERC was exclusively concerned with making sure there was an adequate protection device
(a LEAP) in every case where there was LERC (i.e. Low impact external routable connectivity).
I don’t see anything in Order 822 that suggests FERC was asking NERC to go
beyond just requiring Low assets with LERC to have a LEAP. But FERC is saying
that in Order 822 they really ordered NERC to require Low assets to install “adequate
electronic protections” for Low BCS[i], and
they’re implying that these should go well beyond having a LEAP.
3. In
paragraph 28 of the NOPR, they state “…proposed Reliability Standard CIP-003-7 does not
provide clear, objective criteria or measures to assess compliance by
independently confirming that the access control strategy adopted by a responsible
entity would reasonably meet the security objective of permitting only ‘necessary
inbound and outbound electronic access’ to its low impact BES Cyber Systems.” In
Order 822, FERC seemed quite content to follow NERC’s lead and limit the
enforcement of “only necessary inbound and outbound electronic access” to LEAP
devices (e.g. firewalls). If there was LERC, the entity needed a LEAP. If there
was no LERC, the entity didn’t need a LEAP. End of story.
4. However,
FERC seems to have now re-defined “necessary inbound and outbound electronic
access” to include other considerations like authentication and password
complexity, although they emphasize there need to be clear criteria for what is
required. In paragraph 31, FERC goes back to the CIP v5 requirements for High
and Medium impact BCS to find these. They say “For medium and high impact BES
Cyber Systems, auditors use the following criteria to review whether the access
control strategy is reasonable: (1)
whether the electronic access was granted through an authorized and monitored
electronic access point (Reliability Standard CIP-005-5, Requirement R1); (2)
whether the electronic access granted to individuals/devices was evaluated
based on need (Reliability Standard CIP-005-5, Requirement R1.3); (3) whether
the entity has mechanisms to enforce authentication of users with electronic
access (Reliability Standard CIP-007-6, Requirement R5); and (4) whether the
responsible entity routinely uses strong passwords and manages password changes
(Reliability Standard CIP-007-6, Requirement R5).”
5. In
other words, FERC is now saying that just having a firewall isn’t enough to
protect Low impact BES Cyber Systems when they are routably connected to the
outside world. Instead, the four controls just listed also need to be in place.
6. But
they’re actually even going beyond that. They’re saying (paragraph 29) that an
entity that owns Low impact BCS should have an “access control strategy”
(presumably a documented strategy. What in the NERC world doesn’t need to be
documented?). This strategy will of course need to include the four “criteria”
listed in bullet 4 above. FERC continues by saying “In order to ensure an
objective and consistently-applied requirement, the electronic access control
plan required in Attachment 1 should require the responsible entity to
articulate its access control strategy for a particular set of low impact BES
Cyber Systems and provide a technical rationale rooted in security principles
explaining how that strategy will reasonably restrict electronic access.” So
NERC entities with Low BCS will not only have to implement the four types of
controls, but they will have to include these controls (and possibly others) in
a documented access control strategy for Low BCS.
I need to
point out that I’m not saying FERC has done anything wrong here; they certainly
have the power to require NERC to do more than they asked them to do previously.
They have clearly had a change of heart (as well as a change of Commissioners,
of course) since they issued Order 822, and they now believe that simply
throwing a firewall in front of BES Cyber Systems located at a Low impact asset
isn’t enough to protect them; rather, other controls are needed. It is hard to argue with that, of course.
And there’s
one more point to be made before I let you go: What do you think all of this
means for the supposedly set-in-stone principle that an inventory of Low impact
BCS will never be required? Yup, I agree. Once CIP-003-8 (which is of course
the version that will include everything that FERC is proposing to order in the
NOPR) comes into effect, this principle will sleep with the fishes.
But I do
want to remind you that this is just a NOPR, not an Order. FERC is soliciting
comments on everything I’ve just mentioned. If you have any comments, you
should speak now or forever hold your peace!
The views and opinions expressed here are my own, and do
not reflect those of any organization I work with. If you would like to comment
on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i]
FERC also says (in paragraph 73, right after the sentence quoted above), that “As
the Commission noted in Order No. 822, the desired clarification could have
been made by including the security concepts from the Guidelines and Technical
Basis section of Reliability Standard CIP-003-6 in the definition.” I have
looked backwards and forwards in the GTB for CIP-003-6, and I haven’t found any
general discussion of security concepts. There is certainly a lot of discussion
of when LERC is or isn’t present, but that just relates to the question of
whether or not an entity needs to install a LEAP at a Low impact asset. There’s
nothing to suggest that NERC had somehow laid out some basic security concepts in
the GTB, that they should then have required that entities follow for Low
impact assets – but didn’t for some nefarious reason.
No comments:
Post a Comment