FERC’s New NOPR, Part IV: The Other Shoe Drops

This is the fourth post in a series on the NOPR that FERC released in October. The NOPR accomplished two primary goals: 1) FERC announced that they intend to approve CIP-003-7, which was approved by NERC and submitted to FERC early this year; and 2) FERC proposed to order NERC to make two important changes to CIP-003-7, which will have to be incorporated into a new version of CIP-003. This post will focus on the first of those changes; the next (and last) post in this series will discuss the second change.

The first change that FERC ordered has to do with the changes that the CIP Modifications Standards Drafting Team made to the requirement for electronic access control for Low impact assets in CIP-003-6. These changes were balloted (twice) and endlessly discussed by the NERC community in 2016. The final version of CIP-003-7 was approved by NERC and sent to FERC early this year.

These changes were made because FERC, when they approved “CIP version 6” in Order 822, ordered that NERC modify the definition of low impact external routable connectivity (affectionately known as LERC) to clarify the meaning of the word “direct” in the definition. However, when the new CIP Modifications Standards Drafting Team started discussing this issue, they realized that what was really needed was a modification of the requirement for electronic access controls for Low impact BES Cyber Systems. Hence, what was delivered to FERC was a modification of Section 3 of Attachment 1 of CIP-003-6, not a new definition of LERC (the LERC definition was also modified, but it was removed as a separate definition and incorporated into the language of the requirement itself).

In their NOPR, FERC said they intend to approve the revised requirement language. That will come into effect 18 months after FERC issues the actual order approving CIP-003-7. However, they did also indicate that they wanted further changes, beyond what is now in CIP-003-7. What they asked for was interesting on a couple of fronts, and I’ll discuss that now.

FERC’s “Proposal” for these changes is found in Sections 27-32 of the NOPR (starting on page 22). After saying they intend to approve CIP-003-7 as written, FERC then says “However, NERC’s proposed revisions to Reliability Standard CIP-003-7 regarding the LERC directive and electronic access controls for low impact BES Cyber Systems raise certain issues.”

What are these issues? FERC immediately goes back to Order 822, stating “The directive was based on the concern that responsible entities could avoid adopting adequate electronic access protections for low impact BES Cyber Systems by simply installing a device, such as a laptop or protocol converter, in front of the BES Cyber System to ‘break’ the direct routable connection.”

I went back to Order 822 to try to verify what FERC said in the NOPR; and frankly, I’m a little confused. Here is what I think they are saying:

1.      In paragraph 27 of the NOPR (right after the sentence quoted above), FERC says “In Order No. 822, the Commission directed NERC to develop modifications to the LERC definition to eliminate ambiguity surrounding the term “direct” as it is used in the definition.” I agree that is true.

2.     From re-reading the discussion of this topic in Order 822 (starting in paragraph 73 on page 44), it seems FERC was exclusively concerned with making sure there was an adequate protection device (a LEAP) in every case where there was LERC (i.e. Low impact external routable connectivity). I don’t see anything in Order 822 that suggests FERC was asking NERC to go beyond just requiring Low assets with LERC to have a LEAP. But FERC is saying that in Order 822 they really ordered NERC to require Low assets to install “adequate electronic protections” for Low BCS[i], and they’re implying that these should go well beyond having a LEAP.

3.     In paragraph 28 of the NOPR, they state “…proposed Reliability Standard CIP-003-7 does not provide clear, objective criteria or measures to assess compliance by independently confirming that the access control strategy adopted by a responsible entity would reasonably meet the security objective of permitting only ‘necessary inbound and outbound electronic access’ to its low impact BES Cyber Systems.”   In Order 822, FERC seemed quite content to follow NERC’s lead and limit the enforcement of “only necessary inbound and outbound electronic access” to LEAP devices (e.g. firewalls). If there was LERC, the entity needed a LEAP. If there was no LERC, the entity didn’t need a LEAP. End of story.

4.      However, FERC seems to have now re-defined “necessary inbound and outbound electronic access” to include other considerations like authentication and password complexity, although they emphasize there need to be clear criteria for what is required. In paragraph 31, FERC goes back to the CIP v5 requirements for High and Medium impact BCS to find these. They say “For medium and high impact BES Cyber Systems, auditors use the following criteria to review whether the access control strategy is reasonable:  (1) whether the electronic access was granted through an authorized and monitored electronic access point (Reliability Standard CIP-005-5, Requirement R1); (2) whether the electronic access granted to individuals/devices was evaluated based on need (Reliability Standard CIP-005-5, Requirement R1.3); (3) whether the entity has mechanisms to enforce authentication of users with electronic access (Reliability Standard CIP-007-6, Requirement R5); and (4) whether the responsible entity routinely uses strong passwords and manages password changes (Reliability Standard CIP-007-6, Requirement R5).”

5.      In other words, FERC is now saying that just having a firewall isn’t enough to protect Low impact BES Cyber Systems when they are routably connected to the outside world. Instead, the four controls just listed also need to be in place.

6.      But they’re actually even going beyond that. They’re saying (paragraph 29) that an entity that owns Low impact BCS should have an “access control strategy” (presumably a documented strategy. What in the NERC world doesn’t need to be documented?). This strategy will of course need to include the four “criteria” listed in bullet 4 above. FERC continues by saying “In order to ensure an objective and consistently-applied requirement, the electronic access control plan required in Attachment 1 should require the responsible entity to articulate its access control strategy for a particular set of low impact BES Cyber Systems and provide a technical rationale rooted in security principles explaining how that strategy will reasonably restrict electronic access.” So NERC entities with Low BCS will not only have to implement the four types of controls, but they will have to include these controls (and possibly others) in a documented access control strategy for Low BCS.

I need to point out that I’m not saying FERC has done anything wrong here; they certainly have the power to require NERC to do more than they asked them to do previously. They have clearly had a change of heart (as well as a change of Commissioners, of course) since they issued Order 822, and they now believe that simply throwing a firewall in front of BES Cyber Systems located at a Low impact asset isn’t enough to protect them; rather, other controls are needed. It is hard to argue with that, of course.

And there’s one more point to be made before I let you go: What do you think all of this means for the supposedly set-in-stone principle that an inventory of Low impact BCS will never be required? Yup, I agree. Once CIP-003-8 (which is of course the version that will include everything that FERC is proposing to order in the NOPR) comes into effect, this principle will sleep with the fishes.

But I do want to remind you that this is just a NOPR, not an Order. FERC is soliciting comments on everything I’ve just mentioned. If you have any comments, you should speak now or forever hold your peace!

The views and opinions expressed here are my own, and do not reflect those of any organization I work with. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

---

[i] FERC also says (in paragraph 73, right after the sentence quoted above), that “As the Commission noted in Order No. 822, the desired clarification could have been made by including the security concepts from the Guidelines and Technical Basis section of Reliability Standard CIP-003-6 in the definition.” I have looked backwards and forwards in the GTB for CIP-003-6, and I haven’t found any general discussion of security concepts. There is certainly a lot of discussion of when LERC is or isn’t present, but that just relates to the question of whether or not an entity needs to install a LEAP at a Low impact asset. There’s nothing to suggest that NERC had somehow laid out some basic security concepts in the GTB, that they should then have required that entities follow for Low impact assets – but didn’t for some nefarious reason.