This is the second of two posts that contain unadulterated good news for entities subject to the NERC CIP requirements. You make think my motivation for doing these posts is that I was visited by three ghosts on Christmas Eve who told me to mend my ways. It isn’t that, but rather the realization that I always have a big queue of things I want to write about, and I should try to prioritize the good things to post around holiday season.
In November, I wrote this post about the NOPR that FERC issued in October, stating their intention to approve CIP-003 version 7. This is the version of CIP-003 that was much debated and approved last year (i.e. in 2016), which eliminated the definitions of LERC and LEAP and incorporated those concepts into the requirement itself (and if you’re hazy about what this debate was all about, this post and this one may refresh your memory. My memory certainly needed refreshment!). Of course, this whole discussion has to do with Low impact assets (mostly substations) that have some sort of routable connection to the outside world.
As discussed in my November post, what I found most surprising in the NOPR was that FERC clearly stated their intention to push NERC to go well beyond what is in CIP-003 v7. That standard, which will come into effect 18 months after FERC issues the Order they committed to issuing in their NOPR, requires that an entity owning a Low impact asset, for which there is at least one routable communications stream with a cyber asset outside of the boundary of the asset itself, have in place some means of mitigating the risk posed by that communications. It could be a device like a firewall (formerly known as a LEAP), but it could be something else like network separation, a unidirectional gateway, etc.
In the NOPR, FERC said they will approve v7 as written. However, they also asked for comments on going beyond what is in v7 to require further steps for Low assets. Specifically, they pointed to authentication and password complexity as two of the four items[i] they would now like included in the requirement for securing BES Cyber Systems located at Low impact assets that contain some form of external routable connectivity. They might also ask for more than those four items. Of course, since NERC’s Rules of Procedure don’t allow changes to be made to a standard once it has been approved by the NERC Board of Trustees (and all new standards are approved by the BoT before they’re even submitted to FERC for their approval), these changes will be in a new version of CIP-003, which will be version 8 (and that version won’t be effective for 3-4 years from when FERC orders it).
In my November post, I pointed out at the end that I thought it was clear that the changes FERC is proposing will doom what has been a bedrock principle of NERC’s Low impact compliance program since CIP v5: that no inventory of Low impact BES Cyber Systems will be required. My reason for saying this (not stated in the post) was that I simply didn’t see any way that this principle could be preserved if CIP-003 is going to require authentication and password complexity for Low impact BCS. It seemed to me that there would be no way these requirements could be audited, absent an inventory of Low impact BCS.
However, a couple weeks after that post, an auditor wrote in to me with critiques of several of the points I had made in the post, including the one I just cited. I will quote in full what he said on this topic:
“(Auditing the new requirements that FERC is considering can be done without requiring the entity have) an enumerated list of Low Impact BCS or their component Cyber Assets. Now, as an auditor, I may ask the entity to demonstrate that the controls have been implemented, so at that time I may ask for a list of the relays in a sampled substation. Or, knowing that there will be a breaker relay in the substation for a circuit breaker on a Transmission Line or bus, I might ask for the Station 1-Line diagram or SCADA substation display, point to a breaker drawn on that diagram, and ask for evidence associated with that breaker’s relay. I might even visit a randomly selected substation, point to a SEL-421 distance protection relay and inquire how it is managed. Remember that relaying engineers typically do not do anything without a work order and all sorts of authorizations, so being able to come up with the work order to change a password on that very device might not be an insurmountable challenge requiring additional records keeping not already being done. And if they are not managing the passwords on the relays, then shame on them. Then again, if they implemented the SEL-3620 or equivalent, I don’t need to look at any controls on the relays because access is well managed at the gateway. The point is that there is still no mandate that the entity identify every Cyber Asset in a Low Impact environment, identify the subset of those Cyber Assets that are Low Impact BCAs, and group them into a documented list of Low Impact BCS, and I can envision how the new requirements can be implemented and audited without requiring a list of Low Impact BCS.”
To paraphrase this quotation, the auditor points out at the end why many NERC entities are so worried about possibly needing to maintain an inventory of Low BCS. To do this will require doing pretty much everything that needs to be done to identify BCS at Medium and High impact assets now: identify every Cyber Asset at the Low impact asset, use the BES Cyber Asset definition to determine which of these are BCAs, and finally group BCAs (and possibly other Cyber Assets) into BES Cyber Systems. Then repeat this on a regular basis, so as to include new Cyber Assets that may have been added.
But he makes it clear that he thinks I’m wrong in (implicitly) stating that requiring authentication and password complexity on Low BCS will inevitably require an inventory. I assumed this was inevitable because there would be no way to audit these requirements without an inventory, but he thinks I’m simply wrong in this assumption. He points out several ways he could audit these requirements without demanding that the entity produce an inventory of all of their Low impact BCS.
And now that I read his words again, I realize I was making a false analogy from Medium and High impact BCS. While these BCS are also required to have authentication and password complexity, these and other such requirements aren’t the reason why an inventory of Medium and High impact BCS is required under CIP v5/v6. The reason an inventory is required is because CIP-002 R1 requires it, period. And CIP-002 R1 not only doesn’t require an inventory of Low BCS, it explicitly states that such an inventory won’t be required.
All of this isn’t to say that, once CIP-003 version 8 comes into effect, NERC entities won’t be under even more pressure from their regions to maintain an inventory of Low impact BCS. Some of the regions have already stated that they would like to see their entities do this, and they will be able to make that statement with even more justification once CIP-003-8 comes into effect. But until the statement that an inventory of Low BCS isn’t needed is actually removed from the CIP standards – and now it’s found in CIP-003-6 and CIP-003-7, as well as in CIP-002 R1 and Attachment 1 – I think NERC entities can rest assured that nothing fundamental has changed in this regard, no matter what requirements end up in CIP-003-8.
The views and opinions expressed here are my own, and do not reflect those of any organization I work with. If you would like to comment on what you have read here, I would love to hear from you. Please email me at firstname.lastname@example.org.