Thursday, May 24, 2018

An Auditor Disagrees with me, and makes some good Points about Justification

In my last post, I discussed an issue that a friend of mine had brought to my attention recently: the fact that NERC may be expecting entities with Low impact assets to show that all electronic access permissions in place (i.e. firewall rule entries) at Low assets were “justified”, rather than simply “necessary”, as required in the wording for CIP-003-7. I quoted from an email by Mike Johnson, who pointed out that there really is a difference between the two words (I had opined in the post that there wasn’t much of a difference). I accepted his argument.

However, I then went on to say that this didn’t really matter, because of a six-word phrase in the requirement: “as determined by the Responsible Entity”. Whatever the meaning of “necessary” in the requirement (i.e. whether or not it is the same as “justified”), it shouldn’t matter (or so I reasoned), because in the end it was up to the entity to determine what is necessary. I recommended that NERC entities still take the conservative approach and assume they have to justify all access permissions, but I also pointed out that if this would be a huge burden, you might want to talk to your friendly local NERC Regional Entity and ask them what they thought of this.

However, the next day I received an email from an auditor who has appeared many times in the august pages of this blog, although of course never by name. He had the nerve to disagree with me, on both points no less! Regarding the first point, he said (of course, basing his argument on pure logic, not anything having to do with CIP in particular):

“If the access is truly necessary, then it is justified.  Note the phrase in the definition of “justified” that states “marked by a good or legitimate reason.”  If the access is needed or essential (elements of the definition of “necessary”), then it is marked by a good or legitimate reason.  If there is no good or legitimate reason, then the access is not necessary.”

I really can’t argue with that. Regarding the second point, he said:

“Where the “as determined by the Responsible Entity” idea falls apart is in the case where the access is really not necessary, as per the definition.  A common example is where the Responsible Entity configures access for convenience (e.g., it is easier to grant access to everything in the ESP rather than the three hosts that actually need such access permitted).  Under administrative law, there is a concept of reasonableness.  Access deemed necessary by the entity but for which the entity cannot demonstrate the essential need is not reasonable.  We have seen this type of access and we have written PVs that have been later upheld by Enforcement (Note from Tom: He is talking here about CIP-007 R1, which also includes the proviso that the entity determines what is “needed”, not the auditor – although the auditor did point out separately that this requirement, which applies to High and Medium BES Cyber Systems, necessarily requires a higher bar than does CIP-003-7, which only applies to Lows).  Your idea that this is not a big problem because the auditor can only expect to see that you have documentation is invalid.”

In a subsequent email, the auditor elaborated on this statement in the following quote. He also provided some good general advice for preparing for audits:

“What I am saying is that if the entity cannot make a good case for why the permitted access is necessary (i.e., some sort of reasonable justification), then it has not met the Requirement.  Please understand that the auditors are looking for obvious concerns and are unlikely to get down into the weeds on a line-by-line basis.  We just do not have the time to perform that level of scrutiny, even with the automated tools we use.  But we do expect the entity to know why the rule is present, what the rule allows, and why that permitted access is necessary.  If all we see is documentation describing what the port is used for (to use 1433 – MS SQL in your example) and not why port 1433 needs to be permitted to everything in the ESP, the auditor is going to investigate further.  If we see Class C, Class B, Class A, or, heaven forbid, “IP any any” in a rule, we are going to investigate.  It does not mean we will automatically find non-compliance, but we will not simply accept the broad access as being “necessary” on the entity’s word without further discussion.  If we see port 80 permitted from the WSUS server into the ESP, we are going to investigate (this one is a bit [OK, a lot] harder for the entity to justify given the way the WSUS server works).  Don’t just point to the Microsoft or other vendor documentation that lists all of the ports that the software uses in some fashion.  Demonstrate that you know how the port is used by the software.  If, for example, you permit every port listed in the Microsoft documentation for Active Directory, you will permit 98% of all available ports, turning your firewall into, and this is a direct quote from the Microsoft documentation, Swiss Cheese.  Sadly, something we see all too often are rules that are left over from previous configurations that are no longer needed.  This is a basic housekeeping (cyber hygiene) issue.
Entities are good at taking the necessary coordination and steps to get a rule put in, but not so good at coordinating when the rule is no longer needed.  We see way too much stovepipe operations where one functional group owns the servers and another functional group owns the access control devices – and they don’t regularly talk with each other.”
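As an added illustration (my own, not code from the post or from the auditor), here is a pre-audit self-check that walks a firewall ruleset and flags exactly the things the auditor says draw scrutiny: “any” or Class C-or-wider scopes, a justification that records what a port is for but not why that scope is necessary, and rules nobody has reviewed in a long time. The rule fields, the sample rules, the thresholds and the keyword heuristic for a “why” statement are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date

# Assumed record layout for one access permission (firewall rule entry).
@dataclass
class Rule:
    name: str
    src: str            # CIDR or "any"
    dst: str            # CIDR or "any"
    proto: str
    port: str           # "1433", "any", ...
    justification: str  # the entity's own reason the scope is necessary
    last_reviewed: date

NARROWEST_FLAGGED_PREFIX = 24   # /24 (Class C) and wider is "investigate"
STALE_AFTER_DAYS = 365          # leftover-rule hygiene threshold (assumed)
WHY_WORDS = ("because", "needs", "required", "so that")  # crude "why" heuristic

def scope_findings(field: str, value: str) -> list:
    """Flag 'any' or a prefix of /24 or wider in a source/destination."""
    if value.lower() == "any":
        return [f"{field} is 'any'"]
    net = ipaddress.ip_network(value, strict=False)
    if net.prefixlen <= NARROWEST_FLAGGED_PREFIX:
        return [f"{field} {value} is a /{net.prefixlen} (Class C or wider)"]
    return []

def review_rule(rule: Rule, today: date) -> list:
    """Return the list of things an auditor would ask about for one rule."""
    findings = scope_findings("source", rule.src) + scope_findings("destination", rule.dst)
    if rule.port.lower() == "any":
        findings.append("port is 'any'")
    just = rule.justification.strip().lower()
    if not just:
        findings.append("no justification recorded")
    elif not any(w in just for w in WHY_WORDS):
        findings.append("justification names the service but not why this scope is necessary")
    if (today - rule.last_reviewed).days > STALE_AFTER_DAYS:
        findings.append("not reviewed in over a year; confirm still needed")
    return findings

def audit(rules: list, today: date) -> dict:
    return {r.name: review_rule(r, today) for r in rules}

# Constructed sample ruleset (not real entity data); date is the post's date.
TODAY = date(2018, 5, 24)
RULES = [
    Rule("hmi-to-historian", "10.10.5.7/32", "10.10.20.14/32", "tcp", "1433",
         "HMI client needs SQL access to the historian because it pulls tag data", date(2018, 1, 15)),
    Rule("sql-to-whole-esp", "10.10.5.7/32", "10.10.20.0/24", "tcp", "1433",
         "Port 1433 is used for MS SQL", date(2016, 3, 1)),
    Rule("catch-all", "any", "any", "ip", "any", "", date(2015, 1, 1)),
]
```

Running `audit(RULES, TODAY)` leaves the first rule clean and lists three findings for the /24 rule and five for the “IP any any” rule; the output is a to-do list for the rule owners, not a compliance verdict.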

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. And if you’re a vendor to the power industry, TALLC can help you in various ways, including developing marketing materials, delivering webinars, etc. To discuss this, you can email me at the same address or call me at 312-515-8996.
