Monday, June 4, 2018

A Hole in the new Low impact Electronic Access Control Requirement

I had a conversation today with someone I have known for quite some time who is a very close follower of developments in NERC CIP. He pointed out to me a serious flaw in the Low impact electronic access control requirement in CIP-003-7. If a lot of entities take advantage of this flaw to lower their compliance burden, this could end up undermining the security of many Low impact assets. However, I would guess that most NERC entities with Low assets will do the right thing from a security POV anyway, so this post is more in the interesting facts category than the “sound the alarm” category.

Section 3 of Attachment 1 of CIP-003-7 starts off with this wording:

Electronic Access Controls: For each asset containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement electronic access controls to:

3.1 Permit only necessary inbound and outbound electronic access as determined by the Responsible Entity for any communications that are:
i. between a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset containing low impact BES Cyber System(s);

Note that this requirement is written strictly to protect communications between BES Cyber Systems located at a Low impact asset and any Cyber Asset outside the Low asset. By contrast, the electronic access control requirement for Medium and High impact BCS, CIP-005-5 R1, is applicable not just to BCS but also to the Protected Cyber Assets (PCA) that are associated with them.

Of course, it is good that this is the case for Mediums and Highs. Since PCAs are Cyber Assets that are routably connected to one or more BCS, they can easily be used as “jumping-off points” to attack the BCS themselves. It makes no sense to protect just some systems on a network; if they aren’t all protected, then none of them are really protected.

However, when it comes to Low assets, there is no concept of a PCA. At Medium and High impact assets, PCAs are identified by first drawing the ESP, then identifying any systems that aren’t part of a BCS as PCAs. But the entity owning a Low asset isn’t required to designate an ESP in the first place[i] – so there is no way, without rewriting requirements, for there to be PCAs. This means that, in the case where there is a routable network at the Low asset that contains at least once BCS, according to the requirement only the BCS on that network need to be protected, not any other devices.

I don’t know whether or not I had even thought about this problem previously, but I know that if I had, I wouldn’t have thought about it for long - simply because the answer would have seemed so obvious to me. That answer is that entities will normally use a firewall to protect the whole network that contains a Low BCS, so the “PCAs” will be protected anyway, even if that isn’t required. And if the entity wouldn’t use a firewall, they would use another device like a data diode, or a procedure like putting all BCS on a separate, air-gapped network that doesn’t have an external routable connection. The idea is that these two use cases – and most of the others found in the concept diagrams starting on page 36 in the Guidance and Technical Basis for CIP-003-7 – protect the whole network, just like a firewall would. If any of these use cases is in place, every device on the network is protected, whether or not it is a component of a BES Cyber System.

However, my friend pointed out to me that there were at least two cases in which an entity could comply with the Low impact Electronic Access Control requirement in CIP-003-7, yet still only protect the BCS. The first of these is described in the first concept diagram: the case in which host-based firewall technology is used to protect just the BES Cyber System(s) but nothing else on the network. The second is the case in which a network firewall is used, but access is restricted just for the BCS on the network; access to other devices is left unrestricted (or perhaps under-restricted, if there are huge port ranges open that aren’t justified).

So the “hole” in CIP-003-7 is that it’s possible to be perfectly compliant with the Low impact electronic access control requirement, yet still leave the Low impact BCS effectively unprotected, because the other Cyber Assets on the network are completely unprotected against external threats. Is it likely that many NERC entities will take advantage of this hole in order to reduce the work they need to perform at Low impact assets? I doubt it, but I’ve been surprised before.

Will the hole be “patched” in the future? My guess is not, since the time to do it would have been in April, when FERC issued Order 843. Assuming they knew about the problem, the fact that FERC didn’t order NERC to patch the hole is probably due to one or more of these three reasons:

  1. They knew that patching the hole would almost certainly mean doing away with the provision in CIP-002 and CIP-003 that an inventory of Low impact BCS isn’t required (it would be pretty hard to show that all the “PCAs” on the network had been protected if you didn’t know which devices were components of a BCS and which weren’t) – and this would provoke a huge fight.
  2. They knew that the changes in CIP-003-7 had been very controversial among the NERC entities, and they wanted to avoid starting another such battle on the heels of that one.
  3. They knew that the electronic access control requirement in CIP-003-6 would have avoided this problem, since it required a LEAP (low impact electronic access point, typically part of a network firewall) whenever there is LERC (low impact external routable connectivity). In requiring the hole be fixed in CIP-003-7, they would effectively have been saying “You know, we’ve decided that CIP-003-6 wasn’t quite as bad as we thought it was. We’d like you to bring back the LERC/LEAP idea, while still fixing the problem we asked you to fix in the first place in Order 822 – namely, the fact that the word ‘direct’ in the definition of LERC was unclear. Of course, we know that will require just as much – if not more – work than was required for CIP-003-7. But don’t worry – it’s all for the cause of BES security. Have a nice day.” This would probably have prompted most of the CIP Modifications drafting team members – who collectively spent many man-years drafting the new requirement and shepherding it through the perilous balloting and approval process – to commit group suicide.

So I doubt very much this hole in CIP-003-7 will ever be filled. What will save the grid from collapsing due to a massive cyberattack on Low impact assets? Owners of Low impact assets will simply have to – using the title of Spike Lee’s movie masterpiece – “Do the Right Thing” and put in a network firewall (or other protection that applies to the whole network), even though it’s not required. But this leads to an interesting question: If NERC CIP is so brittle that a gaping hole like this one can’t be fixed other than simply crossing our fingers and hoping for the best, does this mean there are fundamental problems with the whole NERC CIP compliance regime?

Yes, it does.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. And if you’re a vendor to the power industry, TALLC can help you in various ways, including developing marketing materials, delivering webinars, etc. To discuss this, you can email me at the same address.     

[i] And the reason they’re not required to designate an ESP is because this would lead to an implicit requirement to develop an inventory of Low impact BES Cyber Systems, which is explicitly ruled out by language in CIP-002 and CIP-003.

No comments:

Post a Comment