In my last post, I discussed an issue that a friend of mine had brought to my attention recently: the fact that NERC may be expecting entities with Low impact assets to show that all electronic access permissions in place (i.e. firewall rule entries) at Low assets were “justified”, rather than simply “necessary”, as required in the wording for CIP-003-7. I quoted from an email by Mike Johnson, who pointed out that there really is a difference between the two words (I had opined in the post that there wasn’t much of a difference). I accepted his argument.
However, I then went on to say that this didn’t really matter, because of a six-word phrase in the requirement: “as determined by the Responsible Entity”. Whatever the meaning of “necessary” in the requirement (i.e. whether or not it is the same as “justified”), it shouldn’t matter (or so I reasoned), because in the end it was up to the entity to determine what is necessary. I recommended that NERC entities still take the conservative approach and assume they have to justify all access permissions, but I also pointed out that if this would be a huge burden, you might want to talk to your friendly local NERC Regional Entity and ask them what they thought of this.
However, the next day I received an email from an auditor who has appeared many times in the august pages of this blog, although of course never by name. He had the nerve to disagree with me, on both points no less! Regarding the first point, he said (of course, basing his argument on pure logic, not anything having to do with CIP in particular):
“If the access is truly necessary, then it is justified. Note the phrase in the definition of “justified” that states “marked by a good or legitimate reason.” If the access is needed or essential (elements of the definition of “necessary”), then it is marked by a good or legitimate reason. If there is no good or legitimate reason, then the access is not necessary.”
I really can’t argue with that. Regarding the second point, he said:
“Where the “as determined by the Responsible Entity” idea falls apart is in the case where the access is really not necessary, as per the definition. A common example is where the Responsible Entity configures access for convenience (e.g., it is easier to grant access to everything in the ESP rather than the three hosts that actually need such access permitted). Under administrative law, there is a concept of reasonableness. Access deemed necessary by the entity but for which the entity cannot demonstrate the essential need is not reasonable. We have seen this type of access and we have written PVs that have been later upheld by Enforcement (Note from Tom: He is talking here about CIP-007 R1, which also includes the proviso that the entity determines what is “needed”, not the auditor – although the auditor did point out separately that this requirement, which applies to High and Medium BES Cyber Systems, necessarily requires a higher bar than does CIP-003-7, which only applies to Lows). Your idea that this is not a big problem because the auditor can only expect to see that you have documentation is invalid.”
In a subsequent email, the auditor elaborated on this statement in the following quote. He also provided some good general advice for preparing for audits:
“What I am saying is that if the entity cannot make a good case for why the permitted access is necessary (i.e., some sort of reasonable justification), then it has not met the Requirement. Please understand that the auditors are looking for obvious concerns and are unlikely to get down into the weeds on a line-by-line basis. We just do not have the time to perform that level of scrutiny, even with the automated tools we use. But we do expect the entity to know why the rule is present, what the rule allows, and why that permitted access is necessary. If all we see is documentation describing what the port is used for (to use 1433 – MS SQL in your example) and not why port 1433 needs to be permitted to everything in the ESP, the auditor is going to investigate further. If we see Class C, Class B, Class A, or, heaven forbid, “IP any any” in a rule, we are going to investigate. It does not mean we will automatically find non-compliance, but we will not simply accept the broad access as being “necessary” on the entity’s word without further discussion. If we see port 80 permitted from the WSUS server into the ESP, we are going to investigate (this one is a bit [OK, a lot] harder for the entity to justify given the way the WSUS server works). Don’t just point to the Microsoft or other vendor documentation that lists all of the ports that the software uses in some fashion. Demonstrate that you know how the port is used by the software. If, for example, you permit every port listed in the Microsoft documentation for Active Directory, you will permit 98% of all available ports, turning your firewall into, and this is a direct quote from the Microsoft documentation, Swiss Cheese. Sadly, something we see all too often is rules that are left over from previous configurations that are no longer needed. This is a basic housekeeping (cyber hygiene) issue. Entities are good at taking the necessary coordination and steps to get a rule put in, but not so good at coordinating when the rule is no longer needed. We see way too much stovepipe operations where one functional group owns the servers and another functional group owns the access control devices – and they don’t regularly talk with each other.”
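The review criteria the auditor lists above (Class A/B/C-sized ranges or “IP any any”, a “what the port is for” with no “why it is needed here”, and leftover rules nobody has re-confirmed) turned into a pre-audit self-check over a rule export. This is an added example, not the auditor’s or the author’s code; the rule record layout, the sample rules with their addresses and dates, and the one-year staleness threshold are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date

@dataclass
class Rule:
    name: str
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    port: str            # TCP/UDP port number or "any"
    purpose: str         # what the port is used for (e.g. "1433 - MS SQL")
    justification: str   # why THIS access is necessary; empty if never recorded
    last_confirmed: date # when the rule's owner last confirmed it is still needed

def scope_of(addr):
    """Label address ranges broad enough that an auditor will investigate, else None."""
    if addr.lower() == "any":
        return "any"
    bits = ipaddress.ip_network(addr, strict=False).prefixlen
    for limit, label in ((8, "Class A-sized"), (16, "Class B-sized"), (24, "Class C-sized")):
        if bits <= limit:
            return label
    return None  # a single host or a small handful of hosts

def review(rule, today, max_age_days=365):
    """Return the questions an auditor would raise about one rule entry."""
    findings = []
    for side, value in (("src", rule.src), ("dst", rule.dst)):
        label = scope_of(value)
        if label:
            findings.append(f"{side} {value} is {label}: show why every host in it needs this access")
    if rule.port.lower() == "any":
        findings.append("port any: name the specific ports the software actually uses")
    if not rule.justification.strip():
        findings.append(f"no 'why': '{rule.purpose}' says what the port is for, not why it is needed")
    if (today - rule.last_confirmed).days > max_age_days:
        findings.append("stale: owner has not confirmed in the last year that the rule is still needed")
    return findings

# Constructed sample rule set: names, addresses and dates are made up for this example.
AS_OF = date(2019, 6, 1)
RULES = [
    Rule("mssql-hist", "10.10.1.5/32", "10.10.2.0/24", "1433", "1433 - MS SQL", "", date(2017, 3, 1)),
    Rule("dnp3-poll", "10.10.1.20/32", "10.10.2.7/32", "20000", "DNP3",
         "EMS front-end polls the RTU gateway; only these two hosts speak DNP3", date(2019, 2, 10)),
    Rule("legacy-any", "any", "any", "any", "unknown", "", date(2015, 6, 1)),
]

def audit(rules=RULES, today=AS_OF):
    """Map each rule name to its findings; an empty list means no follow-up is needed."""
    return {r.name: review(r, today) for r in rules}
```

Running `audit()` on the constructed set leaves the two-host DNP3 rule clean, flags the /24 SQL rule three times (Class C-sized destination, no “why”, not re-confirmed), and flags the leftover any/any rule on every check.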
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. And if you’re a vendor to the power industry, TALLC can help you in various ways, including developing marketing materials, delivering webinars, etc. To discuss this, you can email me at the same address or call me at 312-515-8996.