I had a
conversation today with someone I have known for quite some time who is a very
close follower of developments in NERC CIP. He pointed out to me a serious flaw
in the Low impact electronic access control requirement in CIP-003-7.
If a lot of entities take advantage of this flaw to lower their compliance
burden, this could end up undermining
the security of many Low impact assets. However, I would guess that most NERC
entities with Low assets will do the right thing from a security POV anyway, so
this post is more in the interesting facts category than the “sound the alarm”
category.
Section 3 of
Attachment 1 of CIP-003-7 starts off with this wording:
Electronic Access Controls: For
each asset containing low impact BES Cyber System(s) identified pursuant to
CIP-002, the Responsible Entity shall implement electronic access controls to:
3.1 Permit only necessary inbound and
outbound electronic access as determined by the Responsible Entity for any
communications that are:
i. between a low impact BES Cyber
System(s) and a Cyber Asset(s) outside the asset containing low impact BES
Cyber System(s);
….
Note that this requirement is written
strictly to protect communications between BES Cyber Systems located at a Low
impact asset and any Cyber Asset outside the Low asset. By contrast, the
electronic access control requirement for Medium and High impact BCS, CIP-005-5
R1, is applicable not just to BCS but also to the Protected Cyber Assets (PCA)
that are associated with them.
Of course, it is good that this is the case
for Mediums and Highs. Since PCAs are Cyber Assets that are routably connected
to one or more BCS, they can easily be used as “jumping-off points” to attack
the BCS themselves. It makes no sense to protect just some systems on a
network; if they aren’t all protected, then none of them are really protected.
However, when it comes to Low assets, there
is no concept of a PCA. At Medium and High impact assets, PCAs are identified
by first drawing the ESP, then identifying any systems that aren’t part of a
BCS as PCAs. But the entity owning a Low asset isn’t required to designate an
ESP in the first place[i]
– so there is no way, without rewriting requirements, for there to be PCAs.
This means that, in the case where there is a routable network at the Low asset
that contains at least one BCS, according to the requirement only the BCS on
that network need to be protected, not any other devices.
I don’t know whether or not I had even thought
about this problem previously, but I know that if I had, I wouldn’t have
thought about it for long - simply because the answer would have seemed so
obvious to me. That answer is that entities will normally use a firewall to
protect the whole network that contains a Low BCS, so the “PCAs” will be
protected anyway, even if that isn’t required. And if the entity wouldn’t use a
firewall, they would use another device like a data diode, or a procedure like putting
all BCS on a separate, air-gapped network that doesn’t have an external
routable connection. The idea is that these two use cases – and most of the
others found in the concept diagrams starting on page 36 in the Guidance and
Technical Basis for CIP-003-7 – protect the whole network, just like a firewall
would. If any of these use cases is in place, every device on the network is
protected, whether or not it is a component of a BES Cyber System.
However, my friend pointed out to me that
there were at least two cases in which an entity could comply with the Low
impact Electronic Access Control requirement in CIP-003-7, yet still only
protect the BCS. The first of these is described in the first concept diagram:
the case in which host-based firewall technology is used to protect just the
BES Cyber System(s) but nothing else on the network. The second is the case in
which a network firewall is used, but access is restricted just for the BCS on
the network; access to other devices is left unrestricted (or perhaps
under-restricted, if there are huge port ranges open that aren’t justified).
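The two cases above come down to a question a defender can actually check against a rule base: for every host on the Low asset's routable segment, BCS component or not, how many inbound ports are reachable from outside? The script below is an added example, not code from the original post or from NERC; the rule format, the host inventory, the addresses and the rule sets are all constructed for illustration. It evaluates first-match rules per host, classifies each host as restricted, broad (huge unjustified port range) or unrestricted (catch-all allow), and lists the non-BCS hosts that are left open, with the "restrict only the BCS" rule set shown beside a whole-network default-deny rule set.

```python
"""Audit which hosts on a Low impact asset's network segment actually have
their inbound access restricted by a firewall rule set.

Added example, not code from the original post. The rule format, the host
inventory and the rule sets below are all constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PORT_MAX = 65535


@dataclass(frozen=True)
class Rule:
    """One inbound rule: traffic from outside the asset to `dst` on `ports`."""
    dst: str       # CIDR or single host (constructed format)
    ports: tuple   # inclusive (low, high) TCP/UDP port range
    action: str    # "allow" or "deny"


def allowed_inbound_ports(host, rules, default="deny"):
    """Return the number of ports on `host` reachable from outside.

    Rules are evaluated first-match, like most firewall rule bases; ports not
    matched by any rule fall through to `default`.
    """
    addr = ip_address(host)
    decision = [None] * (PORT_MAX + 1)  # index = port, value = action
    for rule in rules:
        if addr not in ip_network(rule.dst, strict=False):
            continue
        low, high = rule.ports
        for port in range(low, high + 1):
            if decision[port] is None:  # first matching rule wins
                decision[port] = rule.action
    return sum(1 for p in range(1, PORT_MAX + 1)
               if (decision[p] or default) == "allow")


def audit_segment(inventory, rules, default="deny", broad_threshold=1024):
    """Classify every host on the segment, BCS component or not.

    'unrestricted': every port reachable (the catch-all case in the post);
    'broad':        more than `broad_threshold` ports open (unjustified ranges);
    'restricted':   only a small, explicit set of ports reachable.
    """
    findings = {}
    for host in inventory:
        open_ports = allowed_inbound_ports(host, rules, default)
        if open_ports == PORT_MAX:
            findings[host] = "unrestricted"
        elif open_ports > broad_threshold:
            findings[host] = "broad"
        else:
            findings[host] = "restricted"
    return findings


def unprotected_non_bcs(findings, inventory):
    """Hosts that are not BCS components but are reachable more or less at
    will: the would-be PCAs the post is concerned with."""
    return sorted(h for h, role in inventory.items()
                  if role != "bcs" and findings[h] != "restricted")


# Constructed inventory of one routable segment at a Low impact asset.
INVENTORY = {
    "10.1.1.10": "bcs",    # e.g. a relay that is a BCS component
    "10.1.1.11": "bcs",    # e.g. an RTU that is a BCS component
    "10.1.1.20": "other",  # engineering workstation, not a BCS component
    "10.1.1.21": "other",  # network printer, not a BCS component
}

# Second case from the post: the network firewall restricts only the BCS;
# the rest of the segment gets a huge port range or a catch-all allow.
WEAK_RULES = [
    Rule("10.1.1.10/32", (502, 502), "allow"),        # Modbus/TCP poll to relay
    Rule("10.1.1.10/32", (1, PORT_MAX), "deny"),
    Rule("10.1.1.11/32", (502, 502), "allow"),
    Rule("10.1.1.11/32", (1, PORT_MAX), "deny"),
    Rule("10.1.1.20/32", (1024, PORT_MAX), "allow"),  # "just the high ports"
    Rule("10.1.1.20/32", (1, PORT_MAX), "deny"),
    Rule("10.1.1.0/24", (1, PORT_MAX), "allow"),      # everyone else wide open
]

# Whole-network protection: explicit allows for what is needed, default deny
# for every other host and port on the segment.
HARDENED_RULES = [
    Rule("10.1.1.10/32", (502, 502), "allow"),
    Rule("10.1.1.11/32", (502, 502), "allow"),
    Rule("10.1.1.20/32", (22, 22), "allow"),          # one justified admin port
]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        findings = audit_segment(INVENTORY, rules)
        print(name, findings, "unprotected non-BCS:",
              unprotected_non_bcs(findings, INVENTORY))
```

The first case in the post, host-based firewalls on the BCS only and no network firewall at all, is the same audit with `default="allow"` and only the per-BCS rules (the first four entries of `WEAK_RULES`): every non-BCS host then comes back unrestricted. With the hardened rule set, default deny at the network edge makes every host on the segment restricted whether or not anyone ever decided it was a BCS component, which is the property the requirement does not demand but a whole-network control delivers.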
So the “hole” in CIP-003-7 is that it’s possible
to be perfectly compliant with the Low impact electronic access control
requirement, yet still leave the Low impact BCS effectively unprotected, because
the other Cyber Assets on the network are completely unprotected against
external threats. Is it likely that many NERC entities will take advantage of
this hole in order to reduce the work they need to perform at Low impact
assets? I doubt it, but I’ve been surprised before.
Will the hole be “patched” in the future? My
guess is not, since the time to do it would have been in April, when FERC
issued Order
843. Assuming they knew about the problem, the fact that FERC didn’t order
NERC to patch the hole is probably due to one or more of these three reasons:
- They knew that
patching the hole would almost certainly mean doing away with the
provision in CIP-002 and CIP-003 that an inventory of Low impact BCS isn’t
required (it would be pretty hard to show that all the “PCAs” on the
network had been protected if you didn’t know which devices were
components of a BCS and which weren’t) – and this would provoke a huge
fight.
- They knew that the
changes in CIP-003-7 had been very controversial among the NERC entities,
and they wanted to avoid starting another such battle on the heels of that
one.
- They knew that the
electronic access control requirement in CIP-003-6 would have avoided this
problem, since it required a LEAP (low impact electronic access point,
typically part of a network firewall) whenever there is LERC (low impact
external routable connectivity). In requiring the hole be fixed in
CIP-003-7, they would effectively have been saying “You know, we’ve
decided that CIP-003-6 wasn’t quite as bad as we thought it was. We’d like
you to bring back the LERC/LEAP idea, while still fixing the problem we
asked you to fix in the first place in Order
822 – namely, the fact that the word ‘direct’ in the definition of
LERC was unclear. Of course, we know that will require just as much – if
not more – work than was required for CIP-003-7. But don’t worry – it’s
all for the cause of BES security. Have a nice day.” This would probably
have prompted most of the CIP Modifications drafting team members – who
collectively spent many man-years drafting the new requirement and
shepherding it through the perilous balloting and approval process – to
commit group suicide.
So I doubt very much this hole in CIP-003-7
will ever be filled. What will save the grid from collapsing due to a massive
cyberattack on Low impact assets? Owners of Low impact assets will simply have
to – using the title of Spike Lee’s movie masterpiece – “Do the Right Thing”
and put in a network firewall (or other protection that applies to the whole
network), even though it’s not required. But this leads to an interesting
question: If NERC CIP is so brittle that a gaping hole like this one can’t be
fixed other than simply crossing our fingers and hoping for the best, does this
mean there are fundamental problems with the whole NERC CIP compliance regime?
Yes, it does.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that
if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or
challenges like what is discussed in this post. And if you’re a vendor to the
power industry, TALLC can help you in various ways, including developing
marketing materials, delivering webinars, etc. To discuss this, you can email
me at the same address.
[i]
And the reason they’re not required to designate an ESP is because this would
lead to an implicit requirement to develop an inventory of Low impact BES Cyber
Systems, which is explicitly ruled out by language in CIP-002 and CIP-003.