Wednesday, April 7, 2021

Webinar: How to Improve Security and Reduce NERC CIP Compliance Costs Using Smart Identification


In December, I put up two sponsored posts (which ended up getting a little overwhelmed since they came immediately before and immediately after the SolarWinds attacks were announced) about XTec, the leading vendor of PIV (personal identity verification) cards to the federal government and to the military (although the military version of the card is referred to as CAC). The introductory post is here and a second one, dealing with how PIV cards can help in emergency response situations, is here.

Now I’m happy to announce that I’ll be participating in an XTec-sponsored webinar with the above title, which will be conducted by Energy Central on April 15 from 2:00 to 3:30 PM Eastern Time (and don’t tell me you have to do your taxes: the IRS pushed back the due date ’til May 17. Of course, I don’t recommend waiting until the evening of that date to start!). Registration is here. If you sign up but can’t make the webinar, you’ll be sent a link to the recording afterwards.

The purpose of the webinar is twofold: to describe the many security benefits of PIV card technology (my favorite: no more passwords!) and to discuss specific ways in which a PIV card-based solution can help a NERC entity comply with the NERC CIP standards (preferably XTec’s solution, of course, but the webinar focuses on the technology itself; PIV is an open standard implemented by multiple vendors). The webinar identifies about 23 CIP requirement parts for which XTec’s solution can help you meet a substantial portion of the part, or in some cases the entire part. For at least six of those parts, PIV cards eliminate your entire compliance obligation other than documenting why that is the case, because those parts address risks arising from the use of passwords, and, as I’ve already said and as we’ll say repeatedly in the webinar, PIV cards eliminate the need for passwords.

I and two XTec staff members (one of whom, Danny Vital, will also participate in the webinar) have prepared a white paper that is the basis for our discussion on the 15th. If you want to get a jump on the webinar, you can read the paper now: it will be posted on XTec’s web site soon, but I’ve reproduced it in full below. See you next Thursday!

Using PIV cards to increase security and lower CIP compliance costs

In 2004, the US government committed to a new standard for identity and access management across all civilian and military agencies: PIV (Personal Identity Verification for government) and CAC (Common Access Card for military) cards. Today, almost all federal government and military personnel carry a PIV or CAC card, which authenticates their access both to physical facilities and to systems that support their work. (In this paper we will refer to the technology as PIV for brevity.)

In the electric power industry, this same technology can both make your organization more secure and greatly reduce the amount of time and money you spend on NERC CIP compliance. In this white paper, we will discuss the five most important ways in which PIV cards can help your organization achieve both of these goals.

One card for physical and logical access

One of the most important features of PIV cards is that the user only has to carry one card. It authenticates both physical access to buildings and other facilities, and logical access to computers and other intelligent devices the employee uses to perform their work. Of course, this is a big convenience for the user, since they just need to carry one card and remember one simple PIN.

However, PIV cards are an even bigger convenience for the organization that implements them. There are several reasons for this:

  1. Both physical and logical access can be provisioned at once, based on the person’s role.
  2. When the person changes jobs, their previous accesses can be quickly disabled and their new accesses immediately provisioned.
  3. When the person leaves the organization, all of their physical and logical access can be removed in one step.

Having a single access management console for both physical and logical access can save your organization a lot of time in complying with the following CIP requirement parts:

  • CIP-004-6 R4.1 through R4.4: A single identity management system can authorize, provision, review, and remove an individual’s access both to systems and to physical facilities. A full role-based capability makes this very easy once your organization has defined its roles.
  • CIP-004-6 R5.1 through R5.5: Your organization can quickly remove access to the systems, physical facilities and information repositories (including those for BES Cyber System Information), to which an individual had access; this is done at a single console and with minimal delay. You can do this whether the individual was terminated, left voluntarily, or changed roles within the organization.
  • CIP-006-6 R1.2, R1.3 and R1.8: PIV cards provide multi-factor authentication and logging at all physical facilities.

Multi-factor authentication

You probably already understand the principle behind multi-factor authentication (MFA): your security is greatly enhanced if the user needs to supply more than one “factor” whenever they enter a building or log on to a computer. There are three types of factors:

  1. Something you know (a password or PIN)
  2. Something you have (a card that contains an electronic identifier, or a number provided to the user via a hard or soft security token, or a text to their cell phone)
  3. Something you are (a biometric “template” like a fingerprint)

A PIV card allows use of all three of these factors in authentication:

  1. Upon inserting their PIV card for access to a building or a system, the user is prompted to enter their simple PIN – something they know.
  2. The card contains an X.509 digital certificate whose private key is generated on the card and can never be copied out of it or altered – something the user has.
  3. A template of the user’s fingerprint is stored on the card. Some PIV card readers have a fingerprint scanner, which compares the user’s fingerprint to the template stored on the card. This provides a third factor – something the user is.

With PIV cards and card readers in place, you can have multi-factor authentication literally anywhere in your organization, i.e. a) for access to all devices on both your IT and OT networks, and b) for access to physical facilities including office buildings, substations, generating stations, etc. For some systems or facilities requiring a higher level of security, you can also require the fingerprint scan (or you might require it everywhere!). Conversely, in lower-security situations you can require just the card, not a PIN.
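To make the three factors concrete, here is an added Go example (not from the paper or from any vendor’s product) that models both the card side and the relying-party side of a PIV logon: the PIN unlocks the card, the card signs a fresh challenge with a private key that never leaves it, and the reader verifies that signature with the public key taken from the card’s certificate. The Card type, the PIN retry limit and the use of ECDSA P-256 are assumptions for illustration; a real card’s applet and retry counter are defined by the PIV standard.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Card models the PIV applet: the private key is generated on-card and never exported.
type Card struct {
	priv       *ecdsa.PrivateKey
	pin        string
	FailedPINs int // consecutive wrong PINs; at MaxPINTries the card refuses to sign
}

const MaxPINTries = 3 // assumed retry limit; real cards enforce their own PIN counter

// NewCard enrols a card and returns the public key from its X.509 certificate.
func NewCard(pin string) (*Card, *ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 is a PIV-approved curve
	return &Card{priv: priv, pin: pin}, &priv.PublicKey
}

// SignChallenge is the card's side: check the PIN ("something you know"), then
// sign with the on-card key ("something you have"). Wrong PINs block the card.
func (c *Card) SignChallenge(pin string, challenge []byte) []byte {
	if c.FailedPINs >= MaxPINTries || pin != c.pin {
		c.FailedPINs++ // only a correct PIN resets the counter, so a blocked card stays blocked
		return nil
	}
	c.FailedPINs = 0
	h := sha256.Sum256(challenge)
	sig, _ := ecdsa.SignASN1(rand.Reader, c.priv, h[:])
	return sig
}

// Authenticate is the relying party's side: a fresh random nonce must verify under the
// enrolled public key, so a copied certificate without the card cannot pass.
func Authenticate(enrolled *ecdsa.PublicKey, card *Card, pin string) bool {
	nonce := make([]byte, 32)
	rand.Read(nonce)
	h := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(enrolled, h[:], card.SignChallenge(pin, nonce))
}

func main() {
	card, pub := NewCard("123456")
	println(Authenticate(pub, card, "123456"), Authenticate(pub, card, "000000")) // true false
}
```

Because every logon signs a new nonce, a captured signature cannot be replayed, and a second card enrolled with the same PIN is rejected because its key does not match the enrolled certificate.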

One note: if you prefer contactless single-factor authentication in some cases – e.g. doors in low-risk areas – many PIV cards also have contactless capability, as long as contactless card readers are deployed.

There are two CIP requirement parts that require MFA, as well as one part where it would be a good idea but is not required. If your organization uses PIV cards, you already have everything you need to comply with them:

  • CIP-003-8 R2 Attachment 1 Section 2: PIV cards allow your organization to implement multi-factor authentication at low impact NERC CIP assets, as well as medium and high impact assets. This isn’t required, but it’s certainly a best practice.
  • CIP-005-6 R2.3: If the remote system (e.g. in an employee’s home) is protected with a PIV card reader, the employee can be multi-factor authenticated for Interactive Remote Access using their normal card and PIN.
  • CIP-006-6 R1.3: The employee’s PIV card, PIN and (optionally) fingerprint scan provide MFA for access to High impact Control Centers.

No passwords

Many cybersecurity professionals will tell you that the biggest source of cyber risk in their organization is passwords. As Michael Chertoff, former head of Homeland Security, put it: “The password is by far the weakest link in cybersecurity today.”

In other words, it is far too easy to steal or guess passwords. Dragos reported that about half of the energy companies covered in one of their reports used similar login credentials for both IT and OT networks, making it much easier for attackers to penetrate the OT network.

Passwords present a fundamental problem: They need to be as complex as possible in order to be secure, but they also need to be as simple to remember as possible so that users don’t write them down, use the same password across systems and on the internet, etc. In the electric power industry, passwords are often shared, because of the need for multiple people to be able to quickly access the same systems at different times (for example in substations or Control Centers).

While there are some commercial solutions available to partially address this problem, wouldn’t it be great if you could deploy the ultimate solution: eliminate passwords altogether? With PIV cards, you can do that! PIV cards contain a digital certificate that is unique to the individual, whose private key can’t be copied out of the card or altered. This, along with a simple PIN entered by the user, provides a higher level of security than even the most complex password. And you can always require a fingerprint scan as well, when you believe the highest level of security is required.

There are many NERC CIP requirements that are based on passwords; PIV cards can help you comply with all of these, probably at a much lower cost in staff time and money than you are incurring now. Here are some of the most important examples:

  • CIP-004-6 R5.5 and CIP-007-6 R5.3 both apply to shared accounts. If your organization deploys PIV cards to employees (and contractors, if needed), there will no longer be any need for shared accounts. This is because the user will only need their card and an easy-to-remember PIN. In fact, you will always be able to require a fingerprint scan as well, for the highest level of security.
  • CIP-007-6 R5.4 requires changing default passwords. If a system is protected with a PIV card reader, any default password that might be on the system is irrelevant; there is no pathway to access the system, even if a user knows the default password.
  • CIP-007-6 R5.5 and R5.6 require controls on password length and complexity as well as password changes, but they only apply to systems with “password-only authentication”. Any system with a PIV card reader is out of scope for both of these requirements!
  • CIP-007-6 R5.7 requires limiting the number of unsuccessful authentication attempts. When users are authenticated using PIV cards, there is no password for an attacker to guess. Any attempt to use an invalid PIV card, even once, will be blocked and an alert generated, as will repeated attempts to enter an invalid PIN with a valid card.

Storing PRA and training renewal dates on the PIV card

Besides the digital certificate and fingerprint scan template, other information (for example, certifications) can be stored on the card and read by the card reader to control access. Four very important pieces of information for NERC entities are whether a user – one who has been granted electronic and/or unescorted physical access to BES Cyber Systems – has had a personnel risk assessment (PRA) and CIP training after being hired, and when each of those was last conducted. The PRA needs to be renewed every seven years and the training needs to be renewed at least every 15 months.

Specifically, there are three CIP requirement parts involved:

  • CIP-004-6 R2.2: If the user has not yet completed their CIP training, a new employee can be prevented from accessing High and Medium impact BCS, EACMS and PACS, or having unescorted physical access to assets like Medium impact substations or High impact Control Centers.
  • CIP-004-6 R2.3: If the employee has not renewed their training before the renewal date, they can be prevented from accessing High and Medium impact systems and facilities until they have renewed it. Access will automatically be blocked starting the day after their training expires.
  • CIP-004-6 R3.5: If a new employee has not completed their Personnel Risk Assessment, or if an existing employee has not renewed their PRA in the last seven years, they can be prevented from accessing High and Medium impact systems and facilities until they have had a new PRA.
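As an added example (not from the paper or from any vendor’s product), the following Go function shows the decision a card reader could make from training and PRA completion dates stored on the card, applying the 15-month and seven-year windows above and the rule that access is blocked starting the day after expiry, while also returning the reason to log. The record layout, its field names and the impact-level parameter are assumptions for illustration.

```go
package main

import "time"

// CardRecord holds the CIP attributes the paper proposes storing on the PIV card beside
// the certificate and fingerprint template. Field names are assumed; nil means never done.
type CardRecord struct {
	TrainingCompleted *time.Time
	PRACompleted      *time.Time
}

// Renewal windows from the page: training every 15 months, PRA every 7 years.
const (
	trainingMonths = 15
	praYears       = 7
)

// day drops the time of day so that "blocked starting the day after expiry"
// compares calendar dates rather than instants.
func day(t time.Time) time.Time {
	return time.Date(t.Year(), t.Month(), t.Day(), 0, 0, 0, 0, time.UTC)
}

// CheckCIPAccess is the reader-side decision for a High or Medium impact system or
// facility; the reason is what the reader logs on denial. Low impact is not checked.
func CheckCIPAccess(rec CardRecord, impact string, now time.Time) (bool, string) {
	if impact != "High" && impact != "Medium" {
		return true, ""
	}
	today := day(now)
	if rec.TrainingCompleted == nil {
		return false, "CIP training not completed (CIP-004-6 R2.2)"
	}
	if exp := day(rec.TrainingCompleted.AddDate(0, trainingMonths, 0)); today.After(exp) {
		return false, "CIP training expired " + exp.Format("2006-01-02") + " (CIP-004-6 R2.3)"
	}
	if rec.PRACompleted == nil {
		return false, "no personnel risk assessment on file (CIP-004-6 R3.5)"
	}
	if exp := day(rec.PRACompleted.AddDate(praYears, 0, 0)); today.After(exp) {
		return false, "PRA expired " + exp.Format("2006-01-02") + " (CIP-004-6 R3.5)"
	}
	return true, ""
}

func main() {
	done := time.Date(2020, time.January, 14, 0, 0, 0, 0, time.UTC)
	ok, why := CheckCIPAccess(CardRecord{TrainingCompleted: &done}, "High", time.Date(2021, time.April, 15, 0, 0, 0, 0, time.UTC))
	println(ok, why) // false CIP training expired 2021-04-14 (CIP-004-6 R2.3)
}
```

Note that time.Time.AddDate normalizes dates such as January 31 plus 15 months to the first of the following month, which is the conservative direction for an expiry check.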

Emergency response

When one electric utility has experienced a natural disaster, other utilities will often send skilled workers to help it recover. When this happens, it is usually quite hard for the impacted utility to follow all of the personnel security requirements in CIP-004-6 while it is authorizing and authenticating emergency workers.

While a declaration of CIP Exceptional Circumstances will normally protect the utility against any CIP violations being assessed as a result of not strictly following the CIP-004-6 requirements, the fact remains that emergency response situations open up a security hole that might be exploited by a resourceful adversary.

One PIV solutions vendor has worked with federal agencies, primarily FEMA, to develop PIV card-based capabilities that can mitigate much of the security risk associated with emergency response situations. These include:

  a) Mobile enrollment and authentication facilities;
  b) Capability to accept PIV cards issued by other organizations (government agencies, other utilities, and vendors);
  c) Capability to create a “derived credential” on a smartphone, laptop, tablet or other mobile device; and
  d) Capability to document exactly who had access to which facility at what time, even at the height of the crisis.

For more information on these topics, see these three white papers:

  1. Enhancing your organization’s security using PIV cards: http://www.xtec.com/media/Critical%20Infrastructure%20PIV.PDF
  2. 33 ways that PIV cards can help your organization save time and money in NERC CIP compliance: http://www.xtec.com/media/Critical%20Infrastructure%20NERC%20CIP.PDF
  3. Use of PIV cards when Mutual Aid is required during natural disasters: http://www.xtec.com/media/Mutual%20Aid.pdf

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
