FERC Proposes Changes To NERC CIP
UPDATE: I suggest you read Joe Weiss’s comment, especially the first paragraph. While Joe and I cordially disagree on the impact of the existing NERC CIP on an asset owner’s security posture, I would bow to his understanding of the FERC/NERC inner workings and politics. Is the fact that a NOPR was issued at all instructive? Joe says you bet it is.
—————————————-
To be accurate, FERC issued a Notice of Proposed Rulemaking (NOPR) on July 20th for the NERC/ERO Critical Infrastructure Protection (CIP) reliability standards. There is now a 60-day window to comment, and then FERC will issue the rules subject to any comment-induced modifications.
The NOPR is a 197-page document, although the 197 pages have a lot of white space, like a high school term paper, so it is not too daunting. Here are the highlights I have gleaned from the document.
1) FERC proposes to approve NERC CIP-002 through CIP-009. There probably wasn’t any choice that would not introduce significant, multi-year delays. Still, this is a big deal even if you choose to read no further.
2) Paragraph 33, quoted below, shows that FERC wants more specific statements on how to implement and measure the security principles in the existing CIPs. My sense is this was not in the existing NERC CIPs because it would have been difficult to reach agreement on specific, mandatory controls. Look how long it took to reach agreement on the more general requirements. Adding the “how”, the specificity, is a natural growth of the standards.
The Commission generally agrees that use of performance-based standards is a part of the design of cyber security safeguards for the Bulk-Power System’s critical assets. However . . . performance-based standards may not always be appropriate, for example, in situations where “the ‘how’ may be inextricably linked to the Reliability Standard and may need to be specified to ensure the enforceability of the standard.” Accordingly, where necessary, the Commission proposes to direct NERC to modify the CIP Reliability Standards to address the “how”. Moreover, the Commission is concerned that, while NERC explains that the CIP Reliability Standards are performance-based, the CIP Reliability Standards do not provide a mechanism to measure performance or otherwise determine whether a responsible entity has met the goals of a particular requirement set forth in the standards.
3) FERC proposes to accept NERC’s implementation plan, which concludes with auditable compliance in 2009/2010 depending on the entity and requirement. There are intermediate stages, such as substantially compliant and compliant, prior to the 2009/2010 deadline. I wrote back in Jan 2006 that this schedule was a bit lenient, but given the limited work over the past 18 months, many entities are going to need all the remaining time to meet the compliance schedule.
4) The flexibility provided by “Reasonable Business Judgment” will be removed in 2009, and using a lack of “Technical Feasibility” to skip a requirement will require additional documentation. This, along with point 2 in this blog entry, indicates that FERC is focused on allowing less discretion to the asset owners. I like the requirement to review the “Technical Feasibility” exceptions annually and to have a plan to remove them. This is very similar to the policy exception procedures we work into security documents.
5) FERC has proposed NERC make 59 modifications to the 8 CIP standards. Here are some of the more interesting modifications:
- Provide additional guidance on the risk based assessment methodology in CIP-002
- Asset owners will need to periodically report policy exceptions to a Regional Entity, which is also responsible for CIP audits. This is designed to prevent, or at least check, an asset owner from taking “too much latitude in excusing itself from compliance with its cyber security policy”. (CIP-003 R3)
- “require immediate revocation of access privileges when an employee, contractor, or vendor no longer performs a function that requires authorized physical or electronic access to a critical cyber asset for any reason (including disciplinary action, transfer, retirement or termination).” (CIP-004 R4) “Immediate” is not achievable and cannot be audited, so this will probably change. Also, there is typically a different time threshold for those terminated for cause than for other changes such as transfers. This is very typical of the policies we see, and have even written in the past. R4 needed more rigor, but this wording is likely unworkable and will either loosen or be regularly violated.
- FERC proposes that asset owners “must implement two or more distinct security measures when constructing an electronic security perimeter” (ESP). (CIP-005 R1) Any security professional will design an architecture with defense in depth, but not necessarily at the perimeter. The NERC ESP is one line of defense; then there are internal defenses, and finally system or application defenses: multiple different perimeters. Would you build two moats around a castle? Probably not an effective use of your security dollar.
- FERC proposes “strong” authentication should be defined and recommends digital certificates and two-factor authentication (CIP-005 R2.4).
- FERC proposes a weekly manual review of ESP access logs, rather than the proposed 90-day review (CIP-005 R3).
- Similar to the requirement for two security measures at the ESP, FERC proposes at least two security measures at the physical security perimeter (CIP-006).
- FERC proposes a requirement to collect forensic data in CIP-009 R1.
Again, the most important item is that FERC proposes to approve the 8 NERC CIP standards.
Author: Dale Peterson
Posted: August 9th, 2007 under NERC CIP.
Comments: 3
Comments
Comment from Joe Weiss
Time: August 8, 2007, 9:14 pm
The FERC NOPR should not come as a surprise. In December, the FERC Technical Staff issued their Technical Assessment of the NERC CIPs. The general utility industry response was to attack the administrative issues and generally ignore the technical issues. People should understand why FERC chose to issue a NOPR. FERC has not issued NOPRs on other NERC reliability standards. If the NERC CIPs were even close to being reasonable, there would have been no reason for a NOPR.
I believe an important issue is the NERC CIPs as written would not have prevented most, if not all, of the 90+ cyber events I have collected. If the CIPs can’t even prevent events that have occurred including those that NERC was aware of, what good are they? At the Knoxville Control System Cyber Security Workshop next week, we will be discussing a major control system cyber event that occurred before the CIPs were written that resulted in multiple deaths and significant damage. The NERC CIPs would not have prevented that event, although the ICS version of NIST SP800-53 could have.
One of the FERC NOPR’s big impacts will be on CIP-002. Today, many utilities have between zero and maybe 20-25 critical cyber assets. The real number of critical cyber assets for a mid-size utility should be on the order of many hundreds to thousands. That is, if the asset is connected, it is critical independent of size. Utilities that have performed NERC CIP compliance projects should reconsider the technical validity of their responses based on what will be demanded by the NOPR. The Final Report of the Northeast Blackout has many cyber recommendations, such as telecom, that were never implemented in the NERC CIPs. Those oversights are being corrected by the FERC NOPR.
Generally, regulation never accomplishes its true goal and only creates unnecessary confusion. In this specific case, the regulations being promulgated by the FERC NOPR are necessary, appropriate, and will make the utilities more secure. In fact, many of the presentations, discussions, and demonstrations at next week’s Control System Cyber Security Workshop in Knoxville will actually provide a technical basis for the recommendations in the FERC NOPR.
Comment from Erik Hjelmvik
Time: August 9, 2007, 3:51 am
One of the problems I see with NERC CIP is the definition of the Electronic Security Perimeter (ESP) and the fact that they only care about what’s inside the ESP.
NERC CIP defines the ESP as: “The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.”
So what happens if, for example, a VPN connection is established into the network inside the ESP? In my opinion, doing so would mean that the ESP is now extended so that it covers the far end of the VPN as well. This would imply that this far end of the VPN should also be audited using NERC CIP. However, my guess is that the normal interpretation of NERC CIP is that the audit should not include the protection of remote nodes that connect into the ESP.
In fact, I am surprised that NERC CIP doesn’t even say anything about there needing to be a list of which nodes are allowed to connect into the ESP.
You should also keep in mind that these remote nodes might even be outside the utility company, for example a vendor performing remote support.
I do realise that it would be totally impractical to include all remote locations, which are allowed to connect into an ESP, in the CIP audit. My point is, however, that this is an area where NERC CIP is really lacking and where more work is needed.
Comment from Darryl Dodson-Edgars, CISSP
Time: December 19, 2007, 4:22 pm
Auditing the effectiveness of information systems, regardless of industry, has been occurring for many years. The Information Systems Audit and Control Association (ISACA), for instance, represents individual information systems auditors from most, if not all, market sectors. ISACA endorses the Control Objectives for Information and related Technology (COBIT), as an example of a governance framework. Information security is a major section in this framework. One can obtain deep insight into the “HOW” from this framework.
There are other methodologies which address this subject, as mentioned above with the NIST publication.
The financial industry is also in the critical infrastructure category. Banks in the US, for instance, have adopted IT auditing methodologies that include all of the aspects of the CIP standards detailed by NERC.
The subject of information security is a moving target. I expect that changes will be an on-going element of any set of standards, as the black-hat community is not standing still.