Please note, this is Part 2 of 2 in the series dedicated to Top 12 NERC CIP Compliance Considerations.
In Part 1, we talked about the following NERC CIP compliance considerations for North American organizations that are doing business in the Energy sector:
- Have BES (Bulk Electric System) Cyber Assets/Systems been categorized in accordance with the impact-based approach (NERC CIP V5 concept)?
- Have Security Policies and Processes been put in place and regularly audited?
- Are employee/staff risk assessments, security awareness and training performed regularly?
- Have Electronic Security Perimeters between lower-level security networks and ICS networks been defined and protected?
- Has a Physical Security Plan of BES Cyber Assets/Systems been properly developed and maintained?
- Do BES Cyber Assets/Systems have proper technical controls for security? (logging, malicious code, access)
We also provided some recommendations for each of the above-listed items. This should give some clarity and guidance for organizations subject to NERC CIP compliance requirements.
Now, let’s talk about the remaining 6 of the top 12 NERC CIP compliance considerations. No surprise, these are just as important as the first six.
7. Have Incident Reporting and Response procedures been established and reviewed on a regular basis?
It is often difficult to follow a procedure to a “T” under significant pressure (e.g. a real or suspected cyber incident). And there is nothing wrong with this per se.
What really is important is to have a clear set of objectives and a list of activities for when an incident does occur.
There are a number of analogies by famous people about what happens to a plan when significant pressure is applied. Here’s one from Mike Tyson:
“Everyone has a plan until they get punched in the mouth”
For this reason, an incident reporting and response plan should be drafted, understood and practiced to help iron out any bugs (and there definitely will be some).
Having this procedure in place and taking time to run a few tabletop exercises are key to acting quickly and mitigating risks related to cyber events or incidents.
8. Does the organization have Recovery Plans for BES Cyber Assets/Systems?
Although simple in concept, this one requires (proactive) effort to implement and utilize technologies in combination with processes in order to ensure the ability to recover BES Cyber Systems.
Here’s what this entails:
- drafting a recovery plan,
- putting in place technologies to support this plan,
- testing the plan, and
- putting processes into place (along with an audit trail) to ensure backup activities take place.
Backups can often fall under the radar as they are a proactive activity which may only be used when there is a requirement to recover data or systems.
In other words, if they are not needed very often and no one is watching them, they can stop working.
For this reason, having a solid plan to ensure backups are happening and taking the time to test them are both part of what makes backups succeed.
The other side of this requirement includes the technology.
Selecting the technology which supports legacy systems, is easy to operate and provides flexibility to recover systems (at the image and file level) is important.
Believe it or not, there will be some systems that are not supported or simply cannot be backed up regularly based on their age, interface type etc. No need to panic! These systems will need to be handled through a manual set of steps or through the thorough documentation of their setup.
9. Has a software and configuration baseline been established and maintained for each of the BES Cyber Assets/Systems?
We won’t be wrong if we say that many interruptions to service are inadvertently caused by human error, lack of testing or misunderstanding of critical time frames within a facility.
Here’s the deal:
Solid change management is the glue which helps to minimize risks associated with changes both scheduled and unscheduled (or even malicious in nature).
Ensuring there is a baseline configuration which includes build documentation or, at the mature end of the spectrum, a full configuration management database (CMDB) is important.
At minimum, the facility should know when a change is happening and have the ability to review, approve and test upon completion. Once completed, baseline information should be updated to ensure it is up to date and accurate.
And here is why:
Without a baseline of the environment it is difficult to perform a rollback or account for changes to the operating environment where the source of the change is unknown. Simply put, if you don’t have a firm understanding of the environment, you can’t really tell what “good” looks like.
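The baseline comparison described above, as an added example that is not part of the original post: it diffs a current snapshot of one asset against its approved baseline and keeps only the deviations that have no approved change record. The asset data, categories and ticket ids are constructed for illustration.

```python
# Approved baseline for one asset (constructed sample data).
BASELINE = {
    "software": {"hmi-runtime": "7.2.1", "openssh": "8.4", "historian-agent": "3.0"},
    "ports": {22, 443, 502},
    "accounts": {"operator", "svc-historian"},
}
# Current snapshot collected from the same asset (constructed).
SNAPSHOT = {
    "software": {"hmi-runtime": "7.3.0", "openssh": "8.4", "remote-tool": "1.1"},
    "ports": {22, 443, 502, 3389},
    "accounts": {"operator", "svc-historian"},
}
# Deviations covered by an approved change record (hypothetical ticket ids).
APPROVED = {("software", "hmi-runtime", "changed"): "CHG-0001"}

def diff_baseline(baseline, snapshot):
    """Return a sorted list of (category, item, kind, detail) deviations."""
    out = []
    b_sw, s_sw = baseline["software"], snapshot["software"]
    for name in b_sw.keys() | s_sw.keys():
        if name not in s_sw:
            out.append(("software", name, "removed", b_sw[name]))
        elif name not in b_sw:
            out.append(("software", name, "added", s_sw[name]))
        elif b_sw[name] != s_sw[name]:
            out.append(("software", name, "changed", f"{b_sw[name]} -> {s_sw[name]}"))
    for cat in ("ports", "accounts"):
        for item in snapshot[cat] - baseline[cat]:
            out.append((cat, str(item), "added", ""))
        for item in baseline[cat] - snapshot[cat]:
            out.append((cat, str(item), "removed", ""))
    return sorted(out)

def unapproved(deviations, approved):
    """Keep only deviations with no matching approved change record."""
    return [d for d in deviations if d[:3] not in approved]

if __name__ == "__main__":
    for cat, item, kind, detail in unapproved(diff_baseline(BASELINE, SNAPSHOT), APPROVED):
        print(f"UNAPPROVED {cat}: {item} {kind} {detail}".rstrip())
```

Once a deviation has been reviewed and approved, the baseline itself is updated so the next comparison starts from the new known-good state.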
10. Are Vulnerability Assessments for BES Cyber Assets/Systems conducted regularly?
In most industrial environments, it is common knowledge that systems are difficult to patch, highly customized and often have many vulnerabilities. This holds true across pretty well all sites.
That said, it is important to identify vulnerabilities and at minimum have compensating controls in place.
Here is an example:
If you cannot patch a programmable logic controller (PLC), you should be able to mitigate the risk through network isolation, firewall controls or another method.
Since the IT environment within a facility can change over time (sometimes pretty rapidly during upgrades and other projects), it is important to conduct vulnerability scanning regularly on computers, servers and network equipment to identify and flag vulnerabilities.
Believe it or not, it is common for us to see technical controls bypassed through dual-homed NICs (plugging 2 network cables into a device, each on a different network, in order to make it easy to access). These types of changes can introduce new risks in a facility.
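One way to flag the dual-homed devices described above from an interface inventory, as an added example that is not part of the original post. The zone names, subnets and host records are constructed for illustration and would be replaced with the site's documented network segments.

```python
import ipaddress
from collections import defaultdict

# Hypothetical security zones; replace with the site's documented subnets.
ZONES = {
    "corporate": [ipaddress.ip_network("10.10.0.0/16")],
    "dmz": [ipaddress.ip_network("172.16.5.0/24")],
    "ics": [ipaddress.ip_network("192.168.100.0/24"),
            ipaddress.ip_network("192.168.101.0/24")],
}

# Constructed inventory rows: (hostname, interface, IP address).
INVENTORY = [
    ("hmi-01", "eth0", "192.168.100.21"),
    ("hmi-01", "eth1", "192.168.101.21"),        # two ICS subnets, same zone
    ("eng-ws-03", "eth0", "192.168.100.40"),
    ("eng-ws-03", "eth1", "10.10.4.77"),         # bridges ICS and corporate
    ("historian", "eth0", "172.16.5.10"),
    ("vendor-laptop", "wlan0", "203.0.113.9"),   # address outside every zone
    ("vendor-laptop", "eth0", "192.168.100.99"),
]

def zone_of(address):
    """Return the zone name containing the address, or 'unknown'."""
    ip = ipaddress.ip_address(address)
    for zone, networks in ZONES.items():
        if any(ip in net for net in networks):
            return zone
    return "unknown"

def find_dual_homed(inventory):
    """Map each host with interfaces in more than one zone to those zones."""
    zones_by_host = defaultdict(dict)
    for host, iface, address in inventory:
        zones_by_host[host][iface] = zone_of(address)
    findings = {}
    for host, ifaces in zones_by_host.items():
        # A host is flagged only when its interfaces land in different zones.
        if len(set(ifaces.values())) > 1:
            findings[host] = dict(sorted(ifaces.items()))
    return findings

if __name__ == "__main__":
    for host, ifaces in find_dual_homed(INVENTORY).items():
        detail = ", ".join(f"{i}={z}" for i, z in ifaces.items())
        print(f"REVIEW {host}: interfaces span zones ({detail})")
```

An interface whose address falls outside every documented zone is reported as `unknown`, so an undocumented second connection is flagged instead of silently ignored.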
11. Have the Information Classification Policy and the handling and protection procedures with regard to BES Cyber Assets/Systems been developed and implemented?
Most industrial control systems (ICS) environments store information which needs to be protected based on the fact that it can be used to study, understand the plant and potentially to compromise the environment.
This can be different from corporate environments which typically have a larger amount of private and internal information supporting the business and its processes.
Simply stated, information classification and handling procedures need to take into account the type of data being protected, the risk to the organization and address how the information should be handled.
Here are some examples:
- Should network diagrams be sent out unencrypted via email?
- Can block diagrams or single line diagrams be stored on personal computers?
- Should passwords for remote access be emailed along with usernames and access information to consultants?
These and many more questions should be addressed as part of the information classification and handling process. When working through to answer these questions, many interesting situations tend to come up.
It is a thought-provoking process which is a necessity in all organizations.
12. Does the NERC CIP compliance initiative have sponsorship throughout the organization?
As with any security framework regarding compliance requirements, NERC CIP should have sponsorship throughout the organization in order to dedicate the appropriate time and resources to compliance-related criteria.
NERC CIP Standards detail the role of the NERC CIP Senior Manager, who should be a “single senior manager with overall responsibility and authority for leading and managing the entity’s implementation of and adherence to…” CIP standards. This implies a level of accountability held by a senior leader within the organization to ensure the NERC CIP initiatives hold weight.
Whether it be ISO or other standards, given the organizational shift required, it is next to impossible to ensure compliance where there is a small isolated initiative rather than a cultural shift.
BONUS: Have the communication channels between Control Centers been appropriately secured to ensure the integrity and confidentiality of the data transmitted?
CIP-012 is an interesting standard subject to enforcement. And here’s why: it is derived from CIP-006 and addresses security vulnerabilities related to monitoring a plant remotely from a control center.
As this standard will typically affect sites with medium and high impact BES Cyber Assets/Systems, it may not be on the radar of the ones with low impact BES Cyber Assets/Systems. This standard is important to watch as it evolves, since it is common for power companies to monitor environments remotely in a real-time fashion regardless of size and impact level.
What does this mean for you?
NERC CIP-012 is likely to be expanded to inter-site communications which are common to plants with a distributed power generation model (such as renewables). This by nature requires short- and medium-range communication and includes traditional media such as fibre, line of sight, and other wireless communication methods. Such technology will increase the level of security required for Layer 2 network connections and Layer 3 WAN services that have traditionally been assumed to be secure.
It is also important to note that CIP-012 can be applicable to select low impact assets that meet the criteria outlined in the standard. In other words, keep an eye out for CIP-012 as it starts to become enforced in your reliability coordinator’s jurisdiction.
Thank you for reading Part 2 of 2 in the series dedicated to Top 12 NERC CIP Compliance Considerations.
Stay tuned for more posts on the NERC CIP compliance topic.