Finally Some Good News: NERC Proposes Deferment of 3 CIP standards

Amidst all the pandemic doom and gloom, we finally have something positive come from the chaos: NERC filed a motion recently (April 6, 2020) to defer three Critical Infrastructure Protection (CIP) Reliability Standards (as well as 1 PER, and 3 PRC standards) for three months due to the national emergency declared on March 13^th by President Trump. As the original implementation date was July 1, 2020, this means that should FERC approve the motion, the new implementation date would be October 1, 2020.  You can find the announcement here and the filing here, but rather than read through that material, I have some proposals on how to better spend your time! "So, what should I be working on now," you ask? Well, if your implementation of any of the deferred requirements has been lagging, this is a great opportunity to spruce them up in-between other spring cleaning tasks. The three CIP requirements included in the deferral include the following (the text in italics is my summarization and key takeaways of the new components within this revision of the requirements): CIP-005-5 and CIP-010-2 were modified as part of an initiative called “Project 2016-03 Cyber Security Supply Chain Risk Management” – Think of them as the technical components that were added to supplement CIP-013-1 for supply chain risk management.

• CIP-005-6 – Cyber Security – Electronic Security Perimeter(s)
  • R2 Part 2.4 – This new requirement part introduces the need to have at least one method for determining active vendor remote access sessions. Tripwire solutions that help satisfy this requirement include Tripwire Log Center to log access and alerts on vendor remote sessions as well as monitor activity, Tripwire Enterprise to track all change performed by vendor accounts during their remote access sessions, and Tripwire Industrial Visibility to alert on configuration change to control network assets, remote access, and RDP sessions. Lastly, we have a remote access solution called ProSoft Connect from our sister company ProSoft Technology.
  • R2 Part 2.5 – This new requirement part includes an ability to disable active vendor remote access. I think a great feature of Prosoft Connect is the new patent-pending Virtual Lockout-Tagout capability.
  • Key Takeaways – The scope of this remote access is not just applicable to interactive remote access but also to system-to-system remote access. If you’ve studied CIP-005-5 R2, you know that system-to-system remote communication is, of course, exempt to the multi-factor authentication requirement. Therefore, this component could be easy to overlook, but it is an essential capability in case of a system breach.
• CIP-010-3 – Cyber Security – Configuration Change Management and Vulnerability Assessments
  • R1 Part 1.6 – This new section requires that the Responsible Entity verify the identity of the software source as well as verify the integrity of the software obtained from the source prior to a change that can cause a baseline modification of certain components (CIP-010 R1.1.1 Operating System or Firmware, R1.1.2 intentionally installed software, and R1.1.5 security patch installation). Tripwire Enterprise can be used to verify the integrity of the software obtained via several methods, such as by verifying the hash of downloaded software and validating the files that are modified as part of the software or patch deployment. An extension to Tripwire Enterprise called Dynamic Software Reconciliation can help facilitate the automation of validating deployed software components.
  • Key Takeaways – The requirement leaves out the trigger for baseline change of custom software and logical network accessible ports, so there's no need to perform this requirement for changes that fit that criteria. Verification of the identity of the software source can be tricky, as there is a lot that is out of your control on the internet. (I’m thinking of domain hijacking, fake websites, and phishing email campaigns.) Verification of the integrity of the software obtained from the source is a much simpler task (through the use of hash verification), but it relies heavily on the due diligence performed on the verification of the software source.
• CIP-013-1 – Cyber Security – Supply Chain Risk Management
  • Rather than rehash the details on this requirement here, I thought I’d just link to another blog post on the topic here, called “So You Want to Achieve NERC CIP-013-1 Compliance…”

So now that you have all of the modifications shored up in your internal compliance program, what can we work on next? Here are a few ideas!

1. Implement the new Tripwire Enterprise Ransomware Protection Rules. Details can be found here.
2. Brush up on your policies and procedures that cover the CIP Exceptional Circumstances. You know, just in case. Here’s a quick refresher on the subject from the NERC Glossary of terms:

A situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or BES reliability: risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability.

3. Check out the Tripwire Private Energy Group on the Tripwire Forums. Email us here if you’d like to request access (must be a Tripwire electric utility customer).
4. Check out Travis Smith’s series on the MITRE ATT&CK Framework and follow that up with a short read on the new Industrial Control Systems MITRE ATT&CK Framework.
5. Exercise your CIP-008 Incident Response Plan. What better time is there to do so than when there’s not an actual incident? Don’t forget to take credit for your exercise by documenting the 15 month test requirement identified in CIP-008- R2.1.
6. Lastly, make sure your backups are working, and test a restore. Also, like the item above, don’t forget to take credit for CIP-009-5 requirement 2.1 to test recovery plans at least once every 15 calendar months.

I suspect FERC will grant the extension, but be sure to follow the news to make sure it happens. Don’t count your chickens before they hatch!