Thanks to FERC’s Order 822, NERC CIPv6 has been approved. That means that the seven updated standards proposed by NERC for inclusion have been accepted.
First, there seems to be a lot of confusion (or perhaps disbelief) about effective compliance dates for these newly approved standards. If you want to understand why, go read Tom Alrich’s post on the topic. At this point, Order 822 has been published in the Federal Register, which means that we can actually talk with reasonable certainty about compliance dates.
That’s not what this post is about but it’s worth a brief summary. April 1st, 2016, remains the compliance deadline for the CIPv5 requirements; that hasn’t changed. Most of the newly approved standards have a compliance date of July 1st, 2016, (“the first day of the first calendar quarter that is three calendar months after the date that the standard is approved by an applicable governmental authority”), with notable exceptions called out in Order 822 itself.
My objective here, however, is to talk meaningfully about the changes in the CIPv6 standards themselves. There are seven newly approved standards to consider.
A Little Language Change
The changes for CIP-004-6, CIP-007-6, CIP-009-6 and CIP-011-2 primarily revolve around two consistent items. First, NERC is eliminating a specific bit of language: “in a manner that identifies, assesses, and corrects deficiencies.”
This language appears in a number of the CIP requirements, but FERC determined in Order 791 that the language “is too vague to be audited.” While this change was made across multiple standards, I’m not going to discuss it further.
The second change is updating guidance to specifically include Transient Cyber Assets and Removable Media. CIP-004-6 and CIP-011-2 include specific additions to add these devices to the existing requirements. The actual requirements for managing and securing transient assets and removable media are addressed in CIP-010-2, but we’ll get to that.
I asked one of our NERC Alliance Network partners specializing in CIP training about how the changes in CIP-004 will affect registered entities. Nick Santora, from Curricula, recommended that organizations get their training in place before April 1st, 2016, “otherwise, you will need to perform and demonstrate training for your entire staff, contractors, vendors, etc. on these new additions by July 1st, 2016. That could wind up becoming very messy to manage.”
Outside of that larger issue, the primary benefit in these changes is greater clarity in the requirements and hopefully, a cleaner, more consistent audit process. If, however, you were well on your way to compliance with the corresponding v5 standards, there’s probably minimal impact.
CIP-003-6 (Security Management Controls)
The key change from v5 to v6 here is the treatment of Low Impact BES Cyber Assets. For CIP-003-6 R1, the requirement removes the qualification of ‘high and medium’ from the top level and splits the underlying requirements into a section for high and medium and a separate section for low impact assets.
Specifically, the requirement R1.2 now specifies that registered entities must have a policy (and, therefore, corresponding controls) for low impact BES cyber assets that addresses cyber security awareness, physical security controls, electronic access controls for Low Impact External Routable Connectivity (LERC) and Dial-up Connectivity and cyber security incident response.
This isn’t new, really. It’s effectively a collapse of CIP-003-5 R1 and R2 into a single R1 requirement.
The new CIP-003-6 R2 now lays out extended details for the requirements for low impact assets. The sections required in the policy are now called out more specifically, along with various cycle durations (e.g. training every 15 months). These details should help both entities and vendors achieve and maintain compliance, but it’s unlikely that they materially impact organizations that were already well situated with regard to CIP-003-5.
CIP-006-6 (Physical Security of BES Cyber Systems)
The new revision of CIP-006 adds a requirement R1.10 to address physical security of “cabling and other nonprogrammable communication components” located outside a physical security perimeter. A key component of this new requirement is what it demands where physical security of these components is not in place.
Essentially, if you can’t adequately protect such components physically, you must implement a set of logical controls: encryption of data that transits those components, monitoring and alarming on networks that traverse those components, or “an equally effective logical control.”
Practically, the objective here is to prevent physical tampering that results in logical access. Registered entities either have to put in place the physical controls or demonstrate that they can prevent or detect such tampering effectively.
CIP-010-2 (Configuration Change Management and Vulnerability Assessments)
Can you contain your excitement? We’re finally at the shiny, new requirement for Transient Cyber Assets and Removable Media! Consensus. The juicy details are in Attachment 1 specified by R4!
The controls themselves are not overly onerous and include what many would consider best practices. For transient assets, you must have processes for authorization and for mitigation of vulnerabilities, malicious code and unauthorized use. These apply, with some exceptions, whether the assets are owned by the entity itself or by a third-party provider.
For removable media, two controls are specified: authorization and malicious code mitigation.
There’s no doubt that this requirement effectively expands the scope of NERC CIP, both in application and audit. Entities will need to spend time defining and documenting processes that are compliant. They may have to actually implement these processes, as well.
While the true impact will become clear over time, it’s safe to say that the requirements to securely manage transient assets and removable media are valuable and will ultimately improve the overall security and reliability of the electric supply.
CIPv6 is largely about scope, and so its impact will be dependent on how the scope expansion affects your organization. The expansion of requirements to low impact assets has zero impact if you don’t have any.
The same goes for the transient assets and removable media. While there aren’t many organizations in that situation, scope reduction is absolutely a valid strategy for any compliance program, NERC CIP included.
While it may seem obvious to state, don’t wait to determine how you’re going to address the CIPv6 requirements. If there’s the potential for budgetary impact (and there is), the sooner you start planning, the better.
At Tripwire, we’ll be producing more information that directly addresses CIPv6 in the coming weeks and working with our partners and customers to continue addressing NERC CIP compliance.
If you are interested in learning more about Industrial Cyber Security you can download our new e-book, “Industrial Cyber Security For Dummies” here.