Revised Critical Infrastructure Protection Reliability Standard CIP–003–7: What Are the Changes?

Image

The U.S. Government is constantly working to improve its ability to respond to the growing threat of cyber-attacks facing the national power grid. Towards that end, the Federal Energy Regulatory Commission (FERC) approved the revised critical infrastructure protection reliability standards for cybersecurity management controls on April 19, 2018. The new standards took effect on June 25, 2018. The purpose of the new, revised standard is to improve electronic access controls to low-impact Bulk Electronic Systems (BES), to mandate security controls for mobile devices and to develop modifications to critical infrastructure protection (CIP) reliability standards. Work on the new standard began in October 2017 when FERC asked the North American Electric Reliability Corporation (NERC) to clarify electronic access controls, to adopt mandatory requirements for transient electronic devices and to require the creation of a response policy in case of a system threat. According to Daniel Skees from Morgan Lewis, a law firm which represented NERC, CIP-003-7 pushes forward on FERC's concern that even the less critical assets covered by these standards (referred to as low-impact facilities) present risks to the bulk electric system that need to be addressed. The fact that these changes are designed to boost security at low-impact BES is important since most energy facilities are networked together, creating a huge attack surface. "Hackers can target smaller, less critical facilities, and when those attacks are successful, use them as the foundation of an attack into a more critical facility. CIP-003-7 reinforces FERC's policy of minimizing the bulk electric system attack surface by ensuring every FERC-jurisdictional bulk electric system asset receives some minimal level of cybersecurity,” said Skees.

Criteria for Electronic Access Controls

The new standard requires utilities to implement electronic access controls to permit only necessary inbound and outbound access to low-impact BES Cyber Systems for certain communications using routable protocols. During the approval process, there were concerns that “CIP–003–7 does not provide clear, objective criteria or measures to assess compliance by independently confirming that the access control strategy adopted by a responsible entity would reasonably meet the security objective of permitting only ‘necessary inbound and outbound electronic access’ to its low impact BES Cyber Systems.” In response to these concerns, NERC stressed that the new standard “is not prescriptive due to the wide array of low impact BES Cyber Systems and their lower risk to bulk electric system reliability.” It also emphasized how “a responsible entity must demonstrate that its electronic access permissions and controls are consistent with the security objective” and that the entities “must document the necessity of its inbound and outbound electronic access permissions and provide justification of the need for such access.” In view of these comments, FERC directed “NERC to conduct a study to assess the implementation of Reliability Standard CIP–003–7.40 The study should address what electronic access controls entities choose to implement and under what circumstances, and whether the electronic access controls adopted by responsible entities provide adequate security. NERC must file the study within eighteen months of the effective date of Reliability Standard CIP–003–7.”

Security Controls for Transient Electronic Devices

The new standard also requires utilities to implement plans to protect transient electronic devices such as thumb drives, laptop computers, and other portable devices used frequently with low-impact BES Cyber Systems. This change is intended to mitigate the risk of malicious code being introduced to low-impact BES Cyber Systems by certain portable devices, such as laptops used to perform maintenance activities. Although the transient electronic device plans implemented by utilities must differentiate between assets managed by the utility and those managed by third parties, such as vendors and contractors, FERC expressed concern that the new standard does not explicitly require mitigation of the risks posed by third-party devices “even if the responsible entity determines that the third-party’s policies and procedures are inadequate.” FERC’s main concern is over the lack of an explicit obligation for a utility to correct any deficiencies that are discovered during a review of third-party transient electronic device management practices. To address this issue, the final rule directs NERC to modify the standard to ensure that responsible entities implement controls to mitigate the risk of malicious code that could result from third-party transient electronic devices.

CIP Exceptional Circumstances Related to Low-Impact BES Cyber Systems

The final rule also approved NERC’s proposal to require utilities to implement policies for declaring and responding to CIP Exceptional Circumstances related to low-impact BES Cyber Systems. In accordance with NERC glossary, CIP Exceptional Circumstances are a category of emergency situations that involve, for example, a risk of injury or death; a natural disaster; civil unrest; imminent or existing hardware, software, or equipment failures; and cybersecurity incidents requiring emergency assistance. By properly declaring a CIP Exceptional Circumstance in response to such an emergency, utilities are allowed to temporarily waive certain but not all CIP reliability standard obligations.

Concerns

FERC’s recent rule aims to provide utilities with more clarity about exactly what sort of electronic access needs to be protected. “Low-impact” facilities are far more numerous than high- and medium-impact facilities and include the oldest technology in a utility’s infrastructure. According to Skees, "the biggest challenge will be in identifying which facilities need to be compliant and mapping all of the electronic access into and out of those facilities so that appropriate electronic access controls can be applied." Only after that analysis and cataloging process is complete can utilities implement the new controls. In practice, the revised standards will present some challenges. Employees operating largely independently will be required to follow these processes correctly, often without supervision. "Failures can be subject to significant fines, but any process requiring human controls is almost inherently going to have occasional failures," Skees said. For information on how Tripwire’s solutions use these methods and other techniques to defend organizations’ ICS systems, click here.   Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.