NERC / CIP Cyber Security: Leveraging Existing Controls to Secure the Enterprise
2.28.08   Kevin McDonald, Senior Cyber Security Analyst, ICF Cybersecurity Solutions

On January 17, 2008, FERC approved the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Cyber Security Standards. In a 200+ page ruling, FERC outlined its comments and responses on several key areas of the CIP standards. FERC’s primary point was that the standards are a good start, but they will need to evolve toward more prescriptive controls.

FERC issued specific guidance to NERC to remove language that would allow operators to opt out for business reasons. It also rejected the argument that an operator might not be critical to the bulk power supply because other operators producing in the same area could respond to a contingency. FERC pointed out that a coordinated attack or a regional event could affect numerous operators at once. This is a real and likely scenario if cyber defenses are sufficiently compromised.

A Broad Security Framework

The current standards are designed to serve entities from the smallest operators all the way up to multinational conglomerates. In other industries, the threshold for participating in standards such as Sarbanes-Oxley was determined by the size of the organization. In the newly approved CIP standards, the threshold is whether your assets, if compromised, could affect the reliability of the bulk power supply. Because that single criterion is the bridge into the standards, they had to apply to a much broader range of operations. As a result, the standards may be too general for complex operators and too specific for simpler operations.

Energy companies are scrambling to implement the mandates and start satisfying the requirements. In some organizations, the CIP standards have taken on a life of their own, with references to specific standards intertwined with security policy and human resources procedure manuals. In others, the impression is that because Sarbanes-Oxley controls have been implemented, no further action is necessary.

Although SOX controls may in fact map to several of the CIP standards, special consideration must be given in order to satisfy and comply with CIP. CIP standards also apply to production environments, which are frequently more challenging to secure than a traditional IT environment. SOX implementation is normally a collaboration between accounting and IT, since it covers financial controls. CIP governs process control systems, which do not share the security DNA of IT systems. As a result, an uneducated approach by IT can actually cause outages instead of preventing them.

In some cases, traditional IT techniques such as vulnerability scanning and network mapping tools can generate enough traffic to adversely affect the entire system, resulting in dropped service, power generation shutdown, and permanent damage to equipment. Loss of visibility or control of the process control network is a serious risk. Cyber visibility and control issues probably contributed to the 2003 Blackout, when certain power models did not reflect the correct state [1]. More recently, an outage in Tempe, Arizona was linked to an Energy Management System (EMS) malfunction.

To prevent issues like this, several parties need to be involved beyond the usual finance team players. The traditional internal controls staff should still be involved. They will need to ensure that the framework they use addresses both concerns that CIP compliance represents for the organization: avoiding fines and sanctions and, at the same time, securing the enterprise.

Mapping and Gap Analysis

To implement any standard, a basic approach is first to establish what controls the standard calls for, then to look for existing controls that may satisfy them. One method is to list all of the controls from the standard in one column and the existing controls applicable to meeting each of them in another. Any blanks in the existing controls column are gaps that have to be filled in order to achieve compliance.

In a post-Sarbanes-Oxley world, most publicly traded companies have many documented controls in place. A kickoff point for many corporate protection plans is the security policy. A well-written policy calls out protection and non-disclosure of user identification and passwords, care of access cards and security tokens, and some terms of use for company computers and email systems.

If the company covers these policies during employee orientation and retrains via email alerts and sign-on bulletins, it could well meet the basic requirements of CIP-003 and CIP-004 for security policies and security awareness training. A key component that must be present for compliance is evidence of the control. One example might be documenting security training by having each employee sign and date a form upon completion of orientation.

Mitigation

This could be the hard part. In most cases, mitigation may only require more documentation and changes to retention procedures, e.g., 30 days of system log retention is now required to be 90 days. Procedural language can be very prescriptive: “The guestbook will be signed by all visitors. While guests are on the premises, their host will escort them at all times. Once the guestbook is full, or if ninety days have elapsed since the last entry, you may dispose of the guestbook. In the event of a security breach, the guestbook will be immediately retired and replaced with a new one. The old guestbook will be given to the security office as evidence and retained for up to 3 years.”

This demonstrates a physical access control and retention procedure using nothing more sophisticated than a guestbook, available at any stationery store. Yet this simple control would comply with the standards. From this it is important to understand that compliance is measured by evidence of controls. It may not venture into the adequacy of controls except to note the presence or absence of a control.

Simply put, mitigation is reducing the risk or impact of an event or condition. In the case of critical infrastructure protection, there are numerous ways to reach the same conclusion. A door may be secured with a lock, an alarm and a video camera; all of these are physical security controls. In the case of a physical security perimeter, NERC CIP calls for access logs and retention. What happens if the organization will not or cannot deploy such a system?

Handling Exceptions

This is the area of compliance auditing normally referred to as compensating controls. A compensating control provides the same or nearly the same level of assurance that something is being accomplished, by a substitute method. For example, if there is only one operator on duty at a time in a power plant control center and the plant control system does not support user IDs, the compensating control for maintaining system logs by user ID is to store the system log together with a copy of the operator sign-in/sign-out sheet. If there is a questionable event in the log, the auditor will be able to tell which operator was on duty by referring to the sign-in sheet.
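A worked version of that compensating control, as an added example that is not part of the original article: the script joins a control system log that carries no user ID to the operator sign-in/sign-out sheet and reports who was on duty for each event, flagging both handover overlaps (two signatures cover the event) and uncovered events (nobody signed in). Names, times and log lines are constructed sample data.

```python
from datetime import datetime

# Constructed sample data (hypothetical names and times, not from the article).
# Operator sign-in/sign-out sheet for a one-operator control center:
# sign-in, sign-out, operator name
SIGN_IN_SHEET = """\
2008-02-27 06:55,2008-02-27 15:05,R. Alvarez
2008-02-27 14:55,2008-02-27 23:10,J. Chen
2008-02-27 23:00,2008-02-28 07:02,M. Okafor
"""

# Constructed control system log: timestamps and messages but no user ID field
SYSTEM_LOG = """\
2008-02-27 09:12:40 BREAKER 104 OPEN (manual command)
2008-02-27 14:58:03 SETPOINT CHANGE GEN-2 120MW -> 95MW
2008-02-28 07:30:15 ALARM ACK substation 7
"""


def parse_sheet(text):
    """Parse the sheet into (sign_in, sign_out, name) tuples."""
    shifts = []
    for line in text.strip().splitlines():
        start, end, name = line.split(",")
        shifts.append((datetime.strptime(start, "%Y-%m-%d %H:%M"),
                       datetime.strptime(end, "%Y-%m-%d %H:%M"), name))
    return shifts


def operators_on_duty(shifts, when):
    """Every operator whose signed period covers `when`; shift handovers
    legitimately overlap, so more than one name is possible."""
    return [name for start, end, name in shifts if start <= when <= end]


def attribute_log(sheet_text, log_text):
    """Return (timestamp, message, operators) for each log line. An empty
    operator list is itself a finding: the sheet does not cover that event."""
    shifts = parse_sheet(sheet_text)
    results = []
    for line in log_text.strip().splitlines():
        stamp = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        results.append((stamp, line[20:], operators_on_duty(shifts, stamp)))
    return results


if __name__ == "__main__":
    for stamp, msg, ops in attribute_log(SIGN_IN_SHEET, SYSTEM_LOG):
        who = ", ".join(ops) if ops else "NO OPERATOR SIGNED IN (finding)"
        if len(ops) > 1:
            who += " (handover overlap, ambiguous)"
        print(f"{stamp}  {msg}\n    on duty: {who}")
```

The third sample event lands after the last sign-out, which is exactly the case an auditor needs the procedure to surface rather than silently attribute.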

These types of controls may be stronger than the control they replace, or they may only weakly approximate the level of control required. If the control is substantially weaker, the organization may be able to claim that the weaker control was necessary because the original control did not exist and it was not technically feasible to replace it in the short term.

This may be the case when replacing a legacy Balancing Authority EMS and its associated equipment. Upgrading these systems is costly and carries a high degree of risk during the shutdown and conversion to the new system. It could take a year or more just to put together the plan for replacement. This cannot be used as a permanent excuse, however. FERC has called for clearer guidelines on the technical feasibility exemption. Organizations considering this exemption should thoroughly document the reasoning and the technical hurdles barring correction of the deficiency. Expect future iterations to ask for a clear timetable for correcting the underlying cause of the exemption.

Compliance Testing

Once you have implemented CIP controls and closed any known gaps, testing begins. Testing falls into three general categories: sampling, surveys and interviews. Sampling involves checking a number of items from a given set to make sure they were done according to procedure. Surveys are self-assessment questionnaires filled out by workers about processes in their area. Interviews are conducted by the auditor to test workers’ knowledge of procedures and controls.

Testing requires looking at the documented control, then verifying that it works as advertised. In terms of compliance with security standards, one area that is frequently neglected is the source and execution of security authorizations and revocations.

There may be a form signed by the hiring manager to set up a new user. When the employee or contractor leaves or is terminated, a separate form alerts IT to terminate or suspend the account. A common test for this control is to pull a list of new hires and then try to track down the paperwork authorizing their access. If it is missing, that could be taken as evidence of a weak control.

The converse is true as well. Pull a list of recent terminations and then check all of the systems to make sure their access has been revoked. Especially critical are physical access control databases such as card-swipe authorization systems. FERC commented on the termination and separation of employees and contractors in FERC Rule 706, which approved the CIP standards. The expectation that an organization will move quickly to revoke access when it is no longer needed will be closely examined in any external audit. It is better for your organization to address this before it becomes mandatory.
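The two tests just described, as an added example that is not from the article: one check lists new hires with no signed authorization form on file, the other lists terminated workers still active in any system (domain logon, EMS, card-swipe database) and how many days past termination the access survived. All names, dates, system names and the audit date are constructed sample data.

```python
from datetime import date

# Constructed sample data (hypothetical people and systems, not from the article).
# HR feed: (employee id, name, hire date, termination date or None)
HR = [
    ("e1001", "R. Alvarez", date(2008, 1, 7), None),
    ("e1002", "J. Chen", date(2008, 1, 14), date(2008, 2, 15)),
    ("e1003", "M. Okafor", date(2008, 2, 4), None),
    ("e1004", "S. Patel", date(2007, 11, 5), date(2008, 2, 1)),
]
# Employee ids for which a manager-signed access authorization form is on file
AUTH_FORMS = {"e1001", "e1002", "e1004"}
# Currently enabled accounts per system, including the card-swipe database
ACTIVE = {
    "domain": {"e1001", "e1002", "e1003"},
    "ems": {"e1001", "e1003", "e1004"},
    "card_swipe": {"e1001", "e1002", "e1003", "e1004"},
}
AS_OF = date(2008, 2, 28)  # constructed audit date


def missing_authorizations(hr, forms):
    """Workers with no signed authorization form on file (weak-control evidence)."""
    return sorted(eid for eid, _, _, _ in hr if eid not in forms)


def unrevoked_access(hr, active, as_of, grace_days=0):
    """Terminated workers whose access outlived termination by more than the
    allowed grace period. Returns {(employee id, system): days past termination}."""
    findings = {}
    for eid, _, _, terminated in hr:
        if terminated is None:
            continue
        lag = (as_of - terminated).days
        if lag <= grace_days:
            continue
        for system, members in active.items():
            if eid in members:
                findings[(eid, system)] = lag
    return findings


if __name__ == "__main__":
    print("users with no authorization form:", missing_authorizations(HR, AUTH_FORMS))
    for (eid, system), lag in sorted(unrevoked_access(HR, ACTIVE, AS_OF).items()):
        print(f"{eid} still active in {system}, {lag} days after termination")
```

The grace period models whatever revocation window the organization's procedure commits to; anything past it is a finding regardless of which system still lists the account.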

Automation can sidestep some of these concerns and reduce the risk of missing paperwork. When testing automated functions, if the auditor finds that the function works as advertised, the auditor will normally not look for additional controls. For example, some HR systems feed information into training systems. This ensures that all workers receive the required training based on their job title. Computerized logs maintain the training records, and the administrative burden is reduced.

The basic techniques of mapping, gap analysis, mitigation and testing will go a long way toward bringing your organization into compliance with the NERC CIP standards. Moreover, by focusing on leveraging existing controls, your enterprise will be able to move rapidly toward truly securing itself.

References:
[1] Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations, Chapter 9: Physical and Cyber Security Aspects of the Blackout. http://www.nrcan.gc.ca/media/docs/final/finalrep_e.htm

Copyright 2010 CyberTech, Inc.
Readers Comments

Joseph Somsel
2.28.08
Call me a dumb engineer, but how does operational cyber security of the operations of the grid relate to financial accounting requirements like Sarbanes-Oxley? Adding to my confusion is your statement "...standards are designed to serve entities from the smallest operators all the way up to multi-national conglomerates."

Isn't the proper goal of regulations to protect the electrical customers? In this case, I think that means ensuring grid reliability.

This is an issue that seems to need much more rigorous standards. Witness the CIA news release that one country's grid had been threatened with disruption unless extortion money was paid. In the recent fluffup about California's programmable communicating thermostats, the design specifications only claimed "moderate degree of risk mitigation." How kind of them when the designers are on the other end of the controller.

BTW, the link you provided doesn't seem to work, nor does a search of the Natural Resources Canada website return usable links to the topic.

Kevin McDonald
3.4.08
Good feedback. Sorry if I was unclear. Sarbanes-Oxley initially applied only to large public companies, so the SOX standards were fairly rigorous. NERC CIP is being applied to a much wider field, and this may have contributed to a lowering of the bar.

Here is another link to the blackout report. https://reports.energy.gov/BlackoutFinal-Web.pdf

All best, Kevin McDonald
