PCS BLOG

There have been recent updates to NERC CIP Supply Chain Standard CIP-013-1, which is not yet approved but under development and subject to possible future changes and approval. The purpose of this project is to better protect BES Cyber Systems by implementing controls to reduce the risk of compromised vendor hardware and software. The following are the most important changes:

  1. Low Impact BES Cyber Systems escape! Draft 1 of CIP-013-1 had requirements for Low Impact BES Cyber Systems, but these have been removed in draft 2. While this would have been good for security, it didn't make sense to require Low Impact systems to implement these controls because industry uses a risk-based approach. Low Impact systems are Low Impact for a reason. They should have some controls but not the same as High and Medium Impact systems. High and Medium Impact systems, however, must still implement supply chain security.
  2. Clarifying language was added to Requirement 2 that allows entities to follow a process rather than actually getting vendors to comply: "Note: Implementation of the plan does not require the Responsible Entity to renegotiate or abrogate existing contracts (including amendments to master agreements and purchase orders). Additionally, the following issues are beyond the scope of Requirement R2: (1) the actual terms and conditions of a procurement contract; and (2) vendor performance and adherence to a contract." The Standard Drafting Team (SDT) on an update call gave the specific example of having a process to ask for supply chain controls when negotiating contracts, but it won't be a violation of CIP if vendors don't agree to those controls and they fall out of the contract during contract negotiations. They also said contract language would not be in the scope of an audit - just the process. Entities are only required to have a process to try to get controls into contract language. Therefore, success for this standard will be in having the right process that covers what it needs to but doesn't go too far, which is a similar approach to the Information Protection Program in CIP-011-2.
  3. Requirement 3 (software authenticity) was moved to a new Part in CIP-010-3, Part 1.6. On the webinar, a question was asked for an example of validating software source. The SDT responded that one way is to check the SSL certificate on the vendor's web page and validate that the certificate was issued to the vendor and is still valid. For automated patching systems, you can rely on the automated system's specifications: if the specification says the system validates the patch before making it available to you, you can rely on that process and do not have to re-validate patches. If a patch is validated once, it can be distributed to multiple machines without having to validate it again.
  4. Requirement 4 (vendor remote access) was moved to two new Parts in CIP-005-6, Parts 2.4 and 2.5.
  5. Implementation was changed from twelve (12) months to eighteen (18) months, which is great news for industry. We all have more time to get ready. However, remember with all the different business units that will be affected it's never too early to start.
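The certificate check the SDT described in item 3, as an added illustration that is not from the SDT or from this post: it uses Python's standard ssl module, and the constructed SAMPLE_CERT mirrors the dictionary that getpeercert() returns, with an assumed vendor name, host and validity dates. The fetch_peer_cert helper shows the live equivalent, where the default context also verifies the certificate chain and hostname.

```python
import ssl
import socket
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns
# (vendor name, host and dates are assumed; this is not a real certificate).
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Vendor Inc"),),
                (("commonName", "downloads.example-vendor.test"),)),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "notBefore": "Jan  1 00:00:00 2017 GMT",
    "notAfter": "Jan  1 00:00:00 2018 GMT",
    "subjectAltName": (("DNS", "downloads.example-vendor.test"),),
}

def cert_issued_to_vendor(cert, expected_org):
    """True if the subject's organizationName matches the expected vendor."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "organizationName" and value == expected_org:
                return True
    return False

def cert_is_current(cert, now=None):
    """True if 'now' (epoch seconds, default: current time) is inside the validity window."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after

def check_vendor_cert(cert, expected_org, now=None):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not cert_issued_to_vendor(cert, expected_org):
        findings.append("certificate not issued to expected vendor")
    if not cert_is_current(cert, now):
        findings.append("certificate outside its validity period")
    return findings

def fetch_peer_cert(host, port=443):
    """Fetch a live site's certificate; the default context verifies the chain
    and hostname, so an untrusted certificate raises ssl.SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

A certificate check only authenticates the download channel; the patch file itself should still be compared against the hash or signature the vendor publishes.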

Remember the SDT is under tight timelines due to the FERC Order. The deadline for filing with FERC is September. That requires NERC Board adoption in August, with the second formal comment period and ballot running through June 15. It's time to comment and ballot. The development project page is found at http://www.nerc.com/pa/Stand/Pages/Project201603CyberSecuritySupplyChainManagement.aspx .

NERC and the Regions require that the initial CIP-003-6 Low Impact Cyber Security Incident Response exercise be completed by April 1, 2017. Proven Compliance Solutions (PCS) helped its clients perform these by facilitating table top exercises. The result was better understanding of Incident Response Plans and improved inter-departmental communication for the entities.

Performing exercises often reveals lessons learned. Also, performing exercises keeps procedures fresh in the mind of Subject Matter Experts (SME) who may have to follow procedures late at night or on weekends when they may not expect to do so.

PCS has found the most difficult thing for entities to do is to plan a meaningful scenario. Often the exercise is scheduled with appropriate SMEs who arrive at the meeting and look to the meeting organizer for what to do next. They read through the Incident Response Plan and talk through a few light scenarios. While this could be considered compliant if proper notes are documented to capture the exercise, the value increases if realistic, engaging scenarios are planned in advance.

To plan scenarios, entities could ask themselves the following questions:

  • Which business units and SMEs should participate?
  • What are our attack vectors? How might an attacker actually affect our CIP systems?
  • Is the attack just electronic or will it have a physical security component?
  • At what point should the scenario require communication from the person/group who sees it to the Incident Response Team?
  • At what point should the Incident Response Team notify the Electricity Information Sharing and Analysis Center (E-ISAC)?
  • Will CIP systems need to be contained, eradicated, and restored?

The same exercise performed for CIP-003-6 can also be used for CIP-008-5 for High/Medium Impact systems if the same Incident Response Plan and response teams are used.

With a meaningful scenario, entities get more value from the Incident Response exercise. If your entity did not complete a Low Impact exercise by April 1, it is best to complete one right away and file a report with your region. PCS can assist entities with these efforts.

The recent Oroville Dam flooding, which caused hundreds of thousands of people to be evacuated and impacted several utility companies, reminds us all of the importance of Cyber Asset Recovery Plans. NERC CIP-009-6 Requirement 1 mandates that registered entities with High and Medium Impact Bulk Electric System (BES) Cyber Systems implement recovery plans, including the following (among others):

  • Conditions for activation of the recovery plan(s)
  • Roles and responsibilities of responders
  • One or more processes for the backup and storage of information required to recover BES Cyber System functionality

The recent disruptions bring to mind that conditions for activating recovery plans can be varied and surprising. Registered entities are expected to create a table or list of different types of events or magnitudes of loss. A table could be designed as follows:

BES Cyber System Impact            | Actions
-----------------------------------|---------------------------------------------
Loss of backup system              | Investigate and Recover
Loss of primary system             | Automatic Failover, Investigate, and Recover
Loss of primary and backup system  | Investigate and Recover

Recent events also highlight the benefits of geographically dispersed BES Cyber Systems. For example, if your data center suddenly becomes submerged by water, it would be critical to operations to have another data center to fail over to that was not underwater.

Another tip is to have recovery plans available to those with a role in the plan at their homes and in a way that would be easily transportable. Consider the following:

  • Do Subject Matter Experts (SME), the people charged with bringing systems back online, have access to recovery plans from their homes? Ideas include encrypted thumb drives and paper copies stored in safe locations (perhaps a safe). Both are transportable.
  • How can we allow SMEs to restore BES Cyber Systems if they can't get to the office? Good VPN security and practice can help with this. Consider having SMEs work from home one day a month to test remote administration and find recommendations for improvement.
  • How can we help SMEs feel more comfortable leaving their families during a disaster? Interviewing SMEs and asking them will reveal interesting information. Perhaps minimal food storage and a backup radio can make all the difference.

There are many ways registered entities can comply with NERC CIP-009-6, and Proven Compliance Solutions helps its clients find the best solution. Please contact us for further information.

Among other items, NERC CIP-007-6 Requirement 5 contains requirements for protecting CIP computer systems by securing shared accounts.

Part 5.2 states, "Identify and inventory all known enabled default or other generic account types, either by system, by groups of systems, by location, or by system type(s)."

Part 5.3 states, "Identify individuals who have authorized access to shared accounts." These two requirements can be accomplished manually, such as in a spreadsheet, or they can be done through a technical solution. Typical data points to capture are a) system name, b) account name, c) individual who has authorized access, and d) access start date.

Part 5.6 states, "Where technically feasible, for password-only authentication for interactive user access, either technically or procedurally enforce password changes or an obligation to change the password at least once every 15 calendar months." For most systems, this can be enforced through user account settings. However, this is simply not available on some systems. In these cases, Subject Matter Experts must manually change passwords. Escalated task reminder systems can be used to prompt action. The technical shared account system can also be used to run reports of password ages.

Further, CIP-004-6, Part 5.5 requires Responsible Entities to "change passwords for shared account(s) known to the user within 30 calendar days." This requirement causes a lot of work when a System Administrator leaves a company because there may be dozens of shared accounts for which the password needs to be changed. However, technical solutions exist where a report can show which passwords a person actually accessed while working there. For example, an entity may choose to use a software solution to identify shared accounts and require users to use that program to get the shared account password. Shared account passwords would not be known without accessing them through the software solution. That program could then log who accessed passwords and when. If the person was terminated or no longer needed access and only accessed 14 of the 24 passwords, only those 14 would need to be changed while the other ones would not.
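The two reports described above, the Part 5.6 password-age report and the "only the passwords the person actually accessed" report for CIP-004-6 Part 5.5, as an added example that is not part of this post or of any vendor product: the inventory and vault access log are constructed, with assumed system, account and user names, and the 15-calendar-month and 30-calendar-day windows are taken from the requirements quoted above.

```python
import calendar
from datetime import date, timedelta

# Constructed inventory (assumed system and account names): the Part 5.2/5.3
# data points named above plus the date of the last password change.
INVENTORY = [
    {"system": "EMS-HIST-01", "account": "admin", "authorized": {"alice", "bob"},
     "password_changed": date(2016, 1, 15)},
    {"system": "RTU-GW-02", "account": "root", "authorized": {"bob"},
     "password_changed": date(2017, 3, 1)},
    {"system": "SCADA-DB-01", "account": "sa", "authorized": {"alice", "bob", "carol"},
     "password_changed": date(2015, 12, 1)},
]

# Constructed vault log: (user, system, account, date the password was retrieved).
ACCESS_LOG = [
    ("bob", "EMS-HIST-01", "admin", date(2017, 2, 10)),
    ("bob", "RTU-GW-02", "root", date(2017, 3, 1)),
    ("alice", "SCADA-DB-01", "sa", date(2017, 1, 20)),
]

def add_months(d, months):
    """Add calendar months, clamping the day to the target month's length."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def password_age_report(inventory, today):
    """Part 5.6: accounts whose 15-calendar-month change deadline has passed."""
    return [(a["system"], a["account"]) for a in inventory
            if add_months(a["password_changed"], 15) < today]

def rotations_after_departure(access_log, user, departure):
    """CIP-004-6 Part 5.5: only passwords the user actually retrieved are
    'known to the user'; they must change within 30 calendar days."""
    known = sorted({(system, account) for who, system, account, when in access_log
                    if who == user and when <= departure})
    return {"accounts": known, "due_by": departure + timedelta(days=30)}
```

Note that bob is authorized on the SCADA-DB-01 "sa" account but never retrieved its password, so it does not appear in his departure report; the vault log, not the authorization list, drives the rotation.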

Each Responsible Entity is unique and should implement the controls that fit their needs, which could be a combination of various methods. Further, careful consideration should be made so evidence of performing required controls can be easily demonstrated to internal and external auditors. Proven Compliance Solutions helps its clients with these and other CIP challenges. Please contact us for further information.

NERC CIP-008-5, Part 2.1, requires a Responsible Entity to:

"Test each Cyber Security Incident response plan(s) at least once every 15 calendar months:

  • By responding to an actual Reportable Cyber Security Incident;
  • With a paper drill or tabletop exercise of a Reportable Cyber Security Incident; or
  • With an operational exercise of a Reportable Cyber Security Incident."

Since you probably won't be responding to an actual Reportable Cyber Security Incident every year, you will need to perform a paper drill or operational exercise. It can appear difficult to design fresh scenarios to keep your Subject Matter Experts (SME) interested while testing essential skills. This article will provide tips to help you.

Tip #1: Make it fun. A playful scenario and atmosphere increases SME focus and learning. If the experience is different than the other day-to-day SME tasks, SMEs will contribute more to the experience and get more out of it. 

Tip #2: Brainstorm the scenario. This is an extension of making the experience fun. If you've been through a drill where what you expect would happen did happen, you know it's not very fun. The best drills should have the following:

  • A bad actor or actors with a tragic backstory fueling their motive, an opportunity to take action, and the means to perform the action. Remember all bad actors believe on some level what they are doing is justified or else they wouldn't be doing it.
  • A vulnerability (real or plausible) in your system the bad actor can exploit.
  • A twist or perfect storm where a technology does the unexpected combined with people who are unavailable or misbehaving.

The scenario and objectives should be written down beforehand. Only limited details should be released to the participants at first. Then, over time, more details should be revealed as they would be in a real situation. The scenario script should be read out loud by a person with a dynamic voice. A handout should be given to SMEs for reference and note taking.

Tip #3: Have refreshments. This will increase participation and improve the compliance and security culture.

With these three tips, you'll be better prepared to plan, execute, and document the test of your Cyber Security Incident Response Plan each CIP year (15 calendar months). Proven Compliance Solutions has helped other entities plan, execute, and document these tests, and it can help you and your organization as well.
