NERC CIP-007 Shared Accounts

Among other items, NERC CIP-007-6 Requirement 5 contains requirements for protecting CIP computer systems by securing shared accounts.

Part 5.2 states, "Identify and inventory all known enabled default or other generic account types, either by system, by groups of systems, by location, or by system type(s)."

Part 5.3 states, "Identify individuals who have authorized access to shared accounts." These two requirements can be accomplished manually, such as in a spreadsheet, or they can be done through a technical solution. Typical data points to capture are a) system name, b) account name, c) individual who has authorized access, and d) access start date.

Part 5.6 states, "Where technically feasible, for password-only authentication for interactive user access, either technically or procedurally enforce password changes or an obligation to change the password at least once every 15 calendar months." For most systems, this can be enforced through user account settings. However, this is simply not available on some systems. In these cases, Subject Matter Experts must manually change passwords. Escalated task reminder systems can be used to prompt action. The technical shared account system can also be used to run reports of password ages.

Further, CIP-004-6, Part 5.5 requires Responsible Entities to "change passwords for shared account(s) known to the user within 30 calendar days." This requirement causes a lot of work when a System Administrator leaves a company because there may be dozens of shared accounts for which the password needs to be changed. However, technical solutions exist where a report can show which passwords a person actually accessed while working there. For example, an entity may choose to use a software solution to identify shared accounts and require users to use that program to get the shared account password. Shared account passwords would not be known without accessing them through the software solution. That program could then log who accessed passwords and when. If the person was terminated or no longer needed access and only accessed 14 of the 24 passwords, only those 14 would need to be changed while the other ones would not.
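As an added illustration (not code from the original article or from Proven Compliance Solutions), the following Python sketches the two reports described above over constructed data: a shared-account inventory with last-change dates and a vault checkout log. It flags passwords past the 15-calendar-month interval and lists the shared accounts a departing user actually retrieved, each with its 30-calendar-day rotation deadline. All system, account and user names are made up.

```python
from calendar import monthrange
from datetime import date, datetime, timedelta

# Constructed sample inventory (CIP-007-6 Part 5.2): system, account,
# and the date the shared password was last changed.
INVENTORY = [
    ("ems-hmi-01", "operator", date(2022, 1, 10)),
    ("rtu-gw-02", "admin", date(2023, 5, 3)),
    ("hist-db-01", "svc_report", date(2023, 9, 20)),
    ("scada-srv-03", "root", date(2023, 1, 31)),
]

# Constructed vault checkout log: (timestamp, user, system, account).
ACCESS_LOG = [
    ("2023-06-12T08:15:00", "jdoe", "ems-hmi-01", "operator"),
    ("2023-11-02T14:40:00", "jdoe", "rtu-gw-02", "admin"),
    ("2024-02-19T09:05:00", "jdoe", "rtu-gw-02", "admin"),
    ("2024-01-08T16:30:00", "asmith", "hist-db-01", "svc_report"),
]


def add_months(d, n):
    """Add n calendar months, clamping the day to the target month's length."""
    month_index = d.month - 1 + n
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, monthrange(year, month)[1])
    return date(year, month, day)


def overdue_passwords(inventory, today, max_months=15):
    """Part 5.6 report: accounts whose password has gone more than
    max_months calendar months without a change, as of `today` (ISO date)."""
    today = date.fromisoformat(today)
    report = []
    for system, account, last_changed in inventory:
        due = add_months(last_changed, max_months)
        if today > due:
            report.append((system, account, due.isoformat()))
    return report


def accounts_to_rotate(access_log, user, separation_date, window_days=30):
    """CIP-004-6 Part 5.5 report: shared accounts whose password the departing
    user checked out on or before separation, with the rotation deadline."""
    separated = date.fromisoformat(separation_date)
    deadline = (separated + timedelta(days=window_days)).isoformat()
    touched = {(system, account) for ts, who, system, account in access_log
               if who == user and datetime.fromisoformat(ts).date() <= separated}
    return sorted((system, account, deadline) for system, account in touched)
```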

Each Responsible Entity is unique and should implement the controls that fit its needs, which could be a combination of the methods above. Further, careful consideration should be given to ensuring that evidence of performing the required controls can be easily demonstrated to internal and external auditors. Proven Compliance Solutions helps its clients with these and other CIP challenges. Please contact us for further information.
