This post is the first of a series of blog posts from many in the Electric Power Cyber Security community illustrating what are believed to be gaps in the NERC CIP regulations that govern cyber security in the electric power sector. Over the next 30 days, these gaps will be spotlighted in the hopes that discussion will lead to improvements in the regulations.

The NERC CIP V5 regulations have a single clause in CIP-007 that addresses the potential use of removable media: CIP-007 R1.2. In it, entities are required to ‘protect against the use of unnecessary physical input/output ports used for network connectivity, console commands, or removable media’. This is arguably an improvement from NERC CIP V3, which had no specific restrictions against the use of physical ports.

Despite the slight improvement in CIP V5, the problem is that the regulation doesn’t address protections for Removable Media that is considered necessary by entities. I’ve been doing this for a while, and the most common infection vector in Electric Power systems I’ve consistently seen is the use of Removable Media by authorized personnel, removable media that was deemed necessary at the time and regretted later. My anecdotal experience is backed up by numerous articles, presentations, and actual news stories regarding cyber events originating from uses of Removable Media. Transferring patches, license keys, and control system software updates, moving logic and HMI files between systems, and backing up systems can all be considered necessary uses of Removable Media. What is missing is how we minimize the risk to the bulk electric system from Removable Media threat vectors.

The risk from the necessary use of Removable Media is especially important because some entities have chosen to completely remove communications links to external networks. This leaves Removable Media as the likely means of communication between the outside world and the BES Cyber Assets.

What would close the gap is to require entities to reduce the risk from the necessary uses of Removable Media. This has been handled in traditional IT by the use of Removable Media policies, and the technical and procedural enforcement of the policy. I’m recommending the following to begin addressing the gap:

  1. NERC CIP-003 R1 should require a Removable Media policy, either in CIP-003 itself or through one of the sub references to the other CIPs. If an entity does not have a Removable Media policy for NERC CIP, it’s a finding for CIP-003. If it were me, I’d add the requirement to CIP-007, as it’s the logical place for system protections.
  2. Require any use of Removable Media to go through the CIP-010 Configuration Management process. I’m basically classifying every use of Removable Media as a potential change to the baseline, making it subject to review and evaluation to determine potential changes to the baseline configuration. This makes sense, as malicious programs delivered on Removable Media would definitely be altering the security baseline of a system. Entities should test to make sure the use of Removable Media doesn’t affect the baseline. Consider this: on Windows systems the use of Removable Media often requires changes to drivers and registry keys to actually use the media, so the case could be made that it should be here anyway.
  3. Use of Removable Media should be limited to specific authorized personnel with a need to know and job function, similar to how we are required to limit user access and privileges in CIP-005, CIP-006, and CIP-007. This elevates the use of Removable Media to a privilege and right conferred to personnel we trust to be careful in its use. If you aren’t authorized to use Removable Media, you don’t get to use it on Electric Power systems, period. This could be enforced with either procedural or technical measures.
  4. Require that Entities maintain a record of Removable Media usage as part of the CIP-007 Logging requirements. This should be based on both procedures and technical measures.
  5. The responsible and authorized use of Removable Media should be a requirement in the Training and Awareness requirements of CIP-004. Entities should demonstrate that as a Measure. If an entity doesn’t cover Removable Media in the Training and Awareness program, it’s a finding.

WARNING Incoming Personal Opinion: Protecting the BES against threats from Removable Media is, in my eyes, similar to protecting critical equipment from lightning, ensuring equipment has appropriate EMI resistance, and ensuring diversity of electric supply to equipment. These are known issues we have encountered in the past, issues that have taken equipment out of service and cost time and money repairing, issues we have already ‘identified, assessed, and corrected’. We know it’s a risk, we should take steps to reduce it.

title image by aghrivaine