This post is part of a coordinated series of blog posts examining the details of version 5 of the NERC Critical Infrastructure Protection (CIP) standards. These posts, written by various individuals having direct experience with these standards, will point out security gaps, ambiguities, and areas that could prove challenging to audit. The purpose of the posts is to highlight areas for future improvement, and to draw attention to issues for which entities may wish to apply greater diligence than is currently required by regulation.

This simulpost (well, semi-simulpost thanks to my getting worn out on international travel) from Steve Parker at EnergySec is intended to discuss the weakening of the ESP from V3 to V5 with regard to serial-based communications. Considering that the lack of any security in automation protocols is the softest and gooiest center of any industrial control system, regulations that weaken the Electronic Security Perimeter should be viewed with intense scrutiny.

From Steve Parker, EnergySec

Version 5 of the NERC CIP standards appears to have taken a step backwards with respect to the protection of Electronic Security Perimeters. Previously, control, or at least the declaration of an access point, was required wherever data crossed the logical perimeter. This included data passing via non-routable protocols. In fact, in the CIP-005 Compliance Analysis Report published in May of 2012, this point was made clear:

A common error is to presume that an electronic access point is only required for routable networks. In fact, any data traffic that crosses the ESP requires an electronic access point somewhere. – Page 11

The basis for this position is CIP-005-3 R1.1, which states, “Access points to the Electronic Security Perimeter(s) shall include any externally connected communication end point (for example, dial-up modems) terminating at any device within the Electronic Security Perimeter(s).”

Read more at EnergySec.org.

title image by itjournalist