I’m continuing my review of the NERC CIP V5 standard updates, and discussing what good/bad things I find on DigitalBond.com. This week’s focus is Protected Cyber Assets. According to the glossary, a Protected Cyber Asset is:
A Cyber Asset connected using a routable protocol within an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter (a Cyber Asset is not a Protected Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a Cyber Asset within an ESP or to a BES Cyber Asset, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes).
Going through the actual NERC CIP standards, the definition does not include the parenthetical text (highlighted in red above), and nothing in the standard explains how the ‘30 consecutive days’ limit and the restriction to ‘data transfer, etc.’ purposes are going to work in practice. Reading between the lines, it appears that there is a need to allow certain kinds of ‘intermittent’ access within an Electronic Security Perimeter (ESP). This access would happen without having to follow NERC CIP controls, because it is perceived as lower risk.
Here’s a question: If a cyber asset within the perimeter ISN’T a Protected Cyber Asset or part of the BES Cyber System, then what exactly is it, and how do we secure it? Right now, there is no requirement to secure this intermittent asset, and the tracking of these assets is not defined at all. These assets could potentially impact reliable operation due to network proximity to a BES Cyber System, and they aren’t even on the map.
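One way to at least put these devices on the map is to log every transient connection to an ESP and test each device against the glossary’s own two conditions. The sketch below is my own added illustration, not anything from the standard or the glossary; it assumes calendar days are counted inclusively, that a reconnect on the next calendar day continues the same consecutive run, and uses constructed sample records rather than real sites or vendors.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Purposes the glossary definition lists for the transient-device exemption.
ALLOWED_PURPOSES = {"data transfer", "vulnerability assessment", "maintenance", "troubleshooting"}
MAX_EXEMPT_DAYS = 30  # "30 consecutive calendar days or less"

@dataclass(frozen=True)
class Session:
    device: str
    esp: str
    start: date
    end: date      # inclusive calendar day of disconnect
    purpose: str

def merge_runs(sessions):
    """Merge overlapping/adjacent sessions for one device+ESP into consecutive-day runs.
    Assumption: reconnecting on the next calendar day does not reset the 30-day clock."""
    runs = []
    for s in sorted(sessions, key=lambda s: s.start):
        if runs and s.start <= runs[-1][1] + timedelta(days=1):
            runs[-1][1] = max(runs[-1][1], s.end)
        else:
            runs.append([s.start, s.end])
    return [(a, b, (b - a).days + 1) for a, b in runs]

def classify(sessions):
    """Return {(device, esp): (verdict, reasons, longest_run_days)}."""
    by_key = {}
    for s in sessions:
        by_key.setdefault((s.device, s.esp), []).append(s)
    verdicts = {}
    for key, group in by_key.items():
        reasons = []
        bad = sorted({s.purpose for s in group} - ALLOWED_PURPOSES)
        if bad:
            reasons.append("purpose not in exemption list: " + ", ".join(bad))
        longest = max(days for _, _, days in merge_runs(group))
        if longest > MAX_EXEMPT_DAYS:
            reasons.append(f"connected {longest} consecutive calendar days (> {MAX_EXEMPT_DAYS})")
        verdicts[key] = ("exempt" if not reasons else "treat as PCA", reasons, longest)
    return verdicts

# Constructed sample records (hypothetical devices and ESP names).
SAMPLE = [
    Session("contractor-laptop-01", "ESP-A", date(2013, 3, 1), date(2013, 3, 2), "maintenance"),
    Session("contractor-laptop-01", "ESP-A", date(2013, 3, 3), date(2013, 4, 5), "maintenance"),
    Session("relay-tuner-02", "ESP-B", date(2013, 3, 10), date(2013, 3, 10), "troubleshooting"),
    Session("vendor-kit-03", "ESP-A", date(2013, 3, 10), date(2013, 3, 12), "remote monitoring"),
]

if __name__ == "__main__":
    for (dev, esp), (verdict, reasons, days) in classify(SAMPLE).items():
        print(f"{dev}@{esp}: {verdict} (longest run {days}d) {'; '.join(reasons)}")
```

Anything that comes back as “treat as PCA” has lost the exemption and needs the full set of CIP controls, which is exactly the tracking the glossary leaves undefined.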
I understand the need for an owner to allow certain systems to connect to the ESP for various purposes. An exemption like this would be an immense time saver in my previous role, but would also introduce a lot of risk into work with third parties. Maintenance and troubleshooting activities, especially at Transmission and Generation facilities, often require connecting devices and computers that have specialized software and interfaces to the same network as critical systems.
Under the V3 standards, owners had to go through a lengthy CIP-defined process to add a new cyber asset, and a similar lengthy process to remove it, even if the cyber asset was only needed for 15 minutes. Addition and removal required ensuring applicable CIP standards were accounted for. All of this added up to a massive headache when a turbine needed to be tuned, or a substation relay needed on-site reprogramming by a maintenance tech.
The justification for adding intermittent devices shouldn’t be buried in the glossary; it requires a documented, standardized approach. This exemption is risky: both anecdotal accounts and recorded history have identified contractor laptops and other intermittently connected computers as vectors that transmit viruses to the control system, or interfere with the control system in other ways. I’ve posted on the issue of contractor laptops before, and this extends to vulnerability assessment systems as well.
Handling this important maintenance and troubleshooting activity in the glossary will only increase confusion, and leave BES Cyber Systems less secure. Ignoring the history of control system incidents involving contractor laptops, and other devices that require intermittent access to the ESP, is failing to account for historical failure modes in the interest of expediency. If there is considerable pressure from industry to handle this issue in the standards, it should be explicitly defined, with an approved process and security controls outlined in the standards themselves.
If you have any comments on how to handle intermittently connected devices in the context of the NERC Standards (or in any other context), please post them below. I’m working on my own approach to this as well, and will be happy to incorporate useful feedback from the community.
title image by Davide Restivo