NERC has just issued the first Clarification Application Note [CAN] related to the CIP standards. The CAN process should be very helpful for owner/operators, vendors and auditors by removing some of the interpretation on what the standards mean and require. That said, the answers in a CAN may be very unpopular and in some cases raise more questions than they answer.
This first CAN is a good example. It addresses whether laptops that can remotely access Critical Cyber Assets [CCA’s] are CCA’s themselves. For CIP novices, designated something a CCA triggers a large number of technical and administrative cyber controls and physical security requirements. There is no doubt that remote access must be secure, but mobile security is different than fixed asset security . . . even if it is something as simple as physical security but also think of the approved ports / services and other issues. For example, what if you use a highly restricted VM for emergency remote access?
At first I thought this was going to apply to all sorts of remote access to a CCA, but a close reading shows this may only apply to Operator Stations:
System operator laptops with the capability and purpose of controlling Bulk Electric System assets remotely (whether in normal operations or in emergencies) should be designated as CCAs under CIP-002-2 Requirement R3. …
will treat system operator laptops with the capability and purpose of controlling Bulk Electric System assets remotely (whether in normal operations or in emergencies) as CCAs, and as such, all Critical Infrastructure Protection Standards must be adhered to for these devices.
For over ten years now we have stressed that control should take place from the control center even if it is a remote engineer telling an operator what to do, but engineers, administrators and vendors sometimes need emergency remote access to look at a cyber asset or network issue that is affecting operations. As I read this CAN, as long as the laptop is not controlling the assets they are not covered. Since the vendors and administrators have the capability of taking out all the critical cyber assets, the “purpose” of the laptop shouldn’t be a criteria. It should be the capability.
This CAN is also instructive on the difficulty of writing and applying these regulations. It is very hard to effectively and efficiently apply security if judgement is not allowed.