Lessons Learned CIP Reliability Standards

Transcription

1 Evidence for a requirement was not usable due to a lack of identifying information on the document. An entity should set and enforce a "quality of evidence" standard for its compliance documentation. A document to be used as compliance evidence should ideally have a title identifying the document, an identification of the entity or group within the entity for which the document is valid, the revision date of the document, a revision or version number, a revision history, a review history (for -3 R5 and CIP R9 purposes), and an approval signature (if required). Use of SharePoint as a means of version control for processes, procedures, and lists that require reviews. The actual processes, procedures, and lists that are required to be reviewed and/or approved per a requirement in a standard, need to be maintained with versioning information, effective dates, and review dates within the SharePoint system. An entity can use a system like SharePoint as a means of version control for the review and/or approval of processes, procedures, and lists. However, the "written" documentation must agree with the information contained in the SharePoint system. Use of a Compliance Management System as a means of reviews and approvals for processes, procedures, and lists that require reviews and /or approvals. The steps identified within the Compliance Management System (CMS)need to document the name of the process, procedure, and/or list. In addition, all versioning information to include review and/or approval and date of the review/approval should also be included. The process should also identify the means by which the information within the CMS is verified for accuracy. An entity may use a Compliance Management Systems (CMS) for reviews and/or approvals of processes, procedures, and lists. However, the CMS must identify the name of the process and procedure along with the versioning information to include review and/or approval, and the dates for the review and approval. It is strongly suggested that a process is in place to assure the accuracy of the information contained in the CMS. Reliance on a vendor to adhere to the CIP standards for outsourced services. Require the outsourcing vendor to provide evidence of compliance to all the CIP standards that pertain to the outsourced service. An entity can use an outsourced service, however contractual controls need to be put in place to assure the outsourcing vendor is following the CIP standards and can routinely provide evidence to demonstrate compliance. CIP-002 R1. Incomplete application of the CIP Standards (version 4) "Bright Line Criteria", in the event an entity elects this approach. Ensure all required criteria from the CIP Standards (version 4) "Bright Line Criteria" are addressed and documented. In "Cyber Security Standards Transition Guidance," dated April 11, 2013, NERC provides a method to adopt the CIP Standards (version 4) "Bright Line Criteria" (BLC) as an entity's risk-based assessment methodology. In implementing Approach 2 of the guideline, an entity should carefully consider and document all of the required criteria. 1

2 CIP-002 R1.1. Entity has a Risk Based Assessment Methodology that goes through a 3 step process. Step 1 assigns overall risk, by assigning values for Threat, Vulnerability and consequences. The product of these 3 factors yields a Total Risk value. As the last part of Step 1, the entity compares the Total Risk value against criteria threshold criterion equal to 25 of 500 or 5% to determine if a plant is critical or non-critical. No basis is given in the RBAM, other submitted evidence, or SME interviews for the threshold criterion used. Based on the evidence provided, the audit team determined that the entity did not have any supporting risk basis for the chosen 5% threshold criteria of acceptable risk. If an entity provides threshold criteria as a determining factor A risk basis needs to be provided for any criteria used in of critical or non-critical assets, they need to provide a evaluating assets and determining their criticality. documented basis for selecting the chosen threshold criterion. CIP-002 R3. Incomplete identification of Critical Cyber Assets. Ensure all Cyber Assets associated with a Critical Asset are considered as possible Critical Cyber Assets. In some approaches to identifying Critical Cyber Assets, it is possible to miss the evaluation of Cyber Assets that are associated with the Critical Asset. An entity should be careful to ensure that all Cyber Assets that are associated with a Critical Asset are identified and reviewed as possible Critical Cyber Assets. Also, an entity should keep in mind the determination by FERC, as put forth in "ORDER ON INTERPRETATION OF RELIABILITY STANDARD," Docket RD , dated March 21, ( CIP R3. Computers allowed remote access to one or more Critical Cyber Assets (CCAs) obtaining access rights sufficient to perform all functions of the CCA. The remote computers connecting to the CCAs were not classified as CCAs themselves. Permissions changed to the remote computer to lessen access rights when connected to a CCA so that critical functions cannot be exercised remotely. Remote connectivity to CCAs must be scrutinized to make sure that the access is truly needed, that the connection is secure and that all Std/Req's are met. CIP-004 R1. The security awareness program quarterly newsletters were not distributed on a quarterly basis per the entity's program. Many were distributed on an ad-hoc basis. Revised process to ensure creation and distribution of the security awareness newsletter per the entity's defined program. There should be governance of the CIP program processes and procedures to ensure that implementation of required actions occurs. CIP-004 R2. Personnel, including contractors, were granted physical Revised process for new personnel requiring more rigor in the and/or electronic access to Physical Security Perimeters (PSPs) steps and verification that training is provided and and/or Electronic Security Perimeters (ESPs) without receiving documented before access is granted to PSPs and/or ESPs. required security training. Vigilance in tracking personnel who have access to PSPs and/or ESPs is paramount in the company knowing who has access to their Critical Assets and Critical Cyber Assets. 2

3 CIP-004 R3. Missed conducting background check for contractors before granting access. Created separate process to handle Personnel Risk Assessments (PRAs) for contractors in order to delineate between what was required for company staff and hired contractors. One policy for conducting PRAs may not adequately meet the requirements of the Std/Req. Having a process to handle contractor personnel only is of benefit to the entity, especially with the typical turnover rate for contractor personnel. CIP-004 R3.1. Background check data obtained during Personnel Risk Assessments (PRAs) was not reviewed for relevance and completeness; therefore employees were recorded as having a valid PRA when they actually did not. All background checks for affected personnel were reviewed and new checks ordered where required. Personnel newly designated as requiring a PRA had their background check reviewed manually for completeness. The software program in place to process the background check data was modified to confirm that all required information was contained in each background check. Personnel Risk Assessments (PRAs) are performed so that there is some measure of an individual's background before they are granted access to Critical Assets, Cyber Assets, CIP Information, etc. It is imperative that the results from the requested background check be reviewed so that the company is assured the data is complete. CIP-004 R4. Missed conducting a proper review of access rights for employees. Review and changes to existing process for reviewing access rights in order to provide more detail and accountability by management. Strong processes, having been tested and proven, must be in place to make sure that all actions required by the CIP Standards are being conducted properly and documented. Management accountability for the successful completion of the process is strongly recommended. R1. R1.4. While not CCAs, cyber assets were found within the ESP that had not been identified. Evaluated all cyber assets within defined ESPs to identify which were CCAs and which were not. Appropriate documentation lists were updated to reflect all cyber assets. Non-critical cyber assets that reside within an ESP, must be identified and accounted for by the company. An undocumented, non-critical cyber asset could become a launching point for an attack on a critical network. In order to properly secure critical networks, companies must identify all devices that exist in that network or ESP. R1.6 Inconsistences identified between Critical Cyber Asset list and Electronic Security Perimeter diagrams. Assure additions and/or deletions of Critical Cyber Assets are reflected on the Electronic Security Perimeter diagrams. When using both a Critical Cyber Asset list and Electronic Security Perimeter diagrams to demonstrate documentation of compliance for CCAs within an ESP, make sure they are synchronized. R1. R2. Use of "mixed-trust" networks in a virtual switched environment led to multiple issues with security and compliance. Carefully evaluate the benefits and costs of mixing protected networks (ESPs) and non-protected networks on the same switch hardware. Successfully implementing protected networks (ESPs) and nonprotected networks on the same network infrastructure can be difficult. All of the requirements of -3, R4 must be carefully evaluated and documented. 3

4 R2. Ports and services required to be enabled on access points to ESPs were not identified and verified. A re-evaluation of all access point ports and services was conducted. Verification that the ports and services were required to be enabled was performed and documented. Changes were made to procedures to make sure that ports and services were verified moving forward. Un-needed ports and services left in an enabled state are the gateway by which a malicious actor can gain access to a critical network. If a company is unaware of enabled ports and services on cyber assets, the risk level for exploitation is elevated. Ports and services on any given device should be configured to only allow what is needed, monitored to make sure it is operating in a correct manner, and reviewed or evaluated on a regular basis to make sure that only those ports and services that are required are the ones actually running. Ports and services on access points to ESPs were identified and verified for inbound traffic only. Both inbound and outbound traffic must be filtered. The Requirements are not limited to one direction of traffic only. In the event a Cyber Asset within an ESP is compromised, it may attempt to communicate directly with external systems for purposes of commend and control or data exfiltration. R2. Ports and services required to be enabled on access points to ESPs were identified using only the newest listing of active ports and services and not an original "baseline" for each device with edits documenting any additional ports and services being enabled. Although not explicitly required by the Standard, a good compliance practice is to keep a baseline document of ports and services required for operations. The baseline should identify the direction of traffic permitted, the service originating or receiving the traffic, the port or port ranges An annual Cyber Vulnerability Assessment should first review used for the traffic, and the business need for the traffic. The the baseline to ensure it is still accurate, and then compare business need is particularly important. For example, the firewall rules or other access controls to this baseline. identifying traffic to Port 22 as SSH does not fulfill the requirement to identify Port 22 as "required for operations." In this case, the business need might read, "SSH is required for system support personnel to access devices within the ESP for remote support during non-business hours." 4

5 Ports and services were evaluated only for the management port of an access point. Monitoring the ports and services used by the management The access control configuration of the access point must be port of an access point is required by CIP R8, which is reviewed for those "ports and services required for operations called into scope for access points by -3 R and for monitoring Cyber Assets 3 R2 and R4 refer to those ports and services permitted to within the Electronic Security Perimeter." transit the access point to assets within the ESP. R.2. R2.4. Access through a an ESP access point allowed users to a CCA without user identification and secure authentication. An alternate method of the required connectivity was identified which provided for proper identification, authentication and monitoring of user access. The firewall rule allowing the original access was no longer needed and thus removed from the firewall rule set. All Access points into an established ESP must be identified and documented. Security of these access points is of the utmost importance since they are basically the "gateway" to your CCAs. Proper identification, review for possible unknown access points, strong authentication procedures, and monitoring of the traffic that passes through the access point is vital to the security of CCAs contained within the ESP. R3. R3.2. The security monitoring process was not configured on some firewalls to save alerts for unauthorized access (i.e. Denied Access) to the system log. Changed firewall policy to enable the option for "deny with logging". Proper configuration for the alerting of potential malicious traffic must me enabled and operating properly in order for administrators to timely respond to a possible cyber event. R4. R4.1. R4.3. R4.4. R4.5. The Cyber Vulnerability Assessment process was spread across multiple documents and internal groups performing the assessment tasks. Inconsistent processes, and a lack of identified scope for the various vulnerability assessment tasks,resulted in incomplete assessments with insufficient evidence to demonstrate compliance that the assessments included required actions in all sub requirements. The entity updated their vulnerability assessment processes and procedures to completely assess the controls as defined in the sub requirements of R4. Secondarily, the entity assigned overall vulnerability assessment implementation and evidence gathering to one group (Information Security) within the company. A complete and compliant Cyber Vulnerability Assessment process requires much coordination within a large organization. Compliance is measured by sufficient and appropriate evidence that each and every sub requirement has been tested, results have been documented, and action plans executed to mitigate identified vulnerabilities. CIP-006 R1. Network wiring within an ESP was not protected by a six-wall boundary. Protect the network wiring with conduit or other measure. Network wiring is part of the ESP. It must be protected with a PSP as required by the standard. Also see from FERC, "ORDER REMANDING PROPOSED INTERPRETATION OF RELIABILITY STANDARD CIP-006-4," Docket RD , dated March 21,

6 CIP-006 R1. R1.4. R1.6. Physical access to a PSP was granted to individuals who had not been authorized. The individuals for which access was granted, did not follow the company procedure for Visitor Log Book entry. In addition, the individuals were not escorted as is required. Video was reviewed during the timeframe to identify if any other individual gained access as well. The individual who granted access was re-educated on the CIP Standards and the Physical Security Plan. Security Awareness training is an important part of any company security program. Employees must be reminded on a regular basis of company security policy, especially as it pertains to their assigned responsibilities. CIP-006 The Responsible Entity did not declare the Physical Access Control System (PACS) Intelligent Controllers and Administration Workstations as devices that authorize and/or log physical access. Document the devices as PACS systems and apply all of the protective measures specified in PACS controllers that perform the authentication functions of access control and log access in the event of a failure to the server need to be afforded the protection of Workstations that performs the authorization functions of access control also need to be afforded the protection of CIP-006 R4. R5. R6. Loss of power to various buildings had adverse affects on PSP controls, monitoring and logging Posted personnel at necessary sites where paper logs were used to monitor access. A procedure was created for PSPs when power is no longer available. Backup power was put in place for critical equipment. The loss of power in real-time or planned, can cause unforeseen problems. The event here strengthens the case for a proper testing program to be run on a regular basis to try and identify some of the unknown issues in advance. CIP-007 R Audit trail (automated or manual) not maintained for a shared account. Keep an audit trail (automated or manual) of shared account use. Even if only one individual routinely uses an account, if it is a shared account with multiple individuals with access, an audit trail of individual use must be kept. 6