CIP-003-8: Electronic Access Controls are Cool!

(Originally posted on August 2, 2020)

The last blog post we did covered physical security controls.

Since we are still working through CIP-003 what better way to beat the heat than to talk about some cool Electronic Access Controls.

Time to get excited!

Electronic Access Controls

I’m just going to go ahead and say it, the objective of CIP-003-8 R1.2.3 is to protect the BES cyber system with a firewall.

Let’s break this down.

ATT 1, Section 3. Electronic Access Controls: For each asset containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement electronic access controls to:

3.1 Permit only necessary inbound and outbound electronic access as determined by the Responsible Entity for any communications that are:

Permitting only inbound and outbound electronic access…you mean firewall rules. Let’s keep analyzing.

i. between a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset containing low impact BES Cyber System(s);

First the requirement is specifying communications between a low impact BES cyber system and a Cyber Asset outside the subject asset.

Luckily, NERC leaves it up to you to decide where the demarcation line is for communications leaving the asset. Just be sure this is documented thoroughly.

ii. using a routable protocol when entering or leaving the asset containing the low impact BES Cyber System(s); and

Second, the communications must be using a routable protocol. This is pretty standard stuff.

iii. not used for time-sensitive protection or control functions between intelligent electronic devices (e.g., communications using protocol IEC TR61850-90-5 R-GOOSE).

Third, the communications must not be used for any time-sensitive protection. Basically, if there is a potential for protection failures or issues due to latency issues caused by the firewall, do not use a firewall.

NERC realizes that even though putting a firewall in front of a protective relay would “protect” the relay, it has the potential to cause havoc due to latency. The solution would be worse than the problem.

If the communication link meets the three criteria listed above, it must be controlled with a firewall (or other method, we’ll touch on this in a bit) and the access must be justified and documented.

One of simplest methods of documenting electronic access evidence is to put the justification in a notes or comments field of the firewall rule, if the firewall is capable.

3.2 Authenticate all Dial-up Connectivity, if any, that provides access to low impact BES Cyber System(s), per Cyber Asset capability.

If your company is still using dial-up connectivity, I’m sorry. I do realize this is unavoidable in some instances; however, be sure there is a way to authenticate the connectivity if at all possible. Some dial-up devices do not allow this functionality.

Either way, document the capabilities, even if there is no authentication functionality.

Firewalls and Other Methods of Protection

Even though a firewall will be the most common method of meeting this requirement, it is not the only method.

Host-base firewalls could be used (still a firewall, data diodes, and even vendor devices specific for ICS protocols

The supplemental material starting on page 38 of the standard provides several BES cyber system scenarios and how to protect them. Study these carefully if you’d like to learn more or just can’t sleep.

Well, I think we covered enough electronic access for today.

Stay safe everyone and don’t forget to check out our handy new website EZ-CIP!