CIP-003: The New Stuff - Part 3: Electronic Access Controls… Finally
(Originally posted on April 16, 2019)
The weather is finally starting to warm up and we dodged the “Spring Bomb” storm, yayy!
It’s a miracle!!
Before we get too excited though, it is time to dissect the Electronic Access Control section of CIP-003-7.
CIP-003-7 R2 S3 — Electronic Access Controls — Effective January 1, 2020
The electronic access controls specified by NERC are for protecting the BES Cyber Systems.
For BES assets classified at the medium and high impact levels, NERC mandates creating an Electronic Security Perimeter (ESP). Think of an ESP as a logical perimeter fence around a BES Cyber System.
NERC does not use the ESP term for low impact assets or their requirements; however, it is helpful to keep the concept in the back of your mind as you implement these controls in your CIP program.
The verbiage for R2 S3 is shown below.
· R2. Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1.
o Section 3. Electronic Access Controls: For each asset containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement electronic access controls to:
§ 3.1 Permit only necessary inbound and outbound electronic access as determined by the Responsible Entity for any communications that are:
§ i. between a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset containing low impact BES Cyber System(s);
§ ii. using a routable protocol when entering or leaving the asset containing the low impact BES Cyber System(s); and
§ iii. not used for time-sensitive protection or control functions between intelligent electronic devices (e.g., communications using protocol IEC TR61850-90-5 R-GOOSE).
§ 3.2 Authenticate all Dial-up Connectivity, if any, that provides access to low impact BES Cyber System(s), per Cyber Asset capability.
Let’s be clear here… NERC is requiring entities to have a firewall, or other device, in front of BES Cyber Systems for protection.
A basic stand-alone firewall will suffice, but the built-in OS firewall will also meet the requirement.
There are a few things here to note.
· Section 3.1.i - only requires a firewall to protect communications that leave or enter the asset containing the BES Cyber Systems (i.e., one end-point is outside the asset). Traffic between cyber systems where both end-points are located inside the asset is not required to be controlled.
· Section 3.1.ii - only traffic using a routable protocol needs to be protected; other protocols, such as serial, do not require protection.
· Section 3.1.iii - there could be other time-sensitive protocols used between IEDs that do not require firewall protection. You would need to justify to an auditor that the firewall latency is not acceptable for that traffic.
· Section 3.2 - dial-up connections require authentication, if the Cyber Asset is capable of it. Better yet, just update the systems and remove the dial-up.
As with all R2 requirements a plan is needed that describes how you will meet the requirements.
The electronic access controls are easy to understand but not simple to implement; the most difficult part is gathering evidence and keeping it up to date.
There are many ways to gather evidence for the electronic access requirement; they may include:
· Adding justifications to the rules on the firewall.
o This can take some time, as the existing firewall rules, if any, need to be reviewed and justifications provided.
o Once the initial justifications are recorded, new rules and their justifications can be added easily.
o The rules can be printed, or stored as PDFs, after each modification and saved as evidence.
· A database of protocols along with source and destination IP addresses allowed by the firewall.
o This is an option if the firewall cannot store justifications locally.
o Beware: The database can easily become outdated if it is not updated with each firewall change.
o Update the revision number with each change for evidence purposes.
Don’t forget that evidence needs to be retained for 3 years; this includes firewall rules, plan revisions, etc.
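As an added example (not from the original post or from NERC), here is a small Python script that applies the scoping in 3.1.i and 3.1.ii to a constructed firewall rule export and checks each in-scope rule against a justification database, flagging the outdated-database trap noted above. The rule and justification fields are assumptions about how an entity might record this evidence, and the sample rules are constructed.

```python
from dataclasses import dataclass
from datetime import date

ROUTABLE = {"tcp", "udp", "icmp"}  # serial and other non-routable links fall outside 3.1.ii

@dataclass
class Rule:
    rule_id: str
    proto: str      # "tcp", "udp", "serial", ...
    src: str        # "inside" = within the asset, "outside" = external Cyber Asset
    dst: str
    modified: date  # last change to the rule on the firewall itself

@dataclass
class Justification:
    rule_id: str
    reason: str
    revision: int   # bumped with every change, as the evidence bullet above advises
    recorded: date  # when the justification was last reviewed or updated
def in_scope(rule: Rule) -> bool:
    """3.1.i: one end-point is outside the asset; 3.1.ii: routable protocol."""
    return rule.src != rule.dst and rule.proto.lower() in ROUTABLE

def review(rules, justifications):
    """(rule_id, finding) for in-scope rules lacking a justification, or whose
    justification predates the rule's last change (the outdated-database trap)."""
    by_id = {j.rule_id: j for j in justifications}
    findings = []
    for r in rules:
        if not in_scope(r):
            continue
        j = by_id.get(r.rule_id)
        if j is None:
            findings.append((r.rule_id, "no justification recorded"))
        elif j.recorded < r.modified:
            findings.append((r.rule_id, f"justification rev {j.revision} predates rule change"))
    return findings
# Constructed sample data, not taken from any real entity or firewall.
RULES = [
    Rule("R1", "tcp", "outside", "inside", date(2019, 3, 1)),
    Rule("R2", "udp", "inside", "inside", date(2019, 3, 1)),      # both ends inside: out of scope
    Rule("R3", "serial", "outside", "inside", date(2019, 3, 1)),  # non-routable: out of scope
    Rule("R4", "tcp", "inside", "outside", date(2019, 4, 10)),
    Rule("R5", "tcp", "outside", "inside", date(2019, 2, 1)),
]
JUSTIFICATIONS = [
    Justification("R1", "SCADA polling from control center", 3, date(2019, 3, 2)),
    Justification("R4", "Historian push to corporate", 2, date(2019, 1, 15)),  # stale
]
```

Calling review(RULES, JUSTIFICATIONS) skips R2 and R3 as out of scope, flags R4 because its justification was recorded before the rule was last changed, and flags R5 as having no justification at all.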