In this sixth blog installment on successfully implementing the NERC CIP Low Impact BES Cyber Systems (BCS) requirements, I’ll cover the requirements for electronic access controls.
CIP-003-6, Requirement R2, Attachment 1, Section 2 — the Electronic Access Controls section of the CIP requirements — indicates that a facility, or BES asset, with Low Impact External Routable Connectivity (LERC) is required to implement a Low Impact BES Cyber System Electronic Access Point (LEAP), and, if there is Dial-up connectivity, to implement authentication per the Cyber Asset's capabilities. The following sections will cover the basics of those requirements.
LERC has been an area of confusion, largely because of the word “direct” in its definition, so FERC ordered clarification in Order 822. The simplest determination of LERC is to determine whether a routable connection (i.e. TCP/IP) comes into the BES asset and externally connects a Cyber Asset to a BCS inside that BES asset. CIP-003-6 contains a series of reference models demonstrating what is considered “direct” communication — connections that result in LERC — and when LERC is not present due to breaks in the routable communications protocol. Burns & McDonnell’s experience to date indicates most connections are “direct” and qualify as LERC, but there are always exceptions in each unique project case. If you’re unsure, it is recommended to get input from a knowledgeable resource.
When LERC has been determined, a LEAP must be implemented in order to permit only necessary traffic to the BCS. If the BCS is on the same network as other non-BCS Cyber Assets, an Entity will have to take special care to limit the non-BCS traffic as part of the inbound and outbound rules for the entire BES asset. Burns & McDonnell recommends that BCS and non-BCS Cyber Assets be segmented, both as a best security practice and to future-proof the BES asset against possible changes in the standard. A LEAP can be located at the BES asset, as demonstrated in Reference Model #1 of CIP-003-6, or remote from the BES asset, as demonstrated in Reference Model #3 of CIP-003-6. For all permitted traffic, Regional Entities have indicated they are expecting justifications for why the traffic is “necessary,” similar to what is done for High/Medium Impact BCS under CIP-005-5, Requirement R1, Part 1.3.
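To make the LEAP expectations above concrete, here is an added example (not code from the original post or from Burns & McDonnell) of a small rule-set checker an Entity could run against its own LEAP configuration before an audit. It checks the points the paragraph raises: every permitted flow carries a written justification, permitted traffic actually involves the BCS rather than co-located non-BCS assets, overly broad “any” rules are flagged, and each direction ends in an explicit deny. The rule format, the BCS subnet, the addresses and the justification text are all constructed for illustration and are not taken from any real BES asset.

```python
"""Added example: a checker for a LEAP (Low Impact BES Cyber System Electronic
Access Point) permit/deny rule set. Rule format, subnets and justification text
are constructed for illustration, not from any real entity's configuration."""
import ipaddress
from dataclasses import dataclass

# Hypothetical BCS subnet inside the BES asset (constructed value).
BCS_SUBNET = ipaddress.ip_network("10.50.1.0/24")


@dataclass
class Rule:
    direction: str           # "inbound" (toward the BES asset) or "outbound"
    action: str              # "permit" or "deny"
    src: str                 # CIDR block or "any"
    dst: str                 # CIDR block or "any"
    port: str                # e.g. "tcp/20000", or "any"
    justification: str = ""  # why this traffic is necessary (required for permits)


def _in_bcs(cidr: str) -> bool:
    """True if the address block lies entirely inside the BCS subnet."""
    if cidr == "any":
        return False
    return ipaddress.ip_network(cidr).subnet_of(BCS_SUBNET)


def audit_leap_rules(rules):
    """Return a list of finding strings; an empty list means the rule set passes."""
    findings = []
    for direction in ("inbound", "outbound"):
        dir_rules = [r for r in rules if r.direction == direction]
        # Each direction must close with an explicit deny so nothing is allowed by default.
        if not dir_rules or dir_rules[-1].action != "deny":
            findings.append(f"{direction}: rule set does not end in an explicit deny")
        for i, r in enumerate(dir_rules):
            if r.action != "permit":
                continue
            tag = f"{direction} rule {i}"
            if not r.justification.strip():
                findings.append(f"{tag}: permitted traffic has no justification")
            if "any" in (r.src, r.dst) or r.port == "any":
                findings.append(f"{tag}: overly broad (any) source/destination/port")
            # Inbound permits should terminate at a BCS; outbound permits should
            # originate from one. Anything else is non-BCS traffic riding through the LEAP.
            bcs_side = r.dst if direction == "inbound" else r.src
            if not _in_bcs(bcs_side):
                findings.append(f"{tag}: permits traffic that does not involve the BCS (non-BCS asset)")
    return findings


# Constructed sample rule set: one good inbound permit, one undocumented permit to a
# non-BCS subnet, a matching outbound reply permit, and explicit denies.
SAMPLE_RULES = [
    Rule("inbound", "permit", "10.20.0.5/32", "10.50.1.10/32", "tcp/20000",
         "Control center SCADA master polls the RTU over DNP3 (constructed)"),
    Rule("inbound", "permit", "10.20.0.0/16", "10.50.2.0/24", "tcp/22", ""),
    Rule("inbound", "deny", "any", "any", "any"),
    Rule("outbound", "permit", "10.50.1.10/32", "10.20.0.5/32", "tcp/20000",
         "RTU responses to the SCADA master (constructed)"),
    Rule("outbound", "deny", "any", "any", "any"),
]


def sample_findings():
    """Run the checker over the constructed sample rule set."""
    return audit_leap_rules(SAMPLE_RULES)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

The checker is deliberately strict: a permit that is both undocumented and aimed at a non-BCS host produces two findings, one for each condition, so the Entity can fix the justification and the segmentation separately.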
Authentication for dial-up connections must be implemented per Cyber Asset capabilities, including items like dial-back to specific phone numbers, enabling the modems when required and disabling them when no longer necessary, or the use of passcodes between pre-configured devices. Through experience, we recommend replacing dial-up access with routable connections to eliminate the difficulties of implementing and maintaining dial-up authentication.
Project delays and possible conditions of non-compliance have occurred during Low Impact work related to LEAPs on vendor hardware that the Entity does not control. It has taken months to get information on the allowed traffic, if the vendor was willing to provide that information at all, because vendors consider it confidential or proprietary. There are also instances where vendors will not make configuration modifications to reduce what is allowed, creating the non-compliance condition. In most cases, the Entity has decided to take control by placing its own access control Cyber Asset in front of the vendor’s hardware, identifying it as the LEAP, and then implementing and documenting the settings to satisfy the requirements.
The Standard Drafting Team (SDT) created per FERC Order 822 is anticipated to change the definition of LERC and potentially modify what is considered “direct” communications. Burns & McDonnell is participating in the SDT meetings to understand the possible modification and will communicate this information in future blog posts.
Piloting selected controls at representative facilities has been helpful in discovering potentially costly errors before they are replicated to all facilities, including technical issues not seen during the conceptual design phase that would result in a change in approach or hardware.
As noted in the first and third articles in this series, the Low Impact Cyber Security Awareness and Cyber Security Incident Response Plans must be in place April 1, 2017, even if the controls are not fully implemented. If plan modifications become necessary during the implementation process, the documentation should be updated with all revisions to demonstrate continued coverage during the entire audit period.
If you have any questions on how to approach the Electronic Access Controls, Burns & McDonnell recommends contacting your peer Registered Entities or Regional Entity. Burns & McDonnell is also capable of assisting Entities based on our years of experience with the CIP Standards and a group of dedicated networking engineers ready to help Entities with Low Impact requirements, as well as High/Medium Impact requirements.
Upcoming articles in this series will cover additional electronic security controls and what is currently known about the audit approach. In the meantime, here’s more information that may be of assistance in your Low Impact BCS research and implementation efforts:
- My previous posts for the NERC CIP Low Impact Requirement article series:
- Burns & McDonnell will host our second annual Power Utility Security & Compliance Symposium August 8-9, 2016, which will cover several subjects related to Low Impact BCS.
Michael C. Johnson is a member of the Compliance & Information Protection Group at Burns & McDonnell. He provides cybersecurity and NERC CIP compliance consulting to generation, transmission and distribution entities.