In this seventh blog installment on NERC CIP Low Impact BES Cyber Systems (BCS) requirements, I’ll cover the physical security controls necessary for successfully implementing these BCS requirements.
CIP-003-6, Requirement R2, Attachment 1, Section 2 — indicates that physical security must be applied to the BCS requirements and any Low Impact BCS Electronic Access Points (LEAP) at the facility. The security control can be employed at the BES asset level using methods including fences, gates and other types of perimeter defenses, or specifically at the location of the BCS and LEAP, or a combination of those two approaches for a layered defense strategy.
An important aspect to consider for LEAP implementation is that, while the device containing the LEAP could be remote to a BES assets, it must still be protected per the requirement. It’s also possible that a remote LEAP might be located at a higher impact rated BES asset, so careful attention should be made to determine if the LEAP device is truly a Low Impact BES Cyber Asset (BCA), and whether the BCA in question takes on the requirements of the higher impact BES asset due to its BES asset connectivity.
Burns & McDonnell has received many questions on what needs to be considered for BES physical security implementation, and the simplest answer is anything that will protect the BCS and LEAP from unauthorized access. At a minimum, a lock and key system for an enclosure containing the devices is sufficient as long as the enclosure is only accessible to the appropriate individuals. In many cases we have reviewed existing protections at utility facilities and indicated that their current plan would meet requirements with little to no additional modifications necessary as long as they were properly documented.
Access Based on Need
There have been many questions surrounding part of the requirement text for Physical Security Controls that states “based on need as determined by the responsible entity,” specifically, what does “based on need” mean and how do utilities indicate that it’s covered in their plans. Recent presentations from NERC on Auditing Low Impact BES Cyber Systems and Regional Entity outreach workshops provide more insight into what “based on need” indicates:
- What is the need for the personnel to have access to the BCS or location where the BCS are housed?
- How did you determine which personnel need this access?
The above indicates an Entity will be required to indicate why personnel are allowed access to the BCS or locations they are housed, and how that need was determined. One example of this is control houses that contain digital relays identified as BCS. An Entity could indicate in their plan that access to the control house and the BCS is based on the job tasks executed at the substations by technicians qualified to complete those tasks.
Piloting of selected controls at representative facilities have been helpful in discovering potentially costly errors before they were replicated to all facilities. These discovered errors ranged from technical issues not seen during the conceptual design phase, which resulted in a change in approach or hardware, to not being procedurally sustainable with site staff, impacting the use of the controls in meeting the intended protections.
As noted in the first and third articles in this series, the Low Impact Cyber Security Awareness and Cyber Security Incident Response Plans must be in place April 1, 2017, regardless of whether or not they are fully implemented. If during implementation, plan modifications become necessary, documentation should be updated with all revisions retained to demonstrate continued coverage during the entire audit period.
If you have any questions on how to approach the Physical Security Controls aspect of these regulations, Burns & McDonnell recommends contacting our peer Registered Entities, or Regional Entity. Burns & McDonnell is also capable of assisting Entities based on our years of experience with the CIP Standards and helping Entities with the High, Medium and Low Impact BCS CIP Program implementations.
Future articles will cover additional physical security controls and what is currently known about the audit approach. Until that article the following information may be of assistance in your Low Impact BCS research and implementation efforts:
- My previous posts for the NERC CIP Low Impact Requirement article series:
- Burns & McDonnell will host our second annual Power Utility Security & Compliance Symposium August 8-9, 2016, which will cover several subjects related to Low Impact BCS.
Michael C. Johnson is a member of the Compliance & Information Protection Group at Burns & McDonnell. He provides cybersecurity and NERC CIP compliance consulting to generation, transmission and distribution entities.