A previous blog post introduced NERC CIP 003-7 and provided an overview of this standard. It also identified January 1, 2020 as the deadline for when organizations must be able to demonstrate their compliance with CIP 003-7. In anticipation of this date, this blog post will revisit the standard’s four requirements and five sections in Attachment 1, while offering specific recommendations on how organizations can comply with the standard going forward.
When developing a cyber security policy(ies), Responsible Entities need to do several things:
- Look to their management structure and operating conditions for inspiration.
- Use these elements to craft a comprehensive policy or set of policies that cover(s) all nine subject matter areas required for High and Medium Impact BES Cyber Systems (BCSs) and all five subject matter areas for Low Impact BCSs.
- Alternatively, craft a single umbrella policy that uses lower level documents to address all applicable subject matter areas.
- Frame the security policies in a way that applies to all three impact ratings of High, Medium and Low Impact BCSs.
Overall, Responsible Entities should use CIP-003-7 merely as a starting point for their security policies. As NERC explains in its documentation:
Responsible Entities are encouraged not to limit the scope of their cyber security policies to only those requirements in NERC cyber security Reliability Standards, but to develop a holistic cyber security policy appropriate for its organization. Elements of a policy that extend beyond the scope of NERC’s cyber security Reliability Standards will not be considered candidates for potential violations although they will help demonstrate the organization’s internal culture of compliance and posture towards cyber security.
This documentation goes into further detail about the security measures that Responsible Entities must apply to their Low Impact BCSs, as well as the controls that were previously applicable to High and Medium Impact BCSs.
For those Responsible Entities that maintain Low Impact BCSs, Attachment 1 of CIP-003-7 provides a list of five sections that should appear in Responsible Entities’ cyber security plans. These are as follows:
1. Cyber Security Awareness
- Use a cyber security awareness program to reinforce best security practices with its workforce every 15 months.
- Document that awareness materials were distributed and be able to explain the channels used to disseminate that information.
While there’s no requirement to maintain lists of employees who received the awareness modules, it is recommended that mailing lists, attendance sheets, and/or other records of awareness receipt are maintained as supplemental evidence artifacts, if possible.
2. Physical Security Controls
Under Section 2 of Attachment 1, Responsible Entities must control physical access, based on need, to (1) assets or locations of Low Impact BCSs and (2) assets that provide electronic access controls to Low Impact BCSs. Towards this purpose, organizations can do the following:
- Apply some form of security measures including access controls (card readers, high security keys), monitoring controls, or perimeter controls, like fences, guards and locked gates
- Monitoring need not consist of logging and maintain logs, however; it can consist of other methods such as door alarms and human observation.
- Consider documenting the types of controls that were implemented. This may include attestations from physical security SMEs or the individual(s) installing the controls, screen shots from the technical mechanism/toolset used to enforce the control (if applicable), as well as pictures or other such evidence that depicts the physical control having been implemented at the site. Conversely, if procedural controls were used, documentation of those controls would also be sufficient.
3. Electronic Access Controls
Responsible Entities must implement boundary protections for Low Impact BCSs when those systems have bi-directional routable protocol communication or dial-up connectivity to external assets. Some things to keep in mind include the following:
- Electronic access controls themselves are meant to control the communication that reaches the Low Impact BCSs and may be susceptible to potential threats.
- If such connectivity is non-existent , Responsible Entities can simply document this in their cyber security plans.
- The Entity must ensure that only necessary inbound and outbound connections are permitted wherever a routable protocol is used. The same protections must be afforded to communications between a Low Impact BCS and a Cyber Asset containing a Low Impact BCS. If these communications are used for time-sensitive protection or control functions between intelligent devices, these controls are not applicable, and this should be documented as such in the cyber security plan.
- For any dial-up accessible assets, a form of authentication must be used if that asset accesses Low Impact BCSs. If the Cyber Asset in question is unable to perform authentication due to technical limitations, this should be documented.
- Document these controls in the form of diagrams that illustrate the allowance of these particular connections. Specific documentation that depict allowable or necessary ports and services or even access control lists that restrict specific Internet Protocols (IPs) is also acceptable.
4. Cyber Security Incident Response
It’s important for Responsible Entities to have a cyber security incident response plan that they can use to respond to and report incidents should they develop into a Reportable Cyber Security Incident. Here’s how organizations can best organize their efforts around this topic:
- Develop plans that pertain to certain assets or groups of assets or simply create a single enterprise-wide plan that includes Low Impact BCSs. The plan can be straightforward and should include all fundamental components of incident response, such as roles and responsibilities, identification, classification, and notification to appropriate parties.
- Be sure to test these devised strategies at least once every 36 months.
- Actual reportable security incidents, tabletop drills and NERC-led exercises such as GridEx count towards these experiences.
- Lastly, put a mechanism in place to update your plan based on lessons learned every time a test is performed, or an actual incident recovery takes place. Not only will this strengthen the plan, but it will also improve response capabilities. Remember though – these updates must occur within 180 days after the test or incident.
5. Transient Cyber Asset and Removable Media Malicious Code Risk Mitigation
As we know, the transference of executable code, whether through portable media or via connection to another Cyber Asset, inherently increases the likelihood of malicious code propagation throughout the environment. In order to reduce the chance of this happening, organizations need to establish a plan(s) that mitigates these risks.
- If your organization manages the Transient Cyber Assets (TCAs), develop a process to fight malicious code infiltration by applying application whitelisting or implementing an Antivirus solution that receives manually deployed signature updates.
- Obtain documentation from the vendor, if the TCA is unable to support the installation of these technologies.
- Practices need to be established to review the antivirus update level, process used to update the antivirus level, application whitelisting process, or usage of read-only media to review the executable, if the TCAs are managed by a party other than the Entity. This review must take place every time a TCA is to be connected to the Low Impact BCS and accompanied by documentation that confirms the existence of this review process (i.e. email communications, procedures that capture the review process, change management documents, etc.).
- Organizations need to ensure that Removable Media (RM) is free of malicious code prior to connecting the RM to a Low Impact BCS. As such, the RM should first be connected to a non-BCS Cyber Asset that is capable of detecting and mitigating any discovered malicious code. The antivirus tool should be configured to either use on-demand scanning or to scan the RM upon connection to the Cyber Asset. Additionally, the logs generated from these scans should be saved as evidence that the scan and removal occurred.
- This process is both manual and automatic. As such, comprehensive documentation in the form of procedural controls is imperative to ensure adequate enforcement of these practices.
This particular Requirement remains unchanged from prior versions of CIP-003. As noted in the previous blog post, Responsible Entities can achieve compliance with this Requirement by simply following their pre-existing Senior Manager documentation processes. When identifying a CIP Senior Manager, it is important to note that the individual plays a key part in the following:
- Working with Subject Matter Experts (SMEs) to develop the cyber security policy.
- Approving the cyber security policy. (This duty cannot be delegated.)
- Overseeing the creation and tuning of internal controls.
- Serving as the main representative of the CIP compliance program to the organization’s executives and board.
- Managing external relationships with Regions and NERC.
Responsible Entities may document appropriate instances of delegation by the CIP Senior Manager through one policy or several policies. Here are some important things to keep in mind:
- Keep delegation documentation updated within 30 days of any delegation changes. Not only is this required, but it also helps ensure individuals don’t inadvertently or assume undocumented authority.
- Frame policies in terms of job roles and not individuals. Doing so will prevent Responsible Entities from needing to change their existing documentation if someone in the role of delegate to the CIP Senior Manager leaves.
Clearly, there’s a lot that goes into achieving compliance with CIP-003-7. That’s why organizations should consider streamlining their efforts by building a program with a trusted provider who has a proven track record of helping organizations meet their CIP-003 compliance goals. Learn how ITEGRITI can help in that regard.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Itegriti, Inc.