CIP-003-7: Transient Cyber Assets and Removable Media in 2020

Image

Standard CIP-003 exists as part of a suite of Critical Infrastructure Protection (CIP) Standards related to cybersecurity that require the initial identification and categorization of BES Cyber Systems and require organizational, operational, and procedural controls to mitigate risk to BES Cyber Systems. The purpose of the standard is to specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to maloperation or instability in the Bulk Electric System (BES). When the CIP-010-2 requirements became effective for High and Medium impact assets, requiring controls for Transient Cyber Assets (TCA) and Removable Media (RM), a significant portion of the electric transmission and generation footprint was not included as part of the required controls. CIP-003-7 has begun rectifying this deficiency, as the effective date for implementation was on January 1, 2020. It is important to review how companies can align their security procedures and internal compliance program with the requirements of the standard for both the long-standing CIP-010 and new CIP-003 requirements.

Applicability and Requirements Overview

Responsible Entities with facilities that are subject to the standard must implement common controls that meet requirements for high-, medium-, and low-impact BES Cyber Systems. This greatly expands the scope of these requirements that had previously only been applicable to high- and medium-impact BES assets. The CIP-003-7 requirements impact the implementation of physical and electronic access controls for low-impact BES cyber assets. These controls specifically cover policy statements for the following:

1. Cyber Security Awareness: Each Responsible Entity shall reinforce cybersecurity practices, which may include associated physical security practices.
2. Physical Security Controls: Each Responsible Entity shall control physical access on a need basis.
3. Electronic Access Controls: The Responsible Entity shall implement electronic access controls to permit only necessary inbound and outbound electronic access.
4. Cyber Security Incident Response: Each Responsible Entity shall have one or more Cyber Security Incident response plan(s), either by asset or group of assets, which shall include procedures for identification, classification, and response to Cyber Security Incidents.
5. Transient Cyber Asset and Removable Media Malicious Code Risk Mitigation: Each Responsible Entity shall implement, except under CIP Exceptional Circumstances, one or more plan(s) to achieve the objective of mitigating the risk of the introduction of malicious code to low-impact BES Cyber Systems through the use of Transient Cyber Assets or Removable Media.

For the purposes of this post, we will focus on the requirements for TCAs and RM and specifically the controls outlined in both Attachment 1 of CIP-003-7 R2 and Attachment 1 of CIP-010-3 R4.

What is TCA and RM?

According to NERC’s Glossary of Terms, a Transient Cyber Asset is a cyber asset that is capable of transmitting or transferring executable code, is not included in a BES Cyber System, is not a Protected Cyber Asset (PCA), and is directly connected (e.g., using Ethernet, serial, USB, or wireless, including near field or Bluetooth communication) for 30 consecutive calendar days or less to a BES Cyber Asset. Examples include, but are not limited to, cyber assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes. So what is typically identified by asset owners as TCAs, you ask? Well, it depends. Most commonly identified (especially in substation environments) are laptops used by protection controls engineers to perform configuration and testing of system protection relays. Less commonly, some organizations have identified diagnostic and testing equipment, such as power system simulators for testing relays and schemes. Furthermore, Removable Media is defined as storage media that are not Cyber Assets; are capable of transferring executable code; can be used to store, copy, move, or access data; and are directly connected for 30 consecutive calendar days or less to a BES Cyber Asset. Examples include, but are not limited to, floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolatile memory.

What are the requirements for Low Impact BCS?

To mitigate the risk of inserting malicious code into a low impact BES Cyber System, responsible entities must document – provide evidence – that applicable portable devices connected to assets with Electronic Security Perimeters – things like control systems, microprocessor relays, etc. – have been verified free of malicious code prior to connection. Attachment 1, Section 5 of the CIP-003-7 standard provides two different scenarios for verifying that TCAs are free of malicious code based on if they are managed by the responsible entity or by a third-party entity. Section 5 grants the responsible entity flexibility to determine the method that achieves the objective of mitigating the risk of the introduction of malicious code to low impact BES Cyber Systems. The means of verifying the mitigation of the introduction of malicious code to a low-impact BES Cyber System differs depending on whether a TCA is managed by the responsible entity in an ongoing or an on-demand manner. The verification for a TCA managed in an ongoing manner focuses on the process of preventing malware from being introduced to the Transient Cyber Asset. On the other hand, the verification for a TCA managed in an on-demand manner focuses on the process used to ensure the TCA may be safely used in a low-impact BES Cyber System environment prior to such use. If the TCA is managed in both an ongoing and an on-demand manner, then both verification techniques should be employed. Either way, the responsible entity must provide evidence that appropriate actions have taken place to mitigate the risk. Examples of evidence may include but are not limited to documentation of the methods used to mitigate the introduction of malicious code, application of whitelisting practices, processes to restrict communication, or other methods to mitigate the introduction of malicious code. If the TCA is managed by a third-party, example of evidence may include but are not limited to documentation from change management systems the third-party other than the antivirus update process, the use of application whitelisting, and use of live operating systems or system hardening performed by the party.

What are the requirements for High and Medium Impact BCS?

Attachments 1 and 2, like the requirements outlined under CIP-003 for Low Impact BCS, also provide two different scenarios for verifying the security posture of TCAs. They're based on if they are managed by the responsible entity or by a third-party entity. They have many more components that go beyond just ongoing management and malicious code prevention. These additional controls include:

1. Authorization for use by individual, group or role; locations individually or by group and; uses, which have to be limited to what is necessary to perform business functions (Section 1, part 1.2)
2. Software vulnerability mitigation (Section 1, part 1.3)
3. Unauthorized use mitigation

For RM, the notable addition is to require authorization for use, not unlike #1 above. The following table should help to make it more clear all the differences by impact rating for TCAs and RM.

How can you achieve compliance?

The top priority for those working with ICS in the power industry has always been reliability. However, with cyber incidents on the rise, the security of IT assets on which the BES depends has become critical because a cybersecurity incident can result in loss of reliability and impact physical safety. NERC-registered entities always need to be audit-ready and must determine how to best address the standard’s requirements. At the same time, the time-consuming, complex task of meeting NERC CIP compliance must not distract IT and operations staff from their primary focus: ensuring the reliability of the bulk electric system. NERC CIP compliance requires registered entities to establish a set of controls and processes, continuously monitor those processes, and produce detailed evidence of these activities in an audit. Power companies can efficiently and confidently protect their assets from potential threats—malicious or unintended—and maintain reliability and compliance through:

• Continuous Monitoring to continuously collect detailed status information on all your critical cyber assets and immediately detect any changes.
• Situational Awareness to automatically aggregate and analyze your security data and alert on suspicious events or modifications that impact your compliance status.
• Risk Management and Efficient Response through asset tag management to flexibly and easily tag your critical assets based on Impact Rating, associated BES System, Role, Owner, Location, etc., and have them automatically inherit the appropriate security control and classifications.
• Audit-ready Evidence to quickly generate reports and dashboards that fully document your compliance with security controls and processes by CIP requirements.
• Network Visibility via active and passive means to identify not only the critical infrastructure assets being protected but potential threats that are acting maliciously or anomalously.

The Tripwire NERC Solution Suite helps meet those demands with a tailored package of products and expertise. The Suite offers electric utilities a tailored package that helps automate and simplify NERC CIP compliance. It uses standard Tripwire products and supplements them with NERC-specific extensions and content that includes tailored reports, dashboards, correlation rules, scripts, utilities, tools and templates. You can learn more about how Tripwire can help you by reading this solution brief.