3 NERC CIP-005 Compliance Analysis Report. o Posted in May 2012 o Intended to provide practical information and suggestions surrounding CIP-005 What is CAR-005?
4 Specific issues were raised related to non routable communication beyond ESP boundaries. (See pages 11 & 12) What is the current WECC approach on CAR- 005? What is CAR-005?
5 Front End Processors (FEP) that are serially connected directly to field devices that an entity owns and or operates may not be considered Access Points under Version 3 of CIP-005. Know the backend architecture of your ICS network! CAR-005 Audit Approach, Know Thy Self
6 It may be necessary to classify Front End Processors as Cyber Assets within your ESP. Know the backend architecture of your ICS network! CAR-005 Audit Approach, Know Thy Self
7 ICS components with serial and/or dial-up interfaces may be Access Points: - A Front End Processor (FEP) or CCA serially connected to a component of another network beyond your control (e.g., another entity) - A FEP or media converter device that uses the internet (e.g. IP; VPN, SSL) to communicate Know the backend architecture of your ICS network! CAR-005 Audit Approach
8 Inquiring minds want to know! During an audit the WECC Cyber Security Team will ask questions about each entities back end non-routable architecture. CIP-005 sub teams will work with you during the offsite and onsite weeks to understand all communication paths traversing your ESP CAR-005 Audit Approach
10 CIP R2.2 reads: Cyber Assets that authorize and/or log access to the Physical Security Perimeter(s) shall be afforded the protective measures specified in Standard CIP R2 and R3. PACS Diet ESP CIP R2.2
11 Diet or Sugar Free drinks are missing something. Some people say you have the same taste, but none of the sugar. Diet ESP requires compliance with CIP- 005 R2 & R3 PACS Diet ESP CIP R2.2
12 CIP R2 reads: The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s) R2.4 states specifically: Where external interactive access into the Electronic Security Perimeter has been enabled, the Responsible Entity shall implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party, where technically feasible. PACS Diet ESP CIP R2.2
13 NERC FAQ on CIP-005 clarifies what is intended as strong procedural or technical controls Strong technical and procedural controls normally require use of at least two of the following three factors: (1) something the person knows, (2) something the person has, and (3) something the person is. What a person knows is typically a password, pass phrase or some personal identification number (PIN). What a person has is typically a physical device such as an electronic authentication token or smart card, and what a person is is usually some biometric characteristic such as a fingerprint or iris pattern. NERC CIP-005 FAQ pg. 7 PACS Diet ESP CIP R2.2
15 NERC Industry Advisory: remote access guidance (2011). Retrieved from the North American Electric Reliability Corporate website on January 7, 2012, from, Remote_Access_Guidance-Final.pdf Remote_Access_Guidance-Final.pdf NERC Guidance for Secure Interactive Remote Access (2011). Retrieved from the North American Electric Reliability Corporate website on January 7, 2012, from, Guidance_for_Secure_Interactive_Remote_Access.pdf Guidance_for_Secure_Interactive_Remote_Access.pdf NERC CIP-005 FAQ NERC CIP-005 Compliance Analysis Report WECC_SLC CIP-101_CIP-005_JA *Links retrieved 2/19/2012 References
Brent Castagnetto, CBRM, CBRA, MABR Manager, Cyber Security Audits Western Electricity Coordinating Council Office: Questions?