3What is CAR-005? NERC CIP-005 Compliance Analysis Report. Posted in May 2012Intended to provide practical information and suggestions surrounding CIP-005
4What is CAR-005?Specific issues were raised related to non routable communication beyond ESP boundaries. (See pages 11 & 12)What is the current WECC approach on CAR-005?
5CAR-005 Audit Approach, Know Thy Self Front End Processors (FEP) that are serially connected directly to field devices that an entity owns and or operates may not be considered Access Points under Version 3 of CIP-005.Know the backend architecture of your ICS network!
6CAR-005 Audit Approach, Know Thy Self It may be necessary to classify Front End Processors as Cyber Assets within your ESP.Know the backend architecture of your ICS network!
7CAR-005 Audit ApproachICS components with serial and/or dial-up interfaces may be Access Points:- A Front End Processor (FEP) or CCA serially connected to a component of another network beyond your control (e.g., another entity)- A FEP or media converter device that uses the internet (e.g. IP; VPN, SSL) to communicateKnow the backend architecture of your ICS network!
8CAR-005 Audit Approach Inquiring minds want to know! During an audit the WECC Cyber Security Team will ask questions about each entities back end non-routable architecture. CIP-005 sub teams will work with you during the offsite and onsite weeks to understand all communication paths traversing your ESP
10PACS “Diet” ESP CIP-006-3 R2.2 CIP-006-3 R2.2 reads: Cyber Assets that authorize and/or log access to the Physical Security Perimeter(s) shall be afforded the protective measures specified in Standard CIP R2 and R3.
11ESP Diet ESP PACS “Diet” ESP CIP-006-3 R2.2 “Diet” or “Sugar Free” drinks are missing something. Some people say you have the same taste, but none of the sugar.“Diet” ESP requires compliance with CIP-005 R2 & R3ESPDiet ESP
12PACS “Diet” ESP CIP-006-3 R2.2 CIP-005-3 R2 reads: The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s)R2.4 states specifically:Where external interactive access into the Electronic Security Perimeter has been enabled, the Responsible Entity shall implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party, where technically feasible.
13PACS “Diet” ESP CIP R2.2NERC FAQ on CIP-005 clarifies what is intended as “strong procedural or technical controls”Strong technical and procedural controls normally require use of at least two of the following three factors: (1) something the person knows, (2) something the person has, and (3) something the person is. “What a person knows” is typically a password, pass phrase or some personal identification number (PIN). “What a person has” is typically a physical device such as an electronic authentication token or smart card, and “what a person is” is usually some biometric characteristic such as a fingerprint or iris pattern.NERC CIP-005 FAQ pg. 7
14PACS “Diet” ESP CIP R2.2PACS “Diet” ESP Example diagram
15References NERC CIP-005 Compliance Analysis Report NERC Industry Advisory: remote access guidance (2011). Retrieved from the North American Electric Reliability Corporate website on January 7, 2012, from,NERC Guidance for Secure Interactive Remote Access (2011). Retrieved from the North American Electric Reliability Corporate website on January 7, 2012, from,NERC CIP-005 FAQNERC CIP-005 Compliance Analysis ReportWECC_SLC CIP-101_CIP-005_JA*Links retrieved 2/19/2012