1. Brent Castagnetto, CBRM, CBRA, MABR Manager, Cyber Security Audits
CAR-005 and CIP-006 “Diet” ESP Audit Approach
WECC Open Webinar
February 21st 2013

2. Agenda
CAR-005 Audit Approach
CIP-006 R2.2 PACS “Diet” ESP

3. What is CAR-005? NERC CIP-005 Compliance Analysis Report.
Posted in May 2012
Intended to provide practical information and suggestions surrounding CIP-005

4. What is CAR-005?
Specific issues were raised related to non routable communication beyond ESP boundaries. (See pages 11 & 12)
What is the current WECC approach on CAR-005?

5. CAR-005 Audit Approach, Know Thy Self
Front End Processors (FEP) that are serially connected directly to field devices that an entity owns and or operates may not be considered Access Points under Version 3 of CIP-005.
Know the backend architecture of your ICS network!

6. CAR-005 Audit Approach, Know Thy Self
It may be necessary to classify Front End Processors as Cyber Assets within your ESP.
Know the backend architecture of your ICS network!

7. CAR-005 Audit Approach
ICS components with serial and/or dial-up interfaces may be Access Points:
- A Front End Processor (FEP) or CCA serially connected to a component of another network beyond your control (e.g., another entity)
- A FEP or media converter device that uses the internet (e.g. IP; VPN, SSL) to communicate
Know the backend architecture of your ICS network!

8. CAR-005 Audit Approach Inquiring minds want to know!
During an audit the WECC Cyber Security Team will ask questions about each entities back end non-routable architecture. CIP-005 sub teams will work with you during the offsite and onsite weeks to understand all communication paths traversing your ESP

10. PACS “Diet” ESP CIP-006-3 R2.2 CIP-006-3 R2.2 reads:
Cyber Assets that authorize and/or log access to the Physical Security Perimeter(s) shall be afforded the protective measures specified in Standard CIP R2 and R3.

11. ESP Diet ESP PACS “Diet” ESP CIP-006-3 R2.2
“Diet” or “Sugar Free” drinks are missing something. Some people say you have the same taste, but none of the sugar.
“Diet” ESP requires compliance with CIP-005 R2 & R3
ESP
Diet ESP

12. PACS “Diet” ESP CIP-006-3 R2.2 CIP-005-3 R2 reads:
The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s)
R2.4 states specifically:
Where external interactive access into the Electronic Security Perimeter has been enabled, the Responsible Entity shall implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party, where technically feasible.

13. PACS “Diet” ESP CIP R2.2
NERC FAQ on CIP-005 clarifies what is intended as “strong procedural or technical controls”
Strong technical and procedural controls normally require use of at least two of the following three factors: (1) something the person knows, (2) something the person has, and (3) something the person is. “What a person knows” is typically a password, pass phrase or some personal identification number (PIN). “What a person has” is typically a physical device such as an electronic authentication token or smart card, and “what a person is” is usually some biometric characteristic such as a fingerprint or iris pattern.
NERC CIP-005 FAQ pg. 7

14. PACS “Diet” ESP CIP R2.2
PACS “Diet” ESP Example diagram

15. References NERC CIP-005 Compliance Analysis Report
NERC Industry Advisory: remote access guidance (2011). Retrieved from the North American Electric Reliability Corporate website on January 7, 2012, from,
NERC Guidance for Secure Interactive Remote Access (2011). Retrieved from the North American Electric Reliability Corporate website on January 7, 2012, from,
NERC CIP-005 FAQ
NERC CIP-005 Compliance Analysis Report
WECC_SLC CIP-101_CIP-005_JA
*Links retrieved 2/19/2012

16. Questions? Brent Castagnetto, CBRM, CBRA, MABR
Manager, Cyber Security Audits
Western Electricity Coordinating Council
Office: