CIP-003, Maintain Control

by Chuck Holm, NERC Reliability Specialist

Forces in the power plant world will work against CIP-003 compliance if left unchecked. This article focuses specifically on physical access to cyber assets to comply with CIP-003-8 R1 1.2.2.

CIP-003-8 Attachment 1 Section 2 – Physical Security Controls: Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset, and (2) the Cyber Asset(s), as specified by the Responsible Entity, that provide electronic access control(s) implemented for Section 3.1, if any.

Personnel working in the power industry have a reputation for getting things done and are typically known for high productivity. High-performing employees can view CIP-003 requirements as working against high productivity goals.

Physical barriers using key/combo locks and electronic lock technology are often bypassed during tasks that have high visibility and short turnaround times. Personnel can view physical locks and electronic locks as hindering task completion and, in some cases, they may view the lock as a barrier to safely completing the task.

As an example, workers at a facility found that the doughnut-shaped magnet used to calibrate gas detectors could be used to override the lock in magnetically operated card locks. Use of the doughnut-shaped magnet also disabled the feature that notified corporate security if the door remained open. The magnet would be placed on doors that needed to be left accessible during the shift.

Bypassing security measures is a violation of most corporate policies and of the requirements detailed in the NERC Standard CIP-003-8. Addressing individuals knowingly bypassing security measures is best left to corporate policy. And while we follow corporate policy, we should also look at security measures and how they can encourage noncompliance.

Regarding the doughnut-shaped magnets: the facility operated with a “lone operator” overnight, on weekends, and on holidays. The lone operator was often required to leave the control room (which was card locked) and enter an engine hall to perform simple tasks, such as checking the oil level or adding water. The card key was a solid plastic (and brittle) key a little larger than a credit card. A backup control room entry system was provided. It consisted of a direct line to corporate security, and through the direct line the operator could gain access to the control room if the card key failed to open the door or if the card key was forgotten in the control room.

On more than one occasion, the operator either snapped (broke) the card key while performing tasks in the engine hall or forgot the card key when leaving – and when they tried to utilize the backup system – no one in corporate security answered the phone. On another occasion the operator was successful in reaching someone at corporate security but failed to “prove” his identity, so corporate security refused to allow the operator access to the control room. The control room was left empty while multiple engines were online – meaning that engines could not be removed from service, and load and voltage could not be adjusted.

At another facility, cyber assets were installed in a building that also housed combustion turbines. Building access was controlled by issuing “smart keys” to full-time employees; these keys had to be renewed every 30 days. Contractor “smart keys” were issued to personnel working overhauls or outside vendors needing temporary access to the building. The contractor “smart keys” only remained active during a shift and had to be reactivated each day. The big advantage of the “smart key” system was the way it tracked issued keys. The system tracked which numbered keys were issued and to whom, as well as the renewal times/dates and the area accessed using the key. The accounting system was fantastic.

However, the physical key was a bit bulky when compared to a normal key. The smart key was about the size of a modern car fob, meaning that plant maintenance staff and vendors would not keep the key in their pockets when performing maintenance, because the keys were uncomfortable when bending over or getting into the positions necessary to perform maintenance. In addition, the keys were removed from pockets when entering sensitive areas to prevent a foreign material introduction event.

In the beginning, maintenance personnel would take the smart key out of their pocket and place it on an I-beam or another location while maintenance was performed. The keys were often lost or dropped into sumps.

They eventually found a central location inside the building to place the keys. The smart keys were similar in appearance and individually numbered, but personnel did not often remember their number, so they would just grab a smart key when leaving the building. Low number keys (1-12) were issued to full-time employees and high number keys (13-30) were issued to contractors and vendors. This ended up making the tracking system useless, and in addition, vendors on occasion would grab a low number key, which gave them more access.

Managers and leaders are required to address actions that create noncompliance with regulatory requirements, and guidance is typically provided by corporate policy. But it’s important to recognize that addressing noncompliance strictly through corporate policy will not always address the root causes of noncompliance.

It took some work, but both examples cited were eventually mitigated to the satisfaction of regulatory compliance personnel and personnel required to work within the system.

In the first, a more robust card key was purchased that could handle the abuse of the engine hall. The new card could be almost bent in half and still work. Corporate security installed high resolution cameras at the backup system and even provided camera access to the plant manager, in case the plant manager was required to verify the employee’s ID.

For the second, a key tracking system was installed in the building. Plant employees were provided with a storage location containing a key hanger for each employee, labeled with the employee’s name. For vendors, it was discovered that the smart key system could print a report showing name and key number for each person. A vendor/contractor-only storage location was provided, and a new key issue report was printed daily and placed in the storage location so the vendor could check which key number they were issued when retrieving the smart key.

It’s also important to occasionally audit physical barriers. Some managers have found at least one physical barrier secretly bypassed during every outage.

Be safe and remember that NAES NERC will always be here to help brainstorm and address gaps in your cyber security programs.