Low Impact Electronic Protections Go Beyond NERC CIP-003 Standards

by Allen Kent – NERC CIP Reliability Specialist, NAES Corporation

An electronic attack on a power generation facility is much more likely than a physical attack. Hackers know that they’re less apt to be caught than someone physically assaulting the plant, and they can launch the attack from literally anywhere. The most obvious vector of electronic attack for any business is its connection to the Internet.

Over 90 percent of such attacks have come via malware attached or linked to an email – what we call spam, phishing or spear phishing – or from malware downloaded during Internet browsing, i.e., a ‘drive-by download.’ Once it has passed the perimeter firewall and gotten inside the network, it can spread laterally to other systems much more easily.

Eventually, that malware could get to your protected BES Cyber Systems (BCS) or BES Cyber Assets (BCA). This can all be done behind the scenes without detection by the user, administrator or antivirus software. It’s estimated that hackers had gotten inside the U.S. Office of Personnel Management’s network more than a year before the breach was discovered in June 2015.

CIP-003-6 requires the following of a responsible entity:

  1. For Low Impact External Routable Connectivity (LERC) – in other words, a BCA with remote access – implement a Low Impact BES Cyber System Electronic Access Point (LEAP) – i.e., a firewall – to permit only necessary inbound and outbound bi-directional routable protocol access (3.1);
  2. For all dial-up connectivity, implement authentication that provides access to Low Impact BES Cyber Systems, per Cyber Asset capability (3.2).

This effectively means that responsible entities will be required to have a perimeter firewall that allows only required inbound and outbound traffic – which provides the bare minimum of protection. (I’ll address the dial-up requirements another time; ideally, you simply don’t allow dial-up on your network in the first place.)

These requirements do not take effect until September 1, 2018, so Low Impact responsible entities have time to develop and implement a comprehensive plan. If an entity has deployed a perimeter firewall that limits unnecessary connections in both directions – which anyone connected to the Internet should already have – then it may have met this part of the CIP-003 requirement already.

However, such an entity is still far from ‘secure’ in this scenario. Good cyber security requires additional measures. Knowing what you have on your network is a good first step in defending against an electronic security breach. This means having an accurate list of all Cyber Assets – especially those connected to a network – and knowing which can have an impact on your plant (i.e., which are BCAs). An accurate network topology diagram helps identify the network perimeter and low impact electronic access points (LEAPs). Identifying and limiting remote-access connections to your cyber assets – via the internet or dial-up – is important to ensuring that these avenues of attack have been properly protected.

Finally, segmenting your business network from your plant controls network(s) with a secondary firewall will help limit the risk of a lateral attack. Ideally, Cyber Assets in the protected/controls networks would not be accessed from outside of the asset (inbound or ingress) or be allowed to access systems outside the asset (outbound or egress).

This doesn’t mean air-gapping, although that is an effective electronic control. It means allowing only specific and limited communications through the controls network firewall. To demonstrate compliance, it’s most helpful to furnish an exported access control list from each firewall and a justification statement for each rule in the list.
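The "exported ACL plus a justification for every rule" evidence described above lends itself to an automated review before an audit. The following script is an added example written for this article, not code from the author, NAES or any firewall vendor: it reads a constructed, generic CSV export of firewall rules (real products use their own export formats and would need their own parser), cross-checks each rule against a justification register, flags permit rules that use 'any' for source, destination or port (the opposite of "only necessary" traffic), reports justifications that refer to rules no longer in the list, and confirms the list ends with an explicit deny-all. All rule ids, addresses and justification text are constructed sample data.

```python
"""Review an exported firewall ACL against the 'every rule justified,
only necessary traffic permitted' expectation from CIP-003.

Added example for this article. The CSV layout, rule ids, addresses and
justification register are constructed; real firewall exports differ.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export: one rule per line, evaluated top to bottom.
ACL_EXPORT = """\
id,action,direction,src,dst,proto,dport
10,permit,inbound,10.20.5.0/24,10.50.1.10,tcp,502
20,permit,inbound,any,10.50.1.20,tcp,3389
30,permit,outbound,10.50.1.0/24,10.20.7.5,udp,123
40,permit,outbound,10.50.1.0/24,any,any,any
50,deny,inbound,any,any,any,any
"""

# Constructed justification register, keyed by rule id. Rules 20 and 40
# deliberately have no entry so the review has something to report.
JUSTIFICATIONS = {
    "10": "Historian subnet 10.20.5.0/24 polls PLC 10.50.1.10 over Modbus/TCP.",
    "30": "Controls hosts sync time with plant NTP server 10.20.7.5.",
    "50": "Explicit default deny for all other inbound traffic.",
}


@dataclass
class Finding:
    rule_id: str      # "-" for list-wide findings
    severity: str
    message: str


def parse_acl(text):
    """Parse the constructed CSV export into a list of rule dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def default_deny_present(rules):
    """True when the last rule is an explicit deny of any source to any destination."""
    if not rules:
        return False
    last = rules[-1]
    return last["action"] == "deny" and last["src"] == "any" and last["dst"] == "any"


def review_acl(rules, justifications):
    """Return the list of compliance findings for one exported ACL."""
    findings = []
    seen = set()
    for r in rules:
        rid = r["id"]
        seen.add(rid)
        # Every rule needs a documented reason for existing.
        if rid not in justifications:
            findings.append(Finding(rid, "high", "no justification statement on record"))
        # A permit that matches 'any' is broader than 'only necessary' traffic.
        if r["action"] == "permit":
            wild = [f for f in ("src", "dst", "dport") if r[f] == "any"]
            if wild:
                findings.append(Finding(rid, "high",
                                        "permit rule uses 'any' for " + ", ".join(wild)))
    # Justifications that outlive their rule indicate a stale register.
    for rid in justifications:
        if rid not in seen:
            findings.append(Finding(rid, "low",
                                    "justification refers to a rule not present in the export"))
    if not default_deny_present(rules):
        findings.append(Finding("-", "high", "list does not end with an explicit deny-all rule"))
    return findings


def findings_by_rule(findings):
    """Group finding messages by rule id for reporting."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.rule_id, []).append(f"[{f.severity}] {f.message}")
    return grouped


if __name__ == "__main__":
    acl = parse_acl(ACL_EXPORT)
    for rule_id, messages in findings_by_rule(review_acl(acl, JUSTIFICATIONS)).items():
        for msg in messages:
            print(f"rule {rule_id}: {msg}")
```

Run once per firewall export (perimeter and controls-network firewall alike) and keep the output with the justification register; an empty report is the evidence an auditor wants, and a non-empty one is the work list for tightening rules or documenting why they exist.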
