How Secure is the ALIGN Secure Evidence Locker?

By Michael Tate, NERC Reliability Compliance Specialist

In 2014, the ALIGN tool was an inkling of an idea by NERC that has blossomed into a well-run joint venture between all the Reliability Entities and NERC. Now that ALIGN is the primary area of focus for the various Regional Entities, several inquiries around the industry have questioned the use and security of the Secure Evidence Locker (SEL) used by the application. With a combination of application encryption, evidence retention policy and NERC ERO staff practices, the ALIGN Secure Evidence Locker is the most advanced portion of the new application to date.

While the ERO Portal originally housed the MIDAS tool, there was no fear that information pertaining to PRC-004 would ever lead to a system breach for a submitting facility. However, with the requirement for all Reliability Entities to use the SEL for evidence review and submittal, a new fear has arisen from the ashes of cyber security policies everywhere. It is implied that submission of evidence such as firewall rules and IP addresses to such a portal could lead to a breach of information exposing a facility to possible hacks. This is where the SEL shines: it is not a regular submission drive where data is dumped and retained for an undefined amount of time. In fact, when you engage in an SEL data submission, ALIGN sends you to a separate secure site requiring further encryption. Then every piece of evidence uploaded is encrypted. Finally, upon submission, no piece of evidence can be extracted (downloaded); the evidence is backed up to the NERC site and falls under the destruction policies of NERC. With this in mind, the SEL was made to address the security conundrum of High Impact CIP facilities without violating the standards themselves. While its security-centric programming has most of the issues on lockdown, NERC made sure to address the most common cause of data breaches: human error.

It’s true that NERC and the Reliability Entities have tried to compensate for any possible data breaches via network security and encryption, but they took it a step further with the rules and guidance given to the auditors on its use. One way NERC addressed the security of the SEL is by blocking “copy and paste” on the auditor’s side of the process. Evidence submitted can no longer be copied into an auditor’s notes or follow-on data request. In fact, auditors, regardless of region, are no longer allowed to refer to evidence files with verbatim language (relative to the evidence in question).

NERC has issued specific guidance to all Reliability Entities in the form of the “ALIGN and SEL Data Handling” policy. This document gives examples of how the regions should ask for information by making specific references to the evidence in question rather than quoting it. For example, when questioning a firewall ruleset, NERC states, “ERO Enterprise staff may want to ask the registered entity, “Line 222 of the firewall configuration file appears to be providing overly broad access on several ports, please provide further explanation on why the ports may be open to all the allowed hosts.” This line of questioning does not specify the actual IP address nor the ports.” Meanwhile, the NERC Data Retention policy is in full play in the background of the ALIGN tool. Data submitted to the SEL specifically to address a possible noncompliance issue is subject to a 2-year retention policy and will be deleted by NERC upon crossing that threshold.
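The data-handling rule above (refer to evidence by line number, never by its contents, IP addresses or ports) is the kind of thing a reviewer can check before a data request leaves the region. The script below is an added example, not part of the article or of NERC's ALIGN tooling; the firewall lines, the two draft requests and the detection thresholds are constructed for illustration. It flags IPv4 addresses, port numbers and any run of at least 24 characters copied verbatim from the evidence, which is how a draft like the compliant NERC example passes while a pasted rule is caught.

```python
import re

# Constructed stand-in for a firewall configuration file uploaded to the SEL.
# These rules are invented for the example and describe no real network.
SAMPLE_EVIDENCE = [
    "access-list 10 permit tcp 10.20.30.0 0.0.0.255 any eq 22",
    "access-list 10 permit tcp 10.20.30.0 0.0.0.255 any eq 443",
    "access-list 10 permit ip any any",
]

# The compliant wording is the example quoted from the NERC guidance above.
COMPLIANT_REQUEST = (
    "Line 222 of the firewall configuration file appears to be providing overly "
    "broad access on several ports, please provide further explanation on why "
    "the ports may be open to all the allowed hosts."
)

# A constructed draft that leaks a rule, a network address and a port.
LEAKY_REQUEST = (
    "Please explain why `access-list 10 permit ip any any` is present, and why "
    "hosts in 10.20.30.0 may reach port 22."
)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Matches "port 22", "ports 443" or the ACL keyword form "eq 22".
PORT_RE = re.compile(r"\b(?:port|ports|eq)\s+(\d{1,5})\b", re.IGNORECASE)


def verbatim_fragments(request_text, evidence_lines, min_len=24):
    """Return the evidence lines of which a substring of at least min_len
    characters appears verbatim in the request. Sliding a window over each
    evidence line catches partial copy-paste, not only whole-line copies.
    min_len is a constructed threshold: long enough to skip generic prefixes
    such as "access-list 10 permit", short enough to catch a pasted rule."""
    text = " ".join(request_text.split())  # normalise whitespace once
    hits = []
    for line in evidence_lines:
        norm = " ".join(line.split())
        if len(norm) < min_len:
            continue
        for start in range(len(norm) - min_len + 1):
            if norm[start:start + min_len] in text:
                hits.append(line)
                break
    return hits


def check_data_request(request_text, evidence_lines):
    """Return the findings that would make a draft request non-compliant with
    the handling guidance: literal IP addresses, literal ports, and verbatim
    copies of evidence lines. Every list empty means the draft only refers to
    the evidence (for example by line number) without reproducing it."""
    return {
        "ip_addresses": sorted(set(IPV4_RE.findall(request_text))),
        "ports": sorted(set(PORT_RE.findall(request_text))),
        "verbatim": verbatim_fragments(request_text, evidence_lines),
    }


def is_compliant(findings):
    """True when no category of finding is present."""
    return not any(findings.values())


if __name__ == "__main__":
    for label, draft in (("compliant", COMPLIANT_REQUEST), ("leaky", LEAKY_REQUEST)):
        findings = check_data_request(draft, SAMPLE_EVIDENCE)
        print(label, "->", "OK" if is_compliant(findings) else findings)
```

Run it as a pre-send gate on the auditor's side: the compliant draft produces no findings, while the leaky draft reports the network address, the port and the copied rule line, each of which should be replaced by a line-number reference before the request is issued.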

It is well known that the ALIGN tool is here to stay, while all other forms of data submission and retention will be removed as regions adapt the tool to their own policies. It’s always best to stay up to date with the current state of the tool, for your specific region and for NERC overall, which can be done using the links below.