NERC’s critical infrastructure protection standards ambiguous, unclear: analysts

Tom Alrich, a NERC-CIP expert, is also uncertain about the most recent CIP version. He posted to his blog in September 2013, “I have come to realize that the biggest problem in the NERC-CIP universe now is the fact that there has been so much uncertainty for so long about the next CIP version.” Alrich fears that even as Version 5 gains approval, NERC, in an effort to address problems with Version 5, will issue CIP Version 6, which will terminate Version 5.

Compliance does not equal security
NERC considers CIP Version 5 to be a significant improvement because of ten new or upgraded reliability standards, including a requirement to identify BES cyber systems’ assets that need to be protected. Version 5 requires BES owners and operators to categorize all cyber systems affecting their operations as low, medium, or high impact. Version 4 only requires the identification of critical assets.

Version 5 focuses on discrete electronic access points and not the logical perimeter. Version 5 also imposes a new standard that consolidates configuration change management- and vulnerability assessment-related requirements.

Vajda insists that compliance with regulation addresses only part of the security equation. “Just because you check the boxes [on the NERC forms] doesn’t mean you’ve achieved a secure environment.” According to Vajda, organizations must ask, “what else is in my environment that is not covered in a compliance framework that I need to be worried about?”

Companies must look beyond guidelines listed in audits and consider weak access points relative to their individual operations. “Saying ‘I’m CIP-compliant’ is nothing to boast about,” says Ginter.

Secure access safety
Organizations must consider the use of unidirectional gateway devices for data connectivity from an industrial network to a corporate network. Automation World reports that when addressing BES organizations at a 2012 NERC conference, NERC chief cybersecurity officer Tim Roxey said, “When you are considering security for your control networks, you need to keep in mind innovative security technologies such as unidirectional gateways.”

Waterfall Security, headquartered in Rosh Ha’ayin, Israel, developed its main unidirectional technology in 2004. The device is now used to protect safety systems, nuclear reactors, and conventional electricity generators. NERC-CIP tends to reward organizations that use unidirectional gateways as the only connection between outside-the-perimeter networks and protected networks. “You’re off the hook for one-third of the rule for a medium-impact site, which typically is power generation,” Ginter explains to Automation World.

Encryption is another issue to consider, since most devices do not support encryption. BES systems can be compromised by malware, just as a computer network system can. Ginter stresses that cybersecurity gurus on the IT side and some in industrial spaces ask: “Are you nuts? Why aren’t things encrypted?” Thankfully, CIP Version 5 calls for encryption among BES.

Beyond reliability standards
Although BES can expect NERC to develop updates and new CIP versions, organizations must not rely solely on the next version — they must remain proactive. Ginter asked a power industry official whether CIP standards protect against cyberattacks typical of Chinese intelligence agencies, and the official replied, “You can’t hack the power grid. It’s redundant. It’s complex.” Such attacks, however, are possible, and according to Ginter, no provisions in Version 5 protect against those scenarios.

As one might expect, CIP Version 6 will roll out shortly. Alrich expects it by summer 2014. “You won’t ever have to comply with Version 5, any more than you will with Version 4,” he says. “Your next CIP compliance version will be 6.”