The third and final webinar in the NAES, ABS Group, and Network Perception cybersecurity webinar series covered NERC CIP-003-9: What Now? Response Requirements. While the NERC standard is still subject to revisions and tweaks in the coming months, there is enough “writing on the wall” for low-impact bulk electric system (LIBES) sites to begin the long slog toward compliance and security (two different goals). It begins with a comprehensive inventory of every vendor that has electronic access to your site, along with all the devices, pathways, and equipment each vendor can reach.
The first webinar emphasized the need for full supply chain visibility, developing a full network model that can inform the site about what could happen, and no longer relying on your control system OEM for compliance or security. In the second webinar, the panel of experts recommended that you automate the detection of vendor access, and alarm, log, and record all vendor sessions during which changes are made to the system; institute granular controls per vendor and test and validate them regularly; and develop methods for terminating a previously authorized vendor session, if necessary.
The third webinar hammered on the point that it’s all about your site’s supply chain. The opening salvo was a word of caution: do not simply apply the processes and procedures written for medium- and high-impact BES assets to your low-impact ones, and think of cybersecurity the way you think of safety. That is, you need a culture of cyber-vigilance. “Responsibilities cannot be assigned, they have to be accepted,” one panelist said.
Regarding what clearly is the big challenge, vendor electronic remote access (VERA), sites need to be able to document every network path a vendor could use, and to develop and document methods to authorize, monitor, alert/alarm on, and record all remote vendor access. “All network paths possibly available to a ‘bad actor’ need to be exposed and understood in terms of who is connected, what can they do, when do they connect, where can they go, how do I know, and what can I do (e.g., disconnect them, if necessary).” For one thing, this means every firewall rule needs to be re-assessed, though rules should not be tightened to the point that normal plant operations are impacted when a vendor is cut off.
Section 6.2, for example, requires the site to have a method for disabling VERA when necessary, such as disabling inbound and outbound communication or removing physical-layer connectivity, and to collect evidence that you can do, and have done, these actions. Section 6.3 requires that you document anti-malware technologies and how they are updated and configured; and document intrusion detection/prevention software, use of automated or manual log reviews, and automated and/or manual alerting.
Section 6.3 also requires that you detect known or suspected malicious communications, which raises the question: how do you define malicious communications, or malicious code, for your specific systems?
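As an added illustration of the automated log review and alerting that Sections 6.2 and 6.3 ask a site to document, and of the who/what/when/where questions raised above, the following Python script is not from the webinar, the panelists, or NP View. It pairs vendor session start/end events from a constructed log, checks each session against a constructed authorization list (vendor, source address, permitted targets, change window), and flags anything unauthorized, out of scope, outside its window, or still open past its window so that it can be disconnected. The log format, vendor names, hosts, addresses, tickets, and times are all invented for the example.

```python
"""Added example: automated review of vendor remote-access session logs.

Not the webinar's or NP View's code. The log format, vendors, hosts,
addresses, change tickets and times below are all constructed for the example.
"""
from datetime import datetime
import re

# Constructed authorization records: which vendor may connect, from where,
# to which assets, during which change window. In practice these come from
# the site's change-management / vendor-access approval process.
AUTHORIZATIONS = [
    {"vendor": "turbine-oem", "source": "203.0.113.10",
     "targets": {"hmi-01", "plc-07"},
     "start": datetime(2024, 5, 6, 8, 0), "end": datetime(2024, 5, 6, 17, 0),
     "ticket": "CHG-1042"},
    {"vendor": "historian-vendor", "source": "198.51.100.25",
     "targets": {"hist-01"},
     "start": datetime(2024, 5, 6, 0, 0), "end": datetime(2024, 5, 7, 0, 0),
     "ticket": "CHG-1051"},
]

# Constructed session log in a generic jump-host style (not any real product's format).
SAMPLE_LOG = """\
2024-05-06T09:14:02 SESSION_START vendor=turbine-oem src=203.0.113.10 dst=hmi-01 id=s1
2024-05-06T09:40:11 SESSION_END vendor=turbine-oem src=203.0.113.10 dst=hmi-01 id=s1
2024-05-06T11:02:45 SESSION_START vendor=turbine-oem src=203.0.113.10 dst=eng-ws-02 id=s2
2024-05-06T11:20:00 SESSION_END vendor=turbine-oem src=203.0.113.10 dst=eng-ws-02 id=s2
2024-05-06T19:30:00 SESSION_START vendor=turbine-oem src=203.0.113.10 dst=plc-07 id=s3
2024-05-06T22:05:12 SESSION_START vendor=unknown src=192.0.2.77 dst=hist-01 id=s4
2024-05-06T22:09:00 SESSION_END vendor=unknown src=192.0.2.77 dst=hist-01 id=s4
"""

# Constructed review time: the moment the log review is run.
REVIEW_TIME = datetime(2024, 5, 6, 23, 0)

LINE_RE = re.compile(
    r"(\S+) (SESSION_START|SESSION_END) vendor=(\S+) src=(\S+) dst=(\S+) id=(\S+)")


def parse_sessions(log_text):
    """Pair SESSION_START/SESSION_END lines by session id.

    Returns a list of dicts; 'end' is None for a session that never ended,
    i.e. one that is still open at review time.
    """
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; a production reviewer would count these too
        ts = datetime.fromisoformat(m.group(1))
        event, vendor, src, dst, sid = m.groups()[1:]
        if event == "SESSION_START":
            sessions[sid] = {"id": sid, "vendor": vendor, "src": src,
                             "dst": dst, "start": ts, "end": None}
        elif sid in sessions:
            sessions[sid]["end"] = ts
    return list(sessions.values())


def review(sessions, authorizations, now):
    """Check each session against the authorization list.

    Returns (session_id, finding, detail) tuples; an empty list means every
    session answers who/what/when/where with a matching authorization.
    """
    findings = []
    for s in sessions:
        auth = next((a for a in authorizations
                     if a["vendor"] == s["vendor"] and a["source"] == s["src"]), None)
        if auth is None:
            findings.append((s["id"], "UNAUTHORIZED",
                             "no authorization for vendor=%s src=%s" % (s["vendor"], s["src"])))
            continue
        if s["dst"] not in auth["targets"]:
            findings.append((s["id"], "OUT_OF_SCOPE",
                             "%s is not a permitted target under %s" % (s["dst"], auth["ticket"])))
        if not (auth["start"] <= s["start"] <= auth["end"]):
            findings.append((s["id"], "OUTSIDE_WINDOW",
                             "started %s, window %s..%s" % (s["start"], auth["start"], auth["end"])))
        # An open session past its window is the Section 6.2 case: it must be disconnected.
        if s["end"] is None and now > auth["end"]:
            findings.append((s["id"], "STILL_OPEN",
                             "open since %s, window ended %s; disconnect" % (s["start"], auth["end"])))
    return findings


if __name__ == "__main__":
    for sid, kind, detail in review(parse_sessions(SAMPLE_LOG), AUTHORIZATIONS, REVIEW_TIME):
        print(sid, kind, detail)
```

Run against the constructed log, the script passes session s1 silently (authorized vendor, permitted target, inside its window, closed), flags s2 for touching a host outside the ticket's scope, flags s3 both for starting after the window closed and for still being open, and flags s4 because no authorization exists for that vendor and source at all. The findings list is also the evidence record Section 6.2 asks for: it shows that sessions are being reviewed and which ones warranted a disconnect.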
Consistency in your processes, procedures, and responses is the key to avoiding trouble should you face an audit or an RFI (request for information), the panelists stressed. At the end, the panel noted that Network Perception’s NP View software can generate a model, or network topology, of a site’s electronic devices, monitor multiple vendors, and produce consistent documentation. It is said to be “basically what’s used by the auditors.”
Access CCJ recaps and recordings of the three webinars here:
- Part 1: What You Need to Know About the New Requirements and How to Comply
- Part 2: What You Should Do vs What You Must Do
- Part 3: What Now? Response Requirements