Contents
Executive Summary (p 1)
Introduction (p 2)
Understanding CIP objectives (p 4)
Core Security Principles (p 5)
NERC CIP technical control guidelines (p 6)
Finding your compliance solution (p 10)
Conclusion (p 11)
NERC Critical Infrastructure Protection (CIP) and Security for Field Devices
Executive summary
The North American Electric Reliability Corporation (NERC) maintains a set of
Critical Infrastructure Protection (CIP) guidelines that address a broad range of
critical cyber asset and cyber security issues. These guidelines describe the
security-focused procedures that, in combination with compliant technology,
enable secure electric grid operations. The CIP guidelines do not specify the
technologies that must be deployed. Instead, they describe the technology design
necessary to build an information management architecture that complies with
security goals.
These goals include minimizing the administrative authorization needed for
operational functions. Rights and privileges are assigned to a functional role,
not to a named individual. Audit trails of field device and substation activity,
comparable to control room auditability, must be maintained so that data and
controls can be trusted.
The six CIP guidelines summarized in the paper speak to the procedures and
policies that are vital to critical cyber asset security – personnel authorizations;
personnel training; security of the information management system’s electronic
perimeter; security of the information management system’s physical assets;
operational security; and incident reporting and response planning.
The utility builds its CIP-compliant program with defined procedures addressing
these guidelines, coupled with the hardware and software that enable full
implementation of these procedures. Training of all personnel is necessary for
effective and efficient compliance.
White paper | 01
Introduction
In this paper, we target ‘the myth of compliance.’
While the term ‘compliant’ most often refers to products – the software and
devices deployed in daily field operations of the electric grid – we at Telvent see
security compliance as a ‘process.’ Through our extensive experience working
with critical infrastructure asset owners, vendors and regulatory agencies, we
know full compliance is achieved only when compliant hardware and software are
complemented by information management procedures that reflect strong security
principles.
Here, we discuss in general how consistent NERC Critical Infrastructure Protection
(CIP) compliance reflects best security practices combining:
• Core security principles
• Technical controls defined by CIP guidelines
• A strong level of discipline within the user organization and its vendor
organizations
Understanding CIP objectives
What CIP does. CIP provides general security guidance toward achieving the
minimal level of security required for safe and secure operations.

What CIP does not do. CIP does not prescribe or specify the technologies to be
deployed to meet secure operational goals. It defines objectives, not how the
user must achieve them. With the responsibility of meeting secure operations
objectives, the user also has the choice of which technology will best serve its
needs in meeting those objectives.

CIP covers both technical and operational compliance. It is the combination of
compliant technology and security-focused procedures that enables CIP-compliant
operations; see Figure 1.

In this way, CIP challenges asset owners to consider security a 'holistic' issue
that actively targets not only system design and installation but also daily
processes. Compliant technology establishes a minimal level of authentication,
authorization and auditability. The asset owner must actively build on that
compliance foundation to realize a strong security culture within the
organization.

[Figure 1: compliance-capable hardware plus secure configuration yields CIP-compliant
devices; together with CIP-compliant operations and CIP-compliant training processes
these form the compliance program.]
Figure 1. Technology, in and of itself, does not impart CIP compliance. Rather, the user
must build a program that assures its compliant technology is deployed and operated to
create the level of security required to achieve compliance.
Core Security Principles
Let's review the security principles that are fundamental in molding a
CIP-compliant information management architecture:

Principle of Least Privilege (PoLP). This principle describes the technology design
– the design of applications and field devices – that allows operation with the
minimum amount of administrative authorization. A granular-access approach to
operational control limits authority to each employee's functions; any control
authorized beyond defined operational functions invites errors that could have
inadvertent, far-reaching impact – and even invites malicious abuse.

While many legacy systems might not accommodate highly granular access, newer
technology is being designed to meet this criterion.

Role-based Access Control (RBAC). Rights and privileges associated with any network
device are assigned to an administrative role or job duty, rather than to a named
individual. This approach allows individuals to move in and out of roles within the
organization without complicated re-definition of that person's authorization,
supporting continuous compliance and limiting authorization errors. It also
supports the centralized management essential in an efficient, integrated network.

Audit trails. While maintaining audit trail capability is familiar in the control
room, CIP compliance extends this concept to operation of field devices. By
maintaining an awareness of field data activity and changes at the device and
substation level, the user can integrate that data into centralized control with
confidence. The intent is not only to provide the means for documenting system
management in the recent past but also to enable real-time assessment of whether
the CIP controls in place are appropriate – doing their job and meeting compliance
goals.

Information management key for security – and more

Reliable information management serves critical infrastructure security by –
• Maintaining infrastructure availability – preventing acts, intentional or
  accidental, from interrupting operations
• Preserving data integrity – to support the quality of operational
  decision-making as well as meet regulatory/auditing scrutiny

The robust information management system also can enforce data confidentiality,
allowing it to be used for:
• Accounting purposes
• Business-critical processes
• Customer consumption

With compliant information management architecture, the asset owner will:
• Know and control who is allowed to access the system
• Know and control what each individual is allowed to do on the system
• Know and control what can be done by an individual based on where the
  individual is accessing the system
• Know what each individual has done on the system
• Prevent access to critical assets from any location where any of the above
  situations is not true
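As an added example (not code from the paper or from Telvent), the following Python sketch puts the three principles and the five "know and control" items above into one policy check: privileges attach to roles, each person has an individual account mapped to one role, the location a request comes from is part of the decision, access is denied by default, and every decision, allowed or denied, lands in an audit trail. Role names, actions, locations and user names are assumed for illustration; a real device or access gateway exposes its own.

```python
"""Added example, not code from the Telvent paper: a minimal policy engine that
applies least privilege, role-based access control, location-aware authorization
and a per-decision audit trail to control actions on a field device.
Role names, actions, locations and user names are assumed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Privileges attach to functional roles, never to named individuals.
ROLE_ACTIONS = {
    "viewer":   {"read_status"},
    "operator": {"read_status", "open_breaker", "close_breaker"},
    "admin":    {"read_status", "add_user", "remove_user", "change_role"},
}
# Where each role may be exercised from (the "where" in know-and-control).
ROLE_LOCATIONS = {
    "viewer":   {"control_center", "substation_local", "remote"},
    "operator": {"control_center", "substation_local"},
    "admin":    {"control_center"},
}


@dataclass
class AuditEntry:
    seq: int
    when: str
    user: str
    role: Optional[str]
    action: str
    location: str
    allowed: bool
    reason: str


@dataclass
class DeviceAccessPolicy:
    users: Dict[str, str]                       # individual account -> one role
    audit: List[AuditEntry] = field(default_factory=list)

    def _log(self, user, role, action, location, allowed, reason):
        entry = AuditEntry(len(self.audit) + 1, datetime.now(timezone.utc).isoformat(),
                           user, role, action, location, allowed, reason)
        self.audit.append(entry)
        return entry

    def authorize(self, user: str, action: str, location: str) -> AuditEntry:
        """Deny by default; every decision, allowed or denied, is recorded."""
        role = self.users.get(user)
        if role is None:
            return self._log(user, None, action, location, False, "unknown user")
        if action not in ROLE_ACTIONS.get(role, set()):
            return self._log(user, role, action, location, False, f"action not granted to role {role}")
        if location not in ROLE_LOCATIONS.get(role, set()):
            return self._log(user, role, action, location, False, f"role {role} not permitted from {location}")
        return self._log(user, role, action, location, True, "ok")

    def change_role(self, admin: str, user: str, new_role: str, location: str) -> bool:
        """Move a person between roles; the roles' privileges need no editing."""
        if not self.authorize(admin, "change_role", location).allowed:
            return False
        if user not in self.users or new_role not in ROLE_ACTIONS:
            return False
        self.users[user] = new_role
        return True


def demo():
    """Run a fixed scenario; returns the decision list and the audit trail."""
    policy = DeviceAccessPolicy(users={"alice": "operator", "bob": "viewer", "carol": "admin"})
    decisions = [
        policy.authorize("alice", "open_breaker", "control_center").allowed,   # operator, right place
        policy.authorize("alice", "open_breaker", "remote").allowed,           # denied: wrong place
        policy.authorize("bob", "open_breaker", "control_center").allowed,     # denied: viewer
        policy.authorize("mallory", "read_status", "control_center").allowed,  # denied: no account
        policy.change_role("carol", "bob", "operator", "control_center"),      # admin moves bob to operator
        policy.authorize("bob", "open_breaker", "substation_local").allowed,   # now allowed
        policy.change_role("alice", "bob", "admin", "control_center"),         # denied: operators cannot manage users
    ]
    return decisions, policy.audit


if __name__ == "__main__":
    decisions, audit = demo()
    for e in audit:
        verdict = "ALLOW" if e.allowed else "DENY"
        print(f"{e.seq:02d} {e.user:8s} {str(e.role):9s} {e.action:13s} {e.location:17s} {verdict:5s} {e.reason}")
```

Moving bob from viewer to operator changes one mapping and no privilege definitions, which is the RBAC point; the denied attempt by an operator to change roles is least privilege applied to administration itself, and the audit trail records the denial as well as the successes.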
NERC CIP technical control guidelines
The NERC CIP document addresses a broad range of Critical Cyber Asset (CCA) and
Cyber Security issues; here, we very briefly review six of the CIP guidelines that
apply to operation of electric network field devices; also see Table 1. The full
text of the NERC CIP standard can be found at http://www.nerc.com.

About NERC
The North American Electric Reliability Corporation (NERC) is an international
regulatory authority established to evaluate reliability of the bulk power system
in North America. NERC develops and enforces Reliability Standards; assesses
adequacy annually via ten-year forecasts and winter and summer forecasts; monitors
the bulk power system; and educates, trains, and certifies industry personnel.
NERC is the electric reliability organization for North America, subject to
oversight by the U.S. Federal Energy Regulatory Commission (FERC) and governmental
authorities in Canada. For more information, visit http://www.nerc.com

CIP-003 Security Management Controls describes the development of a cyber
security policy and documentation of that policy in a way that it can be updated
and that all staff are aware of the policy. It discusses management of personnel
who have access to the CCAs and identification of users with different privileges,
roles and responsibilities.
• The user will want to look for hardware that can be configured to allow a
  specific ID for each user, and for addition and deletion of privileged users and
  of users with different levels of access. Hardware that documents not only access
  but also details of the functions performed during the access is a big advantage;
  this downloadable User Log will provide an audit trail for CIP compliance.

CIP-004 Personnel and Training identifies the personnel training and awareness
recommended for supporting security-related operations and procedures. It cites
CCA user identification lists that are reviewed periodically and can be modified
to change both users and user privileges.
• Devices that accept addition or deletion of users and/or privileges remotely
  allow quick updates and keep functionality accurately maintained.

CIP-005 Electronic Security Perimeter(s) deals with identification and protection
of ESP access points and communications. In some places, this CIP guideline uses
vaguely worded phrases such as "where technically feasible"; this wording makes it
difficult for the organization to fully understand requirements.

While encryption is not identified specifically as a guideline for ESP access,
CIP-005 does speak to:
• Security of dial-up access – it is unclear whether a user name and password
  alone constitute 'secure' access. Use of a 'call back' modem, or a
  SCADA-controlled relay that is closed for access and opened when not needed,
  provides a stronger control than a password alone.
  - An alternative to dial-up connection is the Ethernet strategy, providing the
    IP tunnel that eliminates a dial-up channel. Another plus: with employees
    equipped with cell phones, replacing dial-up access also eliminates any need
    for a phone line into the substation.
• Access denied by default – access requires a password, and password
  changeability
• Enabling and disabling ports or functions deemed not needed – at the most basic
  level, a firewall capability serves this purpose
• Appropriate-use banner – in our opinion, most likely a legal shield
• Monitoring, logging and warnings for user access or attempted access – simple if
  the device has alarm generation and logging ability, most useful if the alarm
  alert is in real time
  - Consider hardware that generates an alarm each time a user logs in, to initiate
    automatic user validation by SCADA or other means. IP tunnel capability
    eliminates dial-up access, and IP filter capability adds an additional layer of
    security.

CIP-006 Physical Security discusses physical accessibility to equipment, including:
• Mounting equipment in lockable enclosures
• Remote control of locks
• Access alarms indicating a door or gate is open
• Card keys, video cameras, etc.
• User logged in and failed login attempts
  - Devices that can integrate card keys and/or video initiation with access
    alarms enhance security of the physical perimeter.

Table 1. Summary of CIP Issues
(Requirement, NERC CIP Standard, and compliant hardware capabilities)

User Access (CIP-004, CIP-005, CIP-007)
  • Individual user accounts/passwords
  • Privileges defined on a per-user basis
  • Strong passwords supported
  • Passwords hidden when entered
Access Control (CIP-003, CIP-004, CIP-005)
  • Passwords can be managed from central location
  • Multiple admin-type accounts can be configured
  • User Log, IP Filter list
Electronic Security Perimeter (CIP-003, CIP-005, CIP-007)
  • Elimination of dial-up access with use of IP tunnel
  • Appropriate banner usage
  • Electronic access logged; can be monitored and alarmed
  • Port data paths configurable
  • SSL / SSH LAN
Logging of Access and Usage (CIP-003, CIP-004, CIP-007, CIP-008)
  • Every access attempt logged
  • Resets logged
  • User changes logged
  • Time-tagged events logged
Personnel termination/privilege changes (CIP-004, CIP-007)
  • User accounts revocable by administrator
  • User accounts 'downgradable' to lower level of authority
Security Software Management (CIP-007)
  • All software upgrades available for real-time updates
  • Non-Windows-based OS
Alerts and Notifications (CIP-005, CIP-007, CIP-008)
  • Every access attempt logged
  • Access notification alarms available to SCADA
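Several items above ask for every access attempt to be logged and alarmed, for an IP filter list on the device, and for the user list to be kept current under CIP-004. As an added example (not from the paper), this Python script runs that detection logic over a constructed device User Log: it notifies SCADA of every successful login, flags a login by a user no longer on the authorized list, flags a source outside the IP filter list, and raises a burst alarm on repeated failed logins. The log line format, addresses, user names and thresholds are all assumed; a real device's log export will differ.

```python
"""Added example, not code from the paper: detection logic run over a
constructed device User Log.  Covers: every login notified to SCADA for
validation, logins by users missing from the current CIP-004 user list,
sources outside the device IP filter list, and bursts of failed logins.
Log format, addresses, user names and thresholds are assumed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real device output).
SAMPLE_LOG = """\
2013-04-02T10:15:03Z user=alice src=10.20.30.5 event=LOGIN result=OK
2013-04-02T10:15:40Z user=alice src=10.20.30.5 event=CONTROL target=breaker_52 result=OK
2013-04-02T10:16:10Z user=alice src=10.20.30.5 event=LOGOUT result=OK
2013-04-02T11:02:11Z user=dave src=10.20.30.9 event=LOGIN result=OK
2013-04-02T23:41:02Z user=admin src=198.51.100.77 event=LOGIN result=FAIL
2013-04-02T23:41:09Z user=admin src=198.51.100.77 event=LOGIN result=FAIL
2013-04-02T23:41:15Z user=admin src=198.51.100.77 event=LOGIN result=FAIL
2013-04-02T23:41:23Z user=admin src=198.51.100.77 event=LOGIN result=FAIL
"""

# Assumed current user list after a CIP-004 review: "dave" was removed.
AUTHORIZED_USERS = {"alice", "bob", "carol"}
# Assumed IP filter list: only the control-centre SCADA LAN may reach the device.
IP_FILTER = [ipaddress.ip_network("10.20.30.0/24")]
FAIL_THRESHOLD = 3                  # this many failed logins ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this window raise a burst alarm

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)"
    r"(?: target=(?P<target>\S+))? result=(?P<result>\S+)$"
)


def parse(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def in_filter(addr):
    return any(addr in net for net in IP_FILTER)


def analyze(log_text):
    """Return (alarm_type, timestamp, detail) tuples, one per finding."""
    alarms = []
    failures = defaultdict(list)   # (user, src) -> recent failure timestamps
    outside_seen = set()           # alarm once per (user, src) outside the filter
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            alarms.append(("UNPARSED", None, line))   # never drop a record silently
            continue
        ts, user, src = rec["ts"], rec["user"], rec["src"]
        key = (user, str(src))
        if not in_filter(src) and key not in outside_seen:
            outside_seen.add(key)
            alarms.append(("SRC_OUTSIDE_IP_FILTER", ts, f"{user} from {src}"))
        if rec["event"] == "LOGIN" and rec["result"] == "OK":
            # Every successful login is notified so SCADA can validate the user.
            alarms.append(("LOGIN_NOTIFY", ts, f"{user} from {src}"))
            if user not in AUTHORIZED_USERS:
                alarms.append(("UNAUTHORIZED_USER_LOGIN", ts, f"{user} not on current user list"))
        elif rec["event"] == "LOGIN" and rec["result"] == "FAIL":
            recent = failures[key]
            recent.append(ts)
            recent[:] = [t for t in recent if ts - t <= FAIL_WINDOW]
            if len(recent) == FAIL_THRESHOLD:   # alarm once, when the threshold is reached
                alarms.append(("FAILED_LOGIN_BURST", ts, f"{len(recent)} failures for {user} from {src}"))
    return alarms


if __name__ == "__main__":
    for kind, ts, detail in analyze(SAMPLE_LOG):
        print(f"{ts} {kind:24s} {detail}")
```

On the sample the script produces five alarms: two login notifications, one unauthorized-user login (dave's account was never revoked on the device), one source outside the IP filter, and one failed-login burst. Lines that do not parse are surfaced as their own alarm rather than skipped, since a changed log format would otherwise blind the monitor.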
CIP-007 Systems Security Management deals with operating issues such as security
patches, virus protection, vendor releases and event logging. References to device
security reinforce CIP-005 concepts:
• Ability to enable or disable unused or unneeded ports and services – or a
  compensating factor that will mitigate risk, such as physical security
• Security patches and firmware upgrades
• Anti-virus and malware protection – driven by the operating system
  - Merely due to the widespread deployment of the Windows® operating system,
    the use of a non-Windows OS might reduce the possibility of a targeted
    attack. Devices that run a non-Windows OS are not exposed to commodity
    Windows malware, but that is not immunity: they still need patching,
    hardening and access monitoring. In any case, user login monitors and alarms
    and use of discrete passwords reduce risk.
• Individual, not shared, accounts – as mentioned in CIP-003 controls, privileges
  should be defined on a per-role basis
• Logs and audit trails
  - Login and failed login attempts generate mappable alarm indications
• Any access requires a valid, strong password
  - Devices that support centralized password management facilitate the
    requirement for password control.
• Users can be assigned different levels of access based on need
  - View Only
  - Other levels/privileges
  - Administrator who can control access by other users
• All stored passwords are hidden, hashed or encrypted, never kept in clear text
• Equipment should be wiped on disposal, either by memory erase or by physically
  destroying the microchip if necessary
  - If a device fails, it might be difficult to effectively erase memory. Look for
    devices that have removable media.

The Electronic Security Perimeter
The majority of the 'surface area of the ESP' involves field device hardware; see
Figure 2. For this reason, the technical security controls defined by CIP focus on
control of access and communication of field devices.

[Figure 2: layers from Field Devices, Data Gathering/Substations and Comms up
through Control System, Business Support and Enterprise Infrastructure, plotted
against Security Risk/Surface Area; the ESP label sits over the field-device end,
where the surface area is greatest.]
Figure 2. Proper device configuration is a key step in CIP compliance.

CIP-008 Incident Reporting and Response Planning relates to the managing and
handling of reports and logs. While collecting and storing logs for historical
reference is necessary, how that retention is done is determined by the hardware
and the organization's capabilities.
• Remote electronic download of user logs, SOE log, system log and control log
  facilitates data documentation for reports and compliance audit trail, compared
  to collection via a physical tap.
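As an added example (not from the paper), the following Python audit turns the CIP-007 list above into checks that can be run against a device configuration export: unneeded services, firmware level, generic or default accounts, levels of access, password policy and storage, and logging and alarms. It is run against a constructed "as shipped" configuration and a hardened one. The configuration keys, service names and policy thresholds are assumptions to be mapped onto the real device's settings.

```python
"""Added example, not code from the paper: an audit of a device configuration
against the CIP-007 items listed above.  Configuration keys, service names and
policy thresholds are assumed for illustration."""
from dataclasses import dataclass
from typing import List

NEEDED_SERVICES = {"ssh", "dnp3"}                       # assumed: what this device must expose
CLEARTEXT_OR_DIALUP = {"telnet", "ftp", "http", "modem"}
GENERIC_ACCOUNTS = {"admin", "operator", "guest", "root"}
MIN_PASSWORD_LEN = 8                                    # assumed policy values
MAX_PASSWORD_AGE_DAYS = 365
CURRENT_FIRMWARE = "3.2.1"                              # assumed vendor-current release


@dataclass
class Finding:
    control: str     # the CIP-007 item from the list above
    severity: str
    detail: str


def audit_device(cfg) -> List[Finding]:
    f = []
    # Ports and services: anything enabled beyond what is needed is a finding.
    for svc, enabled in cfg["services"].items():
        if enabled and svc not in NEEDED_SERVICES:
            sev = "high" if svc in CLEARTEXT_OR_DIALUP else "medium"
            f.append(Finding("unneeded ports/services", sev, f"{svc} enabled but not required"))
    # Security patches and firmware upgrades.
    if cfg["firmware"] != CURRENT_FIRMWARE:
        f.append(Finding("patches/firmware", "medium", f"firmware {cfg['firmware']}, current is {CURRENT_FIRMWARE}"))
    # Individual, not shared, accounts; no vendor default passwords.
    for acct in cfg["accounts"]:
        if acct["name"] in GENERIC_ACCOUNTS:
            f.append(Finding("individual accounts", "high", f"generic/shared account {acct['name']}"))
        if acct.get("default_password"):
            f.append(Finding("strong passwords", "high", f"{acct['name']} still has the vendor default password"))
    # Levels of access: at least one non-administrator level should exist.
    levels = {a["level"] for a in cfg["accounts"]}
    if levels == {"admin"}:
        f.append(Finding("levels of access", "medium", "every account is administrator; no view-only level"))
    # Password policy and storage.
    pw = cfg["password_policy"]
    if pw["min_length"] < MIN_PASSWORD_LEN:
        f.append(Finding("strong passwords", "medium", f"minimum length {pw['min_length']} < {MIN_PASSWORD_LEN}"))
    if not pw["require_mixed_chars"]:
        f.append(Finding("strong passwords", "medium", "no alpha/numeric/special mix required"))
    if pw["max_age_days"] is None or pw["max_age_days"] > MAX_PASSWORD_AGE_DAYS:
        f.append(Finding("strong passwords", "low", "passwords never expire or expire too late"))
    if cfg["password_storage"] != "hashed":
        f.append(Finding("password storage", "high", f"passwords stored {cfg['password_storage']}"))
    # Logs, audit trails and alarms.
    if not cfg["logging"]["failed_logins"]:
        f.append(Finding("logs and audit trails", "medium", "failed logins are not logged"))
    if not cfg["logging"]["alarm_to_scada"]:
        f.append(Finding("logs and audit trails", "medium", "login alarms not forwarded to SCADA"))
    if not cfg["banner"]:
        f.append(Finding("appropriate-use banner", "low", "no login banner configured"))
    return f


# Constructed configurations: as shipped, and after hardening.
WEAK_CONFIG = {
    "firmware": "2.9.0",
    "services": {"telnet": True, "ftp": True, "http": True, "modem": True, "ssh": False, "dnp3": True},
    "accounts": [{"name": "admin", "level": "admin", "default_password": True},
                 {"name": "operator", "level": "admin", "default_password": False}],
    "password_policy": {"min_length": 4, "require_mixed_chars": False, "max_age_days": None},
    "password_storage": "cleartext",
    "logging": {"failed_logins": False, "alarm_to_scada": False},
    "banner": "",
}
HARDENED_CONFIG = {
    "firmware": "3.2.1",
    "services": {"telnet": False, "ftp": False, "http": False, "modem": False, "ssh": True, "dnp3": True},
    "accounts": [{"name": "a.smith", "level": "admin", "default_password": False},
                 {"name": "b.jones", "level": "operator", "default_password": False},
                 {"name": "c.lee", "level": "view_only", "default_password": False}],
    "password_policy": {"min_length": 12, "require_mixed_chars": True, "max_age_days": 180},
    "password_storage": "hashed",
    "logging": {"failed_logins": True, "alarm_to_scada": True},
    "banner": "Authorized use only. All activity is logged.",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_device(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for x in findings:
            print(f"  [{x.severity}] {x.control}: {x.detail}")
```

The as-shipped configuration yields sixteen findings, eight of them high (four cleartext or dial-up services, two generic accounts, one vendor default password and cleartext password storage); the hardened one yields none. Where a service cannot be disabled, the paper's compensating factor (physical security) should be recorded against that finding rather than the finding being suppressed.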
Finding your compliance solution
CIP guidelines are drawn to identify the desired goal; it is up to the organization
to institute the hardware, software and processes that best allow it to meet these
goals.

For example, the utility can determine where its physical and electronic security
perimeters begin and end. Figure 3 shows a typical substation where the control
house, in essence, is the physical security perimeter. Electronic security
perimeters are effectively constructed around the devices, such as the router and
dial-up control, that are communication end points. Depending on the number and
frequency of patches and updates that are anticipated to be needed for substation
devices, the organization might consider segregating the router from the
substation controller so that the substation controller can be excluded from the
electronic security perimeter. This might reduce the point-to-point testing time
and effort that application of patches and upgrades requires.

Bottom line: the organization is responsible for writing the procedures that make
compliance with CIP guidelines efficient and effective.

[Figure 3: a typical substation. SCADA Master, phone line and dial-up, and
wireless comms to pole-top/remote IEDs connect in from outside. Inside the physical
security perimeter (the control house): router, substation controller, DMS/HMI,
RTU, discrete I/Os, legacy relays, cap bank IEDs, LTCs, smart meters and other
devices/IEDs; the electronic security perimeter is drawn around the router and
dial-up communication end points.]
Figure 3. The utility should keep the ESP as small as possible.
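As an added example (not from the paper), the following Python model of the Figure 3 substation shows the effect of the segregation described above. It applies a simplified rule, assumed for this example: a device is inside the ESP if it can be reached from an external access point (the SCADA WAN link or a dial-up line) over routable IP links, while serial, discrete and non-IP radio links stop the propagation. Device names and link types are assumptions drawn from the figure.

```python
"""Added example, not code from the paper: a reachability model of the
Figure 3 substation computing which devices fall inside the electronic security
perimeter under two wiring choices.  The membership rule (reachable from an
external access point over routable IP links) is a simplification assumed for
this example; device names and link kinds are assumed from the figure."""
from collections import deque

ROUTABLE = {"ip"}       # link kinds that propagate ESP membership
EXTERNAL = "EXTERNAL"   # pseudo-node standing for everything outside the substation


def esp_members(links):
    """links: iterable of (device_a, device_b, link_kind).  Returns devices inside the ESP."""
    adj = {}
    for a, b, kind in links:
        adj.setdefault(a, []).append((b, kind))
        adj.setdefault(b, []).append((a, kind))
    # Access points: every device with a link to the outside world, whatever its kind.
    inside = {dev for dev, _ in adj.get(EXTERNAL, [])}
    queue = deque(inside)
    # Then everything reachable from an access point over routable links.
    while queue:
        dev = queue.popleft()
        for nxt, kind in adj.get(dev, []):
            if nxt != EXTERNAL and kind in ROUTABLE and nxt not in inside:
                inside.add(nxt)
                queue.append(nxt)
    return inside


def outside_esp(links):
    """Devices the ESP does not enclose (they still sit inside the physical perimeter)."""
    devices = {d for a, b, _ in links for d in (a, b)} - {EXTERNAL}
    return devices - esp_members(links)


# Topology A: the substation controller and HMI are on the router's Ethernet,
# and a dial-up modem shares that LAN.
TOPOLOGY_A = [
    (EXTERNAL, "router", "ip"),                    # SCADA master over the WAN
    (EXTERNAL, "dialup_modem", "dialup"),          # phone line into the control house
    ("dialup_modem", "router", "ip"),
    ("router", "substation_controller", "ip"),
    ("substation_controller", "dms_hmi", "ip"),
    ("substation_controller", "rtu", "serial"),
    ("substation_controller", "ied_relays", "serial"),
    ("substation_controller", "pole_top_ieds", "radio_serial"),   # assumed non-IP radios
    ("rtu", "discrete_io", "discrete"),
]
# Topology B: dial-up eliminated, and the controller talks to the router over a
# serial link only, so the ESP shrinks to the router itself.
TOPOLOGY_B = [
    (a, b, "serial" if {a, b} == {"router", "substation_controller"} else kind)
    for a, b, kind in TOPOLOGY_A
    if "dialup_modem" not in (a, b)
]

if __name__ == "__main__":
    for name, topo in (("A", TOPOLOGY_A), ("B", TOPOLOGY_B)):
        print(f"topology {name}: inside ESP = {sorted(esp_members(topo))}")
        print(f"topology {name}: outside ESP = {sorted(outside_esp(topo))}")
```

Topology B removes the dial-up line and places a serial link between router and substation controller; the ESP collapses from four devices to the router alone, which is what "keep the ESP as small as possible" means in practice, and every patch to the controller then falls outside the perimeter's test scope. If the pole-top radios actually carry IP, change that link kind to "ip" and the model pulls the remote IEDs inside as well. Whatever the model says, any device that remains dial-up accessible still needs the CIP-005 dial-up controls discussed earlier.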
Conclusion
One requirement CIP guidelines don’t spell out is the need for adaptability and intra-
organization cooperation. Security is an arms race, and the electric utility requires
considerable cooperation and integration within the organization to stay agile enough
to adapt to changing challenges and still meet compliance.
Careful consideration of hardware and software choices will help the utility institute
the continual modifications that are needed to meet the moving target of critical
infrastructure protection. Flexible asset access controls are a must to mitigate
changing risks. Above all, dedicated intra-organization communications and training
that emphasize security make every employee part of the solution – and assure that
security is a successful process.