The NERC CIP v5 standards will be enforced beginning in July of this year, but version 6 is already on the horizon. Previously, we examined the differences between v3 and v5, and we saw how the CIPs related to cybersecurity were evolving. This pattern continues in v6, with changes coming to some of the cyber CIPs and the addition of standards regarding “transient cyber assets and removable media,” but the major changes in v6 have to do with scope: which facilities are required to comply, and at what level they must comply (low, medium or high impact). We’ll examine some of the differences coming up in CIPv6 and what they will mean for the industry.
Impact and Scope
In CIPv5, the classification of NERC-covered facilities was split into three categories: low, medium and high impact, in order to better fit requirements to the actual facilities to which they were being applied. For instance, a low impact facility doesn’t require as much protection as a high impact facility, because the likelihood of it being attacked and the consequences of it being down are relatively low. However, getting these classifications correct takes trial and error, and CIPv6 has expanded on some of the requirements for low impact facilities. The good news is that companies without low impact facilities will be mostly unaffected by these scope changes.
Removable Media and “Transient Assets”
New in CIPv6 is R4 of CIP-10-2, regarding removable media such as USB sticks and other “transient cyber assets.” The goals of this addition are two-fold: preventing unauthorized access and preventing unauthorized code execution, such as malware. Here are some critical points about this new regulation:
- R4.1 - Requires “a spreadsheet identifying the authorized software for each Transient Cyber Asset, individually or by group, OR a record in an asset management system that identifies the authorized configuration for each Transient Cyber Asset individually or by group.”
- R4.2 and 4.3 - Companies must “use method(s) to deter, detect, or prevent malicious code” on transient assets and removable media, and provide proof of doing so.
- R4.7 - Companies must “evaluate Transient Cyber Assets, within 35 calendar days prior to use, to ensure security patches are up-to-date,” as well as update documentation.
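As an added illustration (not part of the standard or of the original article), the sketch below audits a transient-asset inventory against R4.1 and R4.7 as quoted above. The asset IDs, group names, software names, field names and dates are all constructed, and reading R4.1 as "individual record first, then group record" is an assumption.

```python
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=35)  # "within 35 calendar days prior to use" (R4.7 as quoted)

# Constructed sample inventory; every ID, group and software name is hypothetical.
AUTHORIZED_BY_GROUP = {"relay-test-laptops": {"vendor-relay-tool 4.2", "av-agent 11.0"}}
AUTHORIZED_BY_ASSET = {"TCA-003": {"firmware-loader 1.9", "av-agent 11.0"}}
ASSETS = [
    {"id": "TCA-001", "group": "relay-test-laptops", "patch_eval": date(2016, 6, 20),
     "installed": {"vendor-relay-tool 4.2", "av-agent 11.0"}},
    {"id": "TCA-002", "group": "relay-test-laptops", "patch_eval": date(2016, 5, 1),
     "installed": {"vendor-relay-tool 4.2", "av-agent 11.0", "torrent-client 2.1"}},
    {"id": "TCA-003", "group": None, "patch_eval": None,
     "installed": {"firmware-loader 1.9"}},
]


def authorized_software(asset):
    """Authorized set for an asset: individual record first, then group; None if neither."""
    if asset["id"] in AUTHORIZED_BY_ASSET:
        return AUTHORIZED_BY_ASSET[asset["id"]]
    return AUTHORIZED_BY_GROUP.get(asset["group"])


def findings(asset, use_date):
    """List the R4.1 / R4.7 gaps that should block this asset from use on use_date."""
    out = []
    allowed = authorized_software(asset)
    if allowed is None:
        out.append("no authorized-software record (R4.1)")
    else:
        out.extend(f"unauthorized software: {sw} (R4.1)"
                   for sw in sorted(asset["installed"] - allowed))
    evaluated = asset["patch_eval"]
    if evaluated is None:
        out.append("no patch evaluation on record (R4.7)")
    elif evaluated > use_date:
        out.append("patch evaluation dated after use (R4.7)")
    elif use_date - evaluated > PATCH_WINDOW:
        out.append(f"patch evaluation {(use_date - evaluated).days} days before use (R4.7)")
    return out


def audit(assets, use_date):
    return {a["id"]: findings(a, use_date) for a in assets}


if __name__ == "__main__":
    for asset_id, issues in audit(ASSETS, date(2016, 7, 1)).items():
        print(asset_id, "OK" if not issues else "; ".join(issues))
```

The returned findings can be kept alongside the asset record as evidence that the check was performed before each use.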
Physical Security of Non-Programmable Cyber Assets
Although most of the attacks on cyber infrastructure come through programmable systems, NERC is adding a crucial section of CIP-006-06 focusing on “non-programmable assets” or “systems without external routable connectivity.” Things like cabling can either be physically secured, OR entities can show sufficient logical protection in other areas, such as encryption, alarms or monitoring, that prevents those types of attacks.
Preparing for CIPv6 and Beyond
With CIPv5 enforcement beginning in 2016, many organizations are still working towards compliance with that standard. Pieces of v6 will take effect between 2016 and 2018, so teams will need to begin addressing the new requirements almost immediately. NERC deadlines have been known to be pushed back, however, and version 4 of the CIP standards was bypassed entirely for version 5. Additionally, the Federal Energy Regulatory Commission (FERC) must approve the NERC processes, and the bounce back and forth between NERC and FERC can cause extra delays.
Despite the rigid classifications, most of the CIP standards are common security best practices. Removable media is an easy attack vector to miss, but the consequences of a malicious USB stick can be drastic, as Sony found out the hard way. Furthermore, business is increasingly conducted remotely, and transient assets will continue to make up more and more of the hardware with access to critical data and systems. These new standards help address that trend before it becomes even more of an issue.
Evolving regulatory standards require adaptable compliance solutions. Nobody wants to dedicate a significant portion of time and money to a solution, only to find their work is out of date and must be redone. CIPv6 will mostly affect entities with low impact facilities, but CIPv7, CIPv8? We don’t know exactly what will be in these newer versions of the standards, but we have an idea of the direction in which NERC is moving: asset discovery and inventory, security patches, configuration monitoring and testing. As important as it is to check the box off for compliance, a more holistic view of environment visibility and resilience will prepare organizations for the future mutations of NERC and other compliance standards. UpGuard can test all your configurations and serve both as a single system of record for compliance and as a cornerstone of a cyber resilience strategy. The first 10 nodes are free.