In the past year or so, North American electric utilities have increased their focus on NERC CIP compliance standards. As a reminder, these standards have been issued by the North American Electric Reliability Corporation with emphasis on ensuring the bulk power system --- i.e., the main electric transmission grid --- is protected from cyberattack.
Of course, a cyberattack can come from outsiders, including organized criminals, script kiddies or nation states; however, the NERC CIP-004 standard, in particular, focuses on protecting the grid from the "insider" threat. In other words, this standard helps to ensure that personnel who have authorized cyber or authorized unescorted physical access to "critical cyber assets (CCAs)" --- including contractors, service vendors or temporary employees --- have been appropriately vetted for their background and have the appropriate level of security training and awareness prior to gaining access to the CCAs.
A survey of the requirements
NERC CIP-004 has four primary requirements that include the following key points:
- Requirement 1 -- Awareness: This requirement mandates that an affected utility establish, maintain and document a security awareness program for those who have "…authorized cyber or authorized unescorted physical access" to critical cyber assets. An awareness program is really a good practice for any company. It will help evangelize expectations for employee security practices regardless of the NERC requirements.
At a minimum, each quarter the utility should reinforce sound security practices --- especially for the security of the critical cyber assets --- through:
a) direct communications (e.g., emails, memos, computer-based training, etc.)
b) indirect communications (e.g., posters, intranet postings, brochures, etc.)
c) management support and reinforcement (e.g., presentations, meetings, etc.)
- Requirement 2 -- Training: In this requirement, an affected utility must establish, maintain and document an annual cybersecurity training program for the same group of employees covered in Requirement 1 (i.e., those with "…authorized cyber or authorized unescorted physical access"). The training should cover the policies, access controls and procedures developed to protect the critical cyber assets from damage or "hacking." The training should include the following required items:
- Proper use of critical cyber assets.
- Physical and electronic access controls to critical cyber assets.
- Proper handling of critical cyber asset information.
- Action plans and procedures to recover or reestablish critical cyber assets following a cybersecurity incident.
- Requirement 3 -- Personnel risk assessment: The basic premise of this requirement is to ensure a background check has been performed on those individuals electronically accessing or physically touching the critical cyber assets. Some key points about the background checks and their performance are as follows:
- Each background check must include at least identity verification of the individual (e.g., Social Security number verification in the U.S.) and a seven-year criminal check.
- The background checks must be updated at least every seven years after the initial risk assessment was performed.
- Background checks may be performed for cause.
- The results of the background check must be documented and the results reviewed --- and the review documented --- by the utility per its documented risk assessment program.
- The risk assessments are to be performed in accordance with federal, state, provincial, and local laws and subject to existing collective bargaining agreements.
- Requirement 4 -- Access: The affected utility needs to maintain lists of personnel with authorized cyber or authorized unescorted physical access, as mandated. These lists need to show each individual's specific electronic and physical access rights to critical cyber assets (e.g., READ, WRITE, DELETE, Physical Adjustment and Repair, etc.).
The lists need to be reviewed quarterly, and the performance of the reviews needs to be documented. Also, the lists need to be updated within seven calendar days of any change to access rights of those personnel listed. Remember, this also includes contractors and vendors as well as employees.
A final key requirement is that the utility shall revoke such access to Critical Cyber Assets within 24 hours (note: not working hours but "calendar" hours) for personnel terminated for cause (i.e., "hostile termination") and within seven calendar days for personnel who no longer require such access (i.e., "friendly termination" or friendly transfer).
At a minimum, the utility must maintain detailed records showing that the training was performed for each affected individual, at least annually, including the date the training was completed.
Most importantly, according to Version 3 of CIP-004, the individuals must be "...trained prior to their being granted such access except in specified circumstances such as an emergency." And here, the utility needs to have a documented program that addresses when an emergency access is authorized before the training can be given.
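The training-before-access rule, the seven-year background check and the 24-hour/seven-day revocation windows above are the kind of rules an access-list review can check mechanically. The following script is an added example, not part of the original article or any NERC or utility tooling; the record layout (AccessRecord) and the sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
# Windows as the article states them: 24 calendar hours after a hostile termination,
# 7 calendar days after a friendly one, background checks refreshed every seven years.
HOSTILE_WINDOW = timedelta(hours=24)
FRIENDLY_WINDOW = timedelta(days=7)
PRA_MAX_AGE = timedelta(days=7 * 365)

@dataclass
class AccessRecord:                          # hypothetical record layout
    person: str
    access_granted: datetime
    training_completed: Optional[datetime]   # None: no training on file
    emergency_access: bool                   # documented emergency exception
    background_check: Optional[datetime]     # last personnel risk assessment
    termination: Optional[datetime] = None
    hostile: bool = False
    access_revoked: Optional[datetime] = None
def audit(records: List[AccessRecord], now: datetime) -> List[str]:
    """Return one finding per CIP-004 rule that a record fails to meet."""
    findings = []
    for r in records:
        # R2: training precedes access unless a documented emergency applies
        if not r.emergency_access and (r.training_completed is None or r.training_completed > r.access_granted):
            findings.append(f"{r.person}: access granted before training")
        # R3: background check on file and no older than seven years
        if r.background_check is None or now - r.background_check > PRA_MAX_AGE:
            findings.append(f"{r.person}: background check missing or older than 7 years")
        # R4: revocation deadline is measured from the termination timestamp
        if r.termination is not None:
            label = "hostile" if r.hostile else "friendly"
            deadline = r.termination + (HOSTILE_WINDOW if r.hostile else FRIENDLY_WINDOW)
            if r.access_revoked is None and now > deadline:
                findings.append(f"{r.person}: access still active past {label} deadline")
            elif r.access_revoked is not None and r.access_revoked > deadline:
                findings.append(f"{r.person}: access revoked {r.access_revoked - deadline} late ({label})")
    return findings
def sample_findings() -> List[str]:
    """Run the audit over constructed sample records (not real data)."""
    d = datetime
    records = [
        AccessRecord("contractor A", d(2010, 1, 10), d(2010, 1, 5), False, d(2009, 12, 1),
                     termination=d(2010, 3, 20), hostile=True, access_revoked=d(2010, 3, 22)),
        AccessRecord("employee B", d(2010, 2, 1), None, True, d(2002, 1, 1)),
        AccessRecord("vendor C", d(2010, 3, 1), d(2010, 3, 5), False, d(2010, 2, 1),
                     termination=d(2010, 3, 24)),
    ]
    return audit(records, now=d(2010, 4, 1))
```

Each finding maps to one of the four violation categories NERC identified (access, training, risk assessment), so the output doubles as the documentation trail the standard asks for.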
Hardest CIP to enforce
Although the requirements are straightforward, this has been one of the hardest CIP standards for utilities to consistently enforce. In NERC's monthly violation reports, CIP-004 is usually the second most violated reliability standard. In NERC's "Top 10 All Time Violated Standards," the March 2010 graph is displayed below.
Because of the high frequency of CIP-004 violations, in December 2009 NERC produced an analysis of the causes of these compliance failures. NERC's analysis first recognized that CIP-004 violations generally fell into one of four categories: 1) Documentation, 2) Access (i.e., access without training or clearance), 3) Training, or 4) Risk Assessment (i.e., background check). The number of violations in each category was about the same (about 20), with risk assessment causing the most failures (24).
Following this analysis, NERC's recommendations to utilities for reducing these violations included ensuring and verifying that employees, contractors and vendors have received training and background checks prior to access, and that appropriate changes to access lists are made upon termination or transfer of employees, contractors or vendors.
Vendor guidance and "to do's"
For vendors working with electric utilities, it is in your and the utility's best interest to thoroughly understand these requirements and work closely together to ensure the requirements are not only met, but effectively and accurately documented. At the top of the list of things to do, the vendors need to keep the utility informed of any changes to personnel status that could impact the utility access control lists. In other words, if a vendor employee with a utility badge is terminated or resigns, it is of the utmost importance to inform the utility ASAP so they don't miss the 24-hour window for hostile terminations.
About the author
Ernie Hayden is the former CISO for the Port of Seattle, Group Health Cooperative and most recently Seattle City Light where he coordinated the efforts regarding NERC Critical Infrastructure Protection compliance. Ernie holds a CISSP and a Certified Ethical Hacker and lives in the Seattle area.
Send feedback on this tip to Editor@searchsecuritychannel.com.