Proven Compliance Solutions Inc. (PCS) continually monitors the development and revisions to the NERC Reliability Standards and is providing this general update regarding several CIP Standards revisions that will be effective on October 1, 2022. If you need assistance with the upcoming changes, contact PCS to find out more about our services.
In Order No. 850, FERC issued a directive to develop modifications within the scope of the supply chain risk management Reliability Standards to include Electronic Access Control or Monitoring Systems (EACMS) associated with medium and high impact BES Cyber Systems (BCS). Then, in Chapter 2 of the NERC – Cyber Security Supply Chain Risks document, requirements were further extended to protect Physical Access Control Systems (PACS).
Supply chain risk management requirements were first incorporated in the following NERC CIP Standards:
- CIP-005-6 – Electronic Security Perimeters (Requirement 2, Parts 2.4 and 2.5);
- CIP-010-3 – Change Control Management and Vulnerability Assessments (Requirement 1, Part 1.6); and
- CIP-013-1 – Supply Chain Risk Management (the entire Standard).
The above Standard revisions are currently in effect until October 1, 2022 and have applied to high and medium BCS (with Protected Cyber Assets [PCA] included for CIP-005-6 R2.4 and R2.5). The Standards Development Team (SDT) for NERC Project 2019-03 Cyber Security Supply Chain Risks has updated the three target Standards to extend applicability beyond BCS (and PCA) to include EACMS and PACS. These updated Standards (CIP-005-7, CIP-010-4, and CIP-013-2) become effective October 1, 2022.
CIP-005-7 – A New Requirement (R3.1 and R3.2)
CIP-005-6 introduced Requirement 2 Parts 2.4 and 2.5 for determining and disabling vendor remote access sessions (including Interactive Remote Access and system-to-system) for high and medium impact BCS and associated PCAs. Extending those requirements to EACMS and PACS in CIP-005-7 presents a unique issue for EACMS. Requirement 2 Part 2.1 requires that all Interactive Remote Access utilize an Intermediate System to avoid direct access into applicable Cyber Assets. Therefore, adding EACMS and PACS to Parts 2.4 and 2.5 creates a potential “hall of mirrors” whereby accessing an Intermediate System (which is a type of EACMS) would itself require access to an Intermediate System, and so on.
To avoid the R2 requirement that vendors access applicable systems (e.g., EACMS) only through an Intermediate System (itself another EACMS), the SDT created Requirement 3 (Parts 3.1 and 3.2) in CIP-005-7 specifically for EACMS and PACS. R3.1 corresponds to R2.4 and R3.2 corresponds to R2.5, but R3 avoids the “hall of mirrors” by removing the references to “Interactive Remote Access” and “system-to-system” and replacing them with the term “authenticated vendor-initiated remote connections.” This approach extends protections to the first line of defense within an ICS network environment (for example, the firewalls, which are normally categorized as EACMS) as well as the first line of defense within the physical environment (the PACS).
CIP-010-4 – Extension of Vendor Identity and Software Integrity Verification Applicability
CIP-010-3 introduced Requirement R1 Part 1.6 to mandate that entities verify the identity of a software source (R1.6.1) and verify the integrity of the software obtained from that source (R1.6.2) for all software destined for high or medium impact BCS. These measures are intended to address potential supply chain risks associated with a threat actor spoofing a vendor site, or inserting malicious code into software somewhere between its legitimate vendor source location and the customer download. Entities have routinely put controls and processes in place to verify vendor sites with certificates or secure browsing methods, and to use hash values (vendor-supplied when available) to verify that the software the vendor produces matches exactly the software the entity receives.
In CIP-010-4, these protections are now required beyond high and medium impact BCS to EACMS and PACS devices. When obtaining new software, firmware, or patches for an EACMS or PACS device, the entity must also apply controls to verify vendor identity and software integrity. Many entities had already adopted the policy upon the effective date of CIP-010-3 to develop these controls for BCS, PCA, EACMS, and PACS. In those cases, no further actions are required. However, if the process has been limited to BCS, the entity will need to apply the same or a similar process to EACMS and PACS software/firmware as of October 1, 2022. Note that the wording of Requirement R1 Part 1.6 has not changed; the change is only in the Applicable Systems section of the requirement table for R1.6.
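As an added illustration of the R1.6.2 integrity check described above (this is example code, not part of the PCS article or any NERC guidance), the following Python script compares an obtained firmware image against a vendor-supplied sha256sum-style manifest and produces an evidence record of the result; the package bytes, manifest contents and file name are constructed for the example, and the vendor identity check of R1.6.1 is not covered by this offline script.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict

@dataclass
class IntegrityResult:
    """Evidence record an entity could retain for R1.6.2 (hypothetical structure)."""
    filename: str
    algorithm: str
    expected: str
    observed: str
    verified: bool

def parse_manifest(text: str) -> Dict[str, str]:
    """Parse a sha256sum-style manifest ('<hex>  <filename>' per line)."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[parts[1].lstrip("*")] = parts[0].lower()
    return entries

def verify_integrity(filename: str, data: bytes, manifest: Dict[str, str],
                     algorithm: str = "sha256") -> IntegrityResult:
    """Hash the obtained file and compare it with the vendor-published digest."""
    if filename not in manifest:
        raise KeyError(f"{filename} is not listed in the vendor manifest")
    expected = manifest[filename]
    observed = hashlib.new(algorithm, data).hexdigest()
    # Constant-time compare; any mismatch means the software must not be deployed.
    return IntegrityResult(filename, algorithm, expected, observed,
                           hmac.compare_digest(observed, expected))

# Constructed sample: a fake firmware image plus the manifest the vendor would
# publish with it (digest computed here only to build the sample manifest).
SAMPLE_FILE = "eacms-fw-2.3.1.bin"
VENDOR_PACKAGE = b"EACMS firmware image 2.3.1 (constructed sample bytes)"
VENDOR_MANIFEST = f"# vendor release manifest\n{hashlib.sha256(VENDOR_PACKAGE).hexdigest()}  {SAMPLE_FILE}\n"

def demo() -> tuple:
    """Return (verified for intact download, verified for tampered download)."""
    manifest = parse_manifest(VENDOR_MANIFEST)
    intact = verify_integrity(SAMPLE_FILE, VENDOR_PACKAGE, manifest)
    tampered = verify_integrity(SAMPLE_FILE, VENDOR_PACKAGE + b"\x00", manifest)
    return intact.verified, tampered.verified
```

The same check applies unchanged to PACS software once CIP-010-4 extends the Applicable Systems; the retained IntegrityResult is the kind of artifact an auditor would expect to see.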
CIP-013-2 – Extension of Supply Chain Risk Management Plan Applicability
CIP-013-1 was the first revision of a risk-based CIP Reliability Standard addressing Cyber Security Supply Chain Risk Management (Cyber Security SCRM). CIP-013 requirements do not have a separate Applicable Systems section defining to which category of device the Standard applies. Applicability to high and medium impact BCS was therefore stated directly in the requirement text itself.
To extend cyber security supply chain risk requirements to EACMS and PACS, the SDT therefore had to modify the requirement text directly in CIP-013-2. The bottom line is that everything an entity does through its CIP-013 plan to identify, assess, evaluate, and monitor risks to its BCS, it must now also do for its EACMS and PACS. The substantive changes to the specific sub-requirements as now written in CIP-013-2 are:
- R1: Develop one or more SCRM plans – now includes “…for high and medium impact BES Cyber Systems and their associated EACMS and PACS.”
- R1.1: Process(es) used in planning for procurement of BES Cyber Systems – now adds “and their associated EACMS and PACS to identify and assess cyber security risks…”
- R1.2: Process(es) used in procuring BES Cyber Systems – now adds “, and their associated EACMS and PACS, that address the following…”
- R1.2.5: Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System – now adds “and their associated EACMS and PACS.”
- R1.2.6: Coordination of controls for (i) vendor-initiated Remote Access and (ii) system-to-system remote access with a vendor(s) – now changes to align with R3 of the new CIP-005-7 to read: “Coordination of controls for (i) vendor-initiated remote access.”
In summary, the changes to the supply chain CIP Standards effective October 1, 2022 are consistent with one another in addressing the growing threat environment the industry faces. These changes extend requirements to offer controls and protections not only to the crown jewels of the network (the BCS), but also to those devices that themselves offer an entry point to those crown jewels, either through the production network (EACMS) or through the physical gatekeepers (PACS).
If you’re responsible for monitoring NERC Standards activities and are looking for assistance with this effort, PCS has developed a web-based Standards Compliance Intelligence Portal (SCIP) that identifies standards in development and upcoming standards enforcement that is customized to each client’s needs and NERC registrations. Industry news and events, as well as regional and provincial activities are also tracked. For more information regarding SCIP or any other Reliability Standards compliance needs you may have, please contact Dale Zahn at 509.504.5496 or firstname.lastname@example.org or visit our website at www.provencompliance.com.