This post is part of a coordinated series of blog posts examining the details of version 5 of the NERC Critical Infrastructure Protection (CIP) standards. These posts, written by various individuals having direct experience with these standards, will point out security gaps, ambiguities, and areas that could prove challenging to audit. The purpose of the posts is to highlight areas for future improvement, and to draw attention to issues for which entities may wish to apply greater diligence than is currently required by regulation.
Steve Parker, EnergySec
Version 5 of the NERC CIP standards appears to have taken a step backwards with respect to the protection of Electronic Security Perimeters. Previously, control, or at least the declaration of an access point, was required wherever data crossed the logical perimeter. This included data passing via non-routable protocols. In fact, in the CIP-005 Compliance Analysis Report published in May of 2012, this point was made clear:
A common error is to presume that an electronic access point is only required for routable networks. In fact, any data traffic that crosses the ESP requires an electronic access point somewhere. – Page 11
The basis for this position is CIP-005-3 R1.1, which states, “Access points to the Electronic Security Perimeter(s) shall include any externally connected communication end point (for example, dial-up modems) terminating at any device within the Electronic Security Perimeter(s).”
While this approach created some awkward situations with certain classes of equipment, it did acknowledge the importance of protecting the perimeter regardless of access methods.
The requirement embodied in R1.1 has been removed in version 5. Additionally, version 5 is accompanied by new or updated definitions for a few related terms, among them Electronic Access Point and Interactive Remote Access. Both of these terms are defined as pertaining to routable protocols only and contain no provisions regarding non-routable protocols. The requirements in version 5 of CIP-005 contain nothing pertaining to non-routable protocols (apart from a mention of dial-up access); therefore, it appears that serial connections (and similar non-routable connections) from cyber assets outside an ESP to cyber assets inside an ESP can be made with no required protections at all. Indeed, the Standards Drafting Team (SDT) itself suggested this in its guidance, which states, “Direct serial, non-routable connections are not included as there is no perimeter or firewall type security that should be universally mandated across all entities and all serial communication situations.”
The SDT was correct to an extent. Serial and other non-routable protocols do not fit with traditional notions of network perimeter security. Nevertheless, such communication channels can be exploited. For example, recently disclosed DNP3 vulnerabilities may be exploited over serial communications links.
Non-routable communication links deserve consideration as part of any comprehensive security plan. Some potential protections include:
- Ensure that all devices involved in such communications are protected from unauthorized physical access.
- Consider encryption or other protections for communication paths.
- Provide additional monitoring and/or isolation for devices with non-routable communication links to potentially untrusted devices.
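As an added example (not from the original post or any NERC or SDT material), here is one piece of the "additional monitoring" a passive tap on a serial DNP3 link could perform: a validator for the DNP3 data-link frame that checks the start bytes, the LEN field against the actual frame size, and the CRC-16/DNP over the header and each 16-byte data block, reporting the first defect so malformed traffic can be logged. The frame layout and CRC parameters are those of the DNP3 standard; the function names and the sample frames built with `build_frame` are constructed here for illustration.

```python
import struct

def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: reflected form of poly 0x3D65 (0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def build_frame(ctrl: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Assemble a well-formed frame; used here only to construct sample input."""
    header = bytes([0x05, 0x64, 5 + len(user_data), ctrl]) + struct.pack("<HH", dest, src)
    out = header + struct.pack("<H", crc_dnp(header))       # CRC is sent low byte first
    for i in range(0, len(user_data), 16):                   # each data block carries its own CRC
        chunk = user_data[i:i + 16]
        out += chunk + struct.pack("<H", crc_dnp(chunk))
    return out

def parse_frame(frame: bytes) -> dict:
    """Decode one data-link frame; raise ValueError naming the first defect found."""
    if len(frame) < 10:
        raise ValueError("truncated header")
    if frame[:2] != b"\x05\x64":
        raise ValueError("bad start bytes")
    length = frame[2]                                        # bytes after LEN, CRCs excluded
    if length < 5:
        raise ValueError("LEN below minimum of 5")
    if struct.unpack("<H", frame[8:10])[0] != crc_dnp(frame[:8]):
        raise ValueError("header CRC mismatch")
    user_len = length - 5
    expected = 10 + user_len + 2 * ((user_len + 15) // 16)  # header + data + one CRC per block
    if len(frame) != expected:
        raise ValueError(f"LEN={length} implies {expected} bytes, got {len(frame)}")
    ctrl, (dest, src) = frame[3], struct.unpack("<HH", frame[4:8])
    payload, pos = b"", 10
    while pos < len(frame):
        n = min(16, user_len - len(payload))
        chunk = frame[pos:pos + n]
        if struct.unpack("<H", frame[pos + n:pos + n + 2])[0] != crc_dnp(chunk):
            raise ValueError(f"data block CRC mismatch at offset {pos}")
        payload, pos = payload + chunk, pos + n + 2
    return {"dir": ctrl >> 7, "prm": (ctrl >> 6) & 1, "func": ctrl & 0x0F, "dest": dest, "src": src, "user_data": payload}
def frame_defect(frame: bytes):
    """Monitoring hook: None when the frame is well-formed, otherwise the defect text."""
    try:
        return parse_frame(frame) and None                   # dict is truthy, so a valid frame yields None
    except ValueError as exc:
        return str(exc)
```

Link-layer validation only catches frames that are malformed or corrupted; it says nothing about whether a well-formed request from the far end of the serial link is legitimate, which is why the post also recommends physical protection and isolation.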
There are numerous nuances and “interpretations” that can be made with respect to the definitions and requirements. I’m sure this issue will receive scrutiny, and audit approaches may find a way to address this apparent deficiency. But on the surface, it seems that this is one area where the latest CIP standards have regressed.