This post is the first of a series of blog posts from many in the Electric Power Cyber Security community illustrating what are believed to be gaps in the NERC CIP regulations that govern cyber security in the electric power sector. Over the next 30 days, these gaps will be spotlighted in the hopes that discussion will lead to improvements in the regulations.
Michael Toecker, Digital Bond
“The NERC CIP V5 regulations have a single clause in CIP-007 that addresses the potential use of removable media: CIP-007 R1.2. In it, entities are required to ‘protect against the use of unnecessary physical input/output ports used for network connectivity, console commands, or removable media’. This is arguably an improvement from NERC CIP V3, which had no specific restrictions against the use of physical ports.
Despite the slight improvement in CIP V5, the problem is that the regulation doesn’t address protections for Removable Media that is considered necessary by entities. I’ve been doing this for a while, and the most common infection vector in Electric Power systems I’ve consistently seen is the use of Removable Media by authorized personnel, removable media that was deemed necessary at the time and regretted later. My anecdotal experience is backed up by numerous articles, presentations, and actual news stories regarding cyber events originating from uses of Removable Media. The transferring of patches, license keys, control system software updates, moving logic and HMI files between systems and backing up systems can all be considered necessary uses of Removable Media. What is missing is how we minimize the risk to the bulk electric system from Removable Media threat vectors.”
Read more via NERC CIP Technical Gap – Removable Media | Digital Bond