This post is part of a coordinated series of blog posts examining the details of version 5 of the NERC Critical Infrastructure Protection (CIP) standards. These posts, written by various individuals having direct experience with these standards, will point out security gaps, ambiguities, and areas that could prove challenging to audit. The purpose of the posts is to highlight areas for future improvement, and to draw attention to issues for which entities may wish to apply greater diligence than is currently required by regulation.
“Every security professional will tell you that an information protection program is a fundamental component of any basic cyber security program and, rightfully so, it is included within the CIP-011-1 standard (notice the dash 1).
Let’s take a look at what CIP-011-1 says about information that needs to be protected. First we have to look up the definition of BES Cyber System Information in the NERC Glossary of Terms:
Information about the BES Cyber System that could be used to gain unauthorized access or pose a security threat to the BES Cyber System. BES Cyber System Information does not include individual pieces of information that by themselves do not pose a threat or could not be used to allow unauthorized access to BES Cyber Systems, such as, but not limited to, device names, individual IP addresses without context, ESP names, or policy statements. Examples of BES Cyber System Information may include, but are not limited to, security procedures or security information about BES Cyber Systems, Physical Access Control Systems, and Electronic Access Control or Monitoring Systems that is not publicly available and could be used to allow unauthorized access or unauthorized distribution; collections of network addresses; and network topology of the BES Cyber System.
Audit alert: Previously in CIP Version 3 it was stated that, regardless of media, the information protection program “shall include, at a minimum…” specific types of information. This new definition states “Examples of BES Cyber System Information may include…”. Using “May” instead of “Shall” could open up a can of worms in an audit. “Shall” was clear and prescriptive (relatively). “May” is unclear and subjective. And that isn’t even counting the first sentence, which appears to be putting the Responsible Entity in a position of determining which “pieces” of information may or may not be useful to a malicious actor. I get where the SDT was going, but I don’t think this is the correct definition to assure the right kind of information is being protected. Putting that aside for a moment…this definition tells me that an Information Protection Program better be incredibly detailed and specific. Vagueness leads auditors to use more of their professional judgement, and that often leads to more potential violations. I understand that many utilities wanted more flexibility in the CIP standards, but with that comes greater responsibility, not to mention potentially a lot more work!”