Interested in linking to "How Can the NERC CIP Standards Be Improved?"?
You may use the Headline, Deck, Byline and URL of this article on your Web site. To link to this article, select and copy the HTML code below and paste it on your own Web site.
Connection Principles: As mentioned above, connections should not be allowed to traverse from the PCN to the PIN, but be forced to terminate at a device in the DMZ (One Level, One Jump). Also, the direction of the connection is important. Devices in the PIN should not be allowed to open connections in the DMZ, and devices in the DMZ should not be allowed to open connections in the PCN. The reverse is preferred―only allow outbound connection requests.
Also, where possible, the connections should not be left open. Some applications, such as historians, require continuous connections. If this is the case in your environment, then the importance of keeping the devices segregated and hardened with the latest security patches is elevated, and they must be constantly monitored in real time.
Data Transfer: The basic rules for data transfer are the same as those for connections. Data and files should be pushed "up" from the PCN and pulled "down" from the PIN. Also, an anti-virus solution that scans files prior to its being written to disk is essential, which typically rules out any database-to-database transfers. The data transfer solution must use ports and services that are unlikely to be vulnerable. Solutions that require NetBIOS, Windows management instrumentation (WMI), etc. to be opened across the firewall should be avoided. Ideally, the ports used should be configurable, and a client/server model using account authentication is best.
Interactive Remote Access: Ideally, interactive remote access should be avoided. But in the real world it is likely to be required. If required, the first key principle is to require strong two-factor authentication to a device in the DMZ with a non-shared, unique (and therefore traceable) account. The second key principle is to ensure that the user's local PIN-based machine does not interact in any way with the PCN environment (in violation of the One Level, One Jump rule). The device establishing the second session from the DMZ to the PCN should enforce this. The third key principle is to leave interactive remote access accounts disabled until needed.
Monitoring: The monitoring solutions implemented in the DMZ should employ real-time monitoring. This does not mean that someone must be constantly watching a dashboard, but that the solution is able to detect anomalous behavior and alert someone who can quickly get to the dashboard to investigate. Also, monitoring solutions should be capable of terminating suspicious, anomalous communications. While this may occasionally cause inconvenience, it should not impede productivity, since time critical process activity is usually not required between the PIN and PCN.
There are some specific principles that NERC CIP standards can require that will greatly improve cyber security. In summary, these are:
Firewall and DMZ
Data and File Transfer
Interactive Remote Access
And finally, verification of compliance with the CIP Standards should involve more than the existence of documentation. The documentation should be checked for validity―at least on a spot-check basis with detailed follow-up if required.
Jay Abshier, CISSP, is a security consultant at Sentigy
Phil Marasco, CISSP, is a security consultant at Securicon.