By Jay Abshier and Phil Marasco
Many people familiar with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards have been voicing the belief that the standards are flawed. Most of those criticisms can be summarized by two general statements: 1) Compliance is focused on documentation, and 2) A utility can be 100% compliant with NERC CIP and still be very vulnerable.
First Flaw: Compliance is Focused on Documentation
This statement can be challenged by references to specific requirements in the CIP standards that require access controls, monitoring and other technical actions. But compliance checks are focused entirely on producing documentation that the requirements have been met. There are no requirements that the auditor or assessor verify the documentation by actually logging onto a firewall to review its rules or log onto devices to verify their configurations.
Protests that verification of the documentation is in the spirit of the standards ignore the fact that what counts is how the standard is written, not its intended meaning. As a result, assessments of CIP compliance are often done by individuals or companies that do not have extensive cyber security expertise and, following the letter of the standards, focus only on whether documentation can be produced. This feeds into the notion that a piece of paper or text document is more important than the result of a test or actual control validation. The U.S. federal government is dealing with this phenomenon right now while trying to overhaul its Federal Information Security Management Act (FISMA) standards.
Second Flaw: You Can Be Compliant and Still be Vulnerable
The existing requirements in the CIP Standards are actually pretty good. But they do not address common methods of successfully attacking a protected network. For example, a preferred method of attack is to compromise a device on the outside that has connectivity to a device on the inside. Once that outside device is compromised, the attacker can reach the inside device and possibly create accounts on the internal systems that make a return much easier. CIP standards place the primary emphasis on how the perimeter is defined and protected, rather than on actually monitoring internal systems. Because of this, too many organizations think "defense in depth" means doubling the number of firewalls instead of monitoring or validating the control's effectiveness by actually analyzing the traffic or the systems.
Suggestions to Improve the Standards
First, we recommend that section C (Measures) of each standard be modified to include more than a mere review of submitted documentation. Second, we recommend that specific cyber security principles that can delay, if not prevent, common methods of attack be added to the existing requirements.
Currently, the measures for determining compliance are primarily based on the existence of documentation. Unfortunately, standards that require that the auditing authority check the veracity of the documentation will increase the cost and time required for audits and compliance checks to unrealistic levels. Finding an acceptable compromise between the two extremes is necessary.
One solution might be to add a measure that requires that the auditing authority perform spot checks on randomly selected requirements. If a significant number of these spot checks identify required documentation that does not match the actual implementation, then the number of documentation checks performed should increase. Also, if there are significant discrepancies between the documentation and the implementation, perhaps requiring the entity being audited to pay for the increased costs should be considered.
It is understandable that standards should avoid being too detailed and prescriptive. First, detailed standards run the risk of implicitly endorsing a specific technical solution and second, prescriptive standards become obsolete more quickly than standards that are generic. However, there are several widely accepted cyber security principles that could be endorsed, if not required, that are not likely to become obsolete and do not prescribe specific technical solutions. As an example, we will look at the first line of cyber defense―the perimeter.
Recommendations for Improved Cyber Security Protections
The key elements of perimeter security that are examined are the demilitarized zone (DMZ), connection principles, data transfer, interactive remote access and monitoring.
DMZ: A firewall with a DMZ between the process control network (PCN) and the plant information network (PIN) is essential for effective cyber security. Non-firewall demarcation devices do not provide the rule granularity required, nor do they support a DMZ. The DMZ allows management and security tools, such as backup/recovery, intrusion detection systems (IDS) and anti-virus, to be segregated from both the PCN and the PIN. But its primary purpose is to provide a termination point for connections between the PCN and PIN. Forcing connections to terminate in the DMZ introduces a second obstacle between a hacker or malware in the PIN and the critical process control functions in the PCN. This can be termed the "One Level, One Jump" rule.
Ideally, if Active Directory (AD)-type domains are used, the PCN, the DMZ and the PIN will be on separate domains that have limited trust between them. For example, the DMZ may trust the PCN, and the PIN may trust the DMZ, but not vice versa. Account credentials used in the PIN must not be the same as those used in the DMZ or the PCN, and different authorities must be used to authenticate the accounts. This more effectively implements the controls intended to be created by the implementation of electronic security perimeters (ESP). Much of the effectiveness of an ESP is reduced if it permits authentication across the ESP based on common credentials that are used both inside and outside the ESP.
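The DMZ and domain-trust recommendations above are the kind of control that an auditor could verify against the actual implementation rather than against a document, as the first suggestion in this article argues. The following script is an added example, not code from the authors or from any NERC material: it takes an exported firewall rule set, a list of domain trusts and a list of accounts per zone (all constructed sample data with invented address ranges and names) and reports every rule that lets PIN traffic reach the PCN without terminating in the DMZ ("One Level, One Jump"), every trust that runs in the wrong direction, and every account name or authentication authority reused across zones.

```python
"""Spot-check a perimeter against the "One Level, One Jump" and one-way-trust rules.

Added example; zone ranges, rules, trusts and accounts below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Assumed zone address ranges (constructed for this example).
ZONES = {
    "PIN": ip_network("10.1.0.0/16"),
    "DMZ": ip_network("10.2.0.0/24"),
    "PCN": ip_network("10.3.0.0/16"),
}

# The only zone pairs that may talk directly: each is one "jump".
ADJACENT = {frozenset({"PIN", "DMZ"}), frozenset({"DMZ", "PCN"})}

# Permitted one-way trusts as (trusting domain, trusted domain):
# the DMZ may trust the PCN and the PIN may trust the DMZ, never the reverse.
ALLOWED_TRUSTS = {("DMZ", "PCN"), ("PIN", "DMZ")}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "allow" or "deny"
    src: str     # CIDR
    dst: str     # CIDR
    dport: int


def zone_of(cidr: str):
    """Return the single zone that fully contains cidr, or None if it is not confined to one zone."""
    net = ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return None


def rule_violations(rules):
    """Return (rule name, reason) for every allow rule that skips the DMZ or is not scoped to one zone."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        s, d = zone_of(r.src), zone_of(r.dst)
        if s is None or d is None:
            findings.append((r.name, "address range not confined to a single zone"))
        elif s == d:
            continue  # intra-zone traffic does not cross the perimeter
        elif frozenset({s, d}) not in ADJACENT:
            findings.append((r.name, f"direct {s}->{d} connection skips the DMZ"))
    return findings


def trust_violations(trusts):
    """trusts: iterable of (trusting domain, trusted domain). Return those not in the allowed one-way set."""
    return [t for t in trusts if t[0] != t[1] and t not in ALLOWED_TRUSTS]


def shared_credential_violations(accounts):
    """accounts: {zone: {(username, auth_authority), ...}}.
    Return ("account", name, zones) for names used in more than one zone and
    ("authority", name, zones) for an authentication authority serving more than one zone."""
    users, authorities = {}, {}
    for zone, entries in accounts.items():
        for user, authority in entries:
            users.setdefault(user, set()).add(zone)
            authorities.setdefault(authority, set()).add(zone)
    findings = [("account", u, sorted(z)) for u, z in users.items() if len(z) > 1]
    findings += [("authority", a, sorted(z)) for a, z in authorities.items() if len(z) > 1]
    return findings


# Constructed sample input: two compliant rules, one PIN->PCN shortcut, one unscoped "any" source.
SAMPLE_RULES = [
    Rule("pin-to-dmz-historian", "allow", "10.1.10.0/24", "10.2.0.10/32", 443),
    Rule("dmz-to-pcn-historian", "allow", "10.2.0.10/32", "10.3.5.0/24", 1433),
    Rule("vendor-direct", "allow", "10.1.20.5/32", "10.3.5.7/32", 3389),
    Rule("any-to-pcn", "allow", "0.0.0.0/0", "10.3.0.0/16", 22),
    Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", 0),
]
SAMPLE_TRUSTS = [("DMZ", "PCN"), ("PIN", "DMZ"), ("PCN", "DMZ")]
SAMPLE_ACCOUNTS = {
    "PIN": {("jsmith", "corp.example"), ("backup-svc", "corp.example")},
    "DMZ": {("jsmith-dmz", "dmz.example"), ("backup-svc", "dmz.example")},
    "PCN": {("ops-jsmith", "pcn.example")},
}

if __name__ == "__main__":
    for finding in rule_violations(SAMPLE_RULES):
        print("rule:", *finding)
    for finding in trust_violations(SAMPLE_TRUSTS):
        print("trust runs the wrong way:", "->".join(finding))
    for finding in shared_credential_violations(SAMPLE_ACCOUNTS):
        print("shared credential:", *finding)
```

Run against the sample data, the script flags the vendor-direct rule (PIN to PCN in one jump), the unscoped any-to-pcn rule, the PCN-trusts-DMZ relationship, and the backup-svc account that exists in both the PIN and the DMZ. Feeding it a real rule export instead of the constructed list is the sort of random spot check the article proposes: the documentation may say connections terminate in the DMZ, and this check confirms whether the rule base agrees.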