Data Transfer: The basic rules for data transfer are the same as those for connections. Files should be pushed "up" from the PCN and pulled "down" from the PIN. Also, an anti-virus solution that scans files before they are written to disk is essential. The data transfer solution must use ports and services that are unlikely to be vulnerable. Avoid solutions that require NetBIOS, Windows Management Instrumentation (WMI), etc. to be opened across the firewall. Ideally, the ports used should be configurable, and a client/server model using account authentication is best.
Interactive Remote Access: Ideally, avoid interactive remote access. However, in the real world, it is likely to be required. First, require strong two-factor authentication to a device in the DMZ with a non-shared and unique account. Second, ensure that the user's local PIN-based machine does not interact in any way with the PCN environment. The device establishing the second session from the DMZ to the PCN should enforce this. Third, leave interactive remote access accounts disabled until needed.
Monitoring: Monitor the DMZ in real time. This does not mean that someone must be constantly watching a dashboard, but that solutions are able to detect anomalous behavior, and alert someone who can quickly get to the dashboard to investigate. Also, monitoring solutions should be capable of terminating suspicious or anomalous communications. While this may occasionally cause inconvenience, it should not impede productivity, since time-critical process activity is usually not required between the PIN and PCN.
There are some specific principles that NERC CIP standards can require that will greatly improve cyber security.
Firewall and DMZ:
- Require a DMZ with a firewall between the PIN and the PCN.
- Require different account credentials in the PIN, DMZ and PCN.
- Terminate connections from the PCN to the PIN in the DMZ.
- Allow only outbound connection requests.
- Do not leave connections open.
Data and File Transfer:
- Push data up from the PCN and pull it down from the PIN.
- Use a client/server model with account authentication.
- Avoid using vulnerable services such as NetBIOS.
Interactive Remote Access:
- Require two-factor authentication.
- Isolate the user's local desktop from the PCN.
- Leave interactive remote access accounts disabled until needed.
- Enforce one level, one jump.
Monitoring:
- Monitor the DMZ in real time.
- Automatically alert on suspicious or anomalous communications in the PIN.
- Automatically terminate suspicious or anomalous communications in the DMZ.
And, finally, verification of compliance with the CIP Standards should involve more than confirming the existence of documentation. The documentation should be checked for validity—at least on a spot-check basis—with detailed follow-up if required.
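One way to spot-check an exported firewall rule set against the Firewall/DMZ and data-transfer principles listed above, as an added example that is not part of the original article. The rule format, the `purpose` tags, the sample rules and port numbers, and the reading that the only DMZ-to-PCN session permitted is the remote-access jump are assumptions made for this example.

```python
from dataclasses import dataclass

# RPC endpoint mapper (135, used by WMI/DCOM) and NetBIOS (137-139).
RISKY_PORTS = {135: "RPC/WMI", 137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS"}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # zone that initiates the connection: PIN, DMZ or PCN
    dst: str      # zone that accepts it
    port: int
    purpose: str  # hypothetical tag: "file-transfer", "remote-access", ...

def audit(rules):
    """Return (rule name, finding) pairs for rules that break the principles."""
    findings = []
    for r in rules:
        # PIN and PCN must never talk directly; sessions terminate in the DMZ.
        if {r.src, r.dst} == {"PIN", "PCN"}:
            findings.append((r.name, "direct PIN/PCN path; terminate in the DMZ"))
        # Vulnerable services must not be opened between zones.
        if r.src != r.dst and r.port in RISKY_PORTS:
            findings.append((r.name, f"{RISKY_PORTS[r.port]} opened across the firewall"))
        # Files are pushed up from the PCN and pulled down from the PIN.
        if r.purpose == "file-transfer" and r.src == "DMZ":
            findings.append((r.name, "transfer initiated from the DMZ"))
        # Assumption: only the remote-access jump may open a session into the PCN.
        if (r.src, r.dst) == ("DMZ", "PCN") and r.purpose != "remote-access":
            findings.append((r.name, "inbound connection request into the PCN"))
    return findings

# Constructed sample rule set (not from any real site).
SAMPLE_RULES = [
    Rule("historian-push", "PCN", "DMZ", 8443, "file-transfer"),
    Rule("report-pull", "PIN", "DMZ", 8443, "file-transfer"),
    Rule("jump-session", "DMZ", "PCN", 3389, "remote-access"),
    Rule("legacy-share", "PIN", "PCN", 139, "file-transfer"),
    Rule("patch-drop", "DMZ", "PCN", 8443, "file-transfer"),
    Rule("wmi-poll", "DMZ", "PCN", 135, "monitoring"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

The first three sample rules pass; each of the last three produces two findings.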