Proposed NERC Reliability Standards CIP-004-7 and CIP-011-3 (BCSI) Access Management

NERC CIP released their 2735-page proposed update yesterday. Here’s what you need to know


After three separate drafts and a multi-year effort beginning in 2019, NERC has finally approved the proposed changes to Reliability Standards CIP-004-7 and CIP-011-3. What are these changes, and what spurred them? In short, the cloud and third-party services forced NERC to outline new security requirements that address the shift away from on-premises data storage toward access controls based on file-level rights and permissions.

Why the Change?

As security stakeholders access data in the cloud, increased focus and guidance must be placed on the protections that remain within stakeholder control when third-party data storage and analysis systems are used. The proposed Reliability Standards maintain the security objectives of the previous versions while giving responsible entities more flexibility to leverage third-party data storage and analysis systems. This flexibility aims to enhance reliability by giving power and energy entities more options to use such systems in a secure manner.

What’s New?

The proposed revisions clarify the requirements expected when using third-party solutions (e.g., cloud services) to store BCSI. The revisions proposed by NERC are as follows:

CIP-004-7:

  • This Standard continues to govern personnel risk assessment, training, security awareness, and access management. Changes include:
    • Removes references to “designated storage locations” and focuses the requirements on provisioned access to the BCSI, not the location where the information is stored. This change allows entities to implement file-level rights and permissions, such as policy-based credentials or encryption, to manage access to BCSI.
    • A sixth requirement (R6) has been added that requires "an access management program(s) to authorize, verify, and revoke provisioned access to BCSI that includes the applicable requirement parts in Table R6 – Access Management of BES Cyber System Information".
    • Table R6 contains 3 proposed parts:
      • "Part 6.1 requires Responsible Entities to authorize provisioned electronic access and provisioned physical access to BCSI.
      • Part 6.2 incorporates into the access management program the deleted Part 4.4 obligations to verify individuals with provisioned access are still appropriate.
      • Part 6.3 incorporates into the provisioned access program the deleted Part 5.3 obligation to remove an individual’s ability to use provisioned access to BCSI for a termination action.”
  • These changes apply to high impact BES Cyber Systems; medium impact BES Cyber Systems with External Routable Connectivity; and Electronic Access Control or Monitoring Systems (“EACMS”) and Physical Access Control Systems (“PACS”) associated with these high and medium BES Cyber Systems.
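The authorize / verify / revoke cycle that Parts 6.1 to 6.3 describe, as an added illustration written for this post (not NERC's text and not any entity's actual program). The class, field and sample names are assumptions; the verify step reconciles what a storage platform actually grants against recorded authorizations, which is the check an auditor would expect to see evidence of.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
@dataclass
class Authorization:
    person: str
    repository: str                    # a BCSI repository, e.g. a cloud document store
    approver: str
    granted_on: date
    revoked_on: Optional[date] = None
    def active(self, as_of: date) -> bool:
        return self.granted_on <= as_of and (self.revoked_on is None or self.revoked_on > as_of)

class BcsiAccessProgram:
    # Hypothetical model of the CIP-004-7 R6 program: authorize (6.1), verify (6.2), revoke (6.3).
    def __init__(self) -> None:
        self.authorizations: list = []
    def authorize(self, person: str, repository: str, approver: str, on: date) -> Authorization:
        # Part 6.1: provisioned access is granted only against a recorded authorization.
        auth = Authorization(person, repository, approver, on)
        self.authorizations.append(auth)
        return auth
    def verify(self, provisioned: dict, as_of: date) -> list:
        # Part 6.2: reconcile what the platform actually grants against active authorizations.
        findings = []
        for repo, people in provisioned.items():
            allowed = {a.person for a in self.authorizations if a.repository == repo and a.active(as_of)}
            for person in sorted(people - allowed):
                findings.append(f"{person} has provisioned access to {repo} without an active authorization")
        return findings
    def revoke(self, person: str, on: date) -> list:
        # Part 6.3: a termination action ends every active authorization for the individual.
        revoked = []
        for a in self.authorizations:
            if a.person == person and a.active(on):
                a.revoked_on = on
                revoked.append(a.repository)
        return sorted(revoked)

def demo() -> tuple:
    # Constructed sample data: names and repository are placeholders, not from any real entity.
    program = BcsiAccessProgram()
    program.authorize("alice", "cloud-bcsi-share", "ciso", date(2024, 1, 15))
    program.authorize("bob", "cloud-bcsi-share", "ciso", date(2024, 2, 1))
    acl = {"cloud-bcsi-share": {"alice", "bob", "mallory"}}   # what the platform currently grants
    before = program.verify(acl, date(2024, 6, 30))            # periodic review flags mallory
    revoked = program.revoke("bob", date(2024, 7, 1))          # bob is terminated
    after = program.verify(acl, date(2024, 7, 1))              # bob flagged until the ACL is updated
    return before, revoked, after
```

Revocation here only ends the authorization record; the finding it produces on the next verification is the reminder that the platform's own permissions still have to be removed.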

CIP-011-3:

  • This Standard addresses information protection of BCSI and consists of two requirements (R1 and R2).
  • The revised R1 states "Responsible Entity shall implement one or more documented information protection program(s) for BES Cyber System Information (BCSI) pertaining to “Applicable Systems” identified in CIP-011-3 Table R1 – Information Protection Program that collectively includes each of the applicable requirement parts in CIP-011-3 Table R1 – Information Protection Program," which applies to high and medium impact BES Cyber Systems and associated EACMS and PACS.
    • The proposed changes to R1, Parts 1.1 and 1.2, "clarify and simplify the requirement language. Proposed Part 1.1 removes redundant language. Proposed Part 1.2 includes more objective-level language to once again focus the protections on the BCSI itself. The proposed objective of Part 1.2 is “to mitigate the risks of compromising confidentiality.” The intent of proposed Part 1.2 is to protect BCSI from unauthorized access no matter where the BCSI is located or its state (i.e., in storage, transit, or use). Therefore, in focusing protections on preserving confidentiality, the requirements in proposed CIP-011-3 help ensure that BCSI is protected regardless of the location of the BCSI”
  • R2 requires "Responsible Entities to implement documented processes regarding BES Cyber Asset reuse and disposal, consistent with the applicable requirement parts."

Other minor modifications, made to align these Standards with revisions to other Standards or initiatives in other areas, are summarized as follows:
  • Interchange Coordinator or Interchange Authority is removed from the Applicability section
  • Replace SPS with RAS
  • The acronym for BES Cyber System Information (BCSI) has replaced all references to BES Cyber System Information except in certain circumstances, such as the first use of the term and the headers of some tables

Implementation Plan:

NERC is proposing the following: “Implementation Plan provides that the proposed Reliability Standards shall become effective on the first day of the first calendar quarter that is 24 calendar months after the effective date of the Commission’s order approving the proposed Reliability Standards.”

What Does this Mean for You?

The proposed changes to NERC Reliability Standards CIP-004-7 and CIP-011-3 suggest an increased reliance on cloud-based services by asset owners and cybersecurity stakeholders within the North American power and substation sector. Although IT-OT convergence has been an inevitable outcome of increased virtualization, the cloud has remained a controversial topic. However, as security services have evolved to not only leverage cloud infrastructure but rely on the cloud for delivery, it was inevitable that NERC would have to address this change and give guidance on it.

Stay tuned for future communications outlining what these recent changes to NERC CIP will mean for stakeholders within the North American power sector.

For more information on NERC CIP, and other compliance measures, please subscribe to the blog.

DeRISK Industrial - Solve cyber risk for ICS and OT asset owners and industrial enterprises