This is the second in a series of pieces on the recently released FERC summary of the results of their 2018 CIP audits. The introductory piece talked about why that document was worthy of your attention; this time I’ll talk about one of the recommendations from the report, why it’s likely to be part of a future CIP version, and how current discovery and inventory management tools have matured to the point where they’re safe even in a production OT environment.
10. Consider using automated mechanisms that enforce asset inventory updates during configuration management.
One of the core weaknesses in the CIP oversight structure, from a security vantage point, is that the audit process does very little to verify that the CIP-002 asset lists are actually correct. This reflects a weak spot in the standards themselves, one that stems partly from the structural constraints placed on the drafting team. Because there is a strong desire to avoid prescribing the methods used to produce the desired results, the only requirements are that the Registered Entity (RE) produce, maintain, and approve lists of the cyber systems that are in scope for the various parts of the rest of the body of standards. Since every other standard relies entirely on the inventory produced by the CIP-002 processes, a failure to accurately produce or update those lists cascades further down the tree: an asset that never makes the list never receives the access controls, patching, monitoring, or change management the later standards require, leaving the RE exposed on a number of attack vectors without knowing it.
This weakness can also be exacerbated by the ambiguity introduced by the allowance to maintain lists of cyber systems rather than individual cyber assets, but in the field no one seems to be actually taking advantage of that looseness, so we'll leave that and the rest of the complexity introduced by the notion of cyber systems for another day. To be clear, though, a robust inventory is the foundation on which an entire program's effectiveness rests, which makes the value of an accurate inventory very high.
From an audit point of view (and even from the point of view of a robust self-governance model), there are limited steps that can be taken to verify the accuracy of inventory lists. In theory a physical inspection finds anything connected to a wired network, but in practice cable runs have a bad habit of disappearing into spaces the inspector is unlikely to actually inspect (conduit inside concrete walls, for example), and physical inspection is very weak at identifying assets that are reachable only over routable connectivity or that use wireless connections. Auditors can review the written procedures used to produce inventories, along with the evidence that those procedures are being followed, in hopes of identifying gaps, but that still leaves the possibility of operational areas that accidentally fall completely outside the procedures, or of singleton devices that are missed purely through oversight during installation.
All of this calls for the use of automated mechanisms as a practical matter. The good news is that the technology in this space has evolved significantly in the recent past. Modern automated network inventory tracking systems, such as the differing techniques used by the Verve software platform, have a track record of operating safely and effectively even in the most fragile of production environments. One caveat worth keeping in mind when evaluating any such tool: how safe it is on a control network depends heavily on how it discovers assets. Passive observation of traffic already on the wire carries essentially no risk to the end devices, while active probing of legacy controllers has a long history of upsetting them, so the discovery method needs to be understood and vetted before the tool is pointed at anything that matters. From a security viewpoint, using these systems is a clear win, as they provide a much higher confidence level that all of your assets (each of which is also an attack surface if compromised) are tracked, profiled, and under consideration for every security control that you implement.
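To make concrete what "automated mechanisms that enforce asset inventory updates during configuration management" look like in practice, here is an added illustration, written for this piece and not taken from the FERC report, from Verve, or from any NERC guidance. It reconciles an authoritative CIP-002 style asset list against two independent views: what has been passively observed on the network, and what change management is about to touch. Every device, address, ticket number and date below is constructed, and the field names are hypothetical; a real deployment would feed these structures from the discovery tool and the change-ticket system.

```python
"""Inventory reconciliation and change gating.

Added example, not vendor code or a regulatory procedure. All identifiers,
addresses, tickets and dates are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    kind: str    # category of discrepancy
    key: str     # MAC address the finding concerns
    detail: str  # human-readable explanation


# Authoritative inventory keyed by MAC address (constructed). OT discovery
# tools typically surface MAC/IP pairs, so MAC is used as the stable identity.
INVENTORY = {
    "00:1a:2b:00:00:01": {"name": "EMS-HMI-01", "ip": "10.10.1.11", "approved": date(2019, 1, 15)},
    "00:1a:2b:00:00:02": {"name": "EMS-SCADA-SRV-01", "ip": "10.10.1.20", "approved": date(2019, 1, 15)},
    "00:1a:2b:00:00:03": {"name": "ICCP-GW-01", "ip": "10.10.1.30", "approved": date(2019, 1, 15)},
}

# Passive observations (constructed): (mac, ip, last_seen). Passive collection
# only listens, which is what makes it safe on a fragile control network.
OBSERVED = [
    ("00:1a:2b:00:00:01", "10.10.1.11", date(2019, 6, 1)),
    ("00:1a:2b:00:00:02", "10.10.1.20", date(2019, 6, 1)),
    ("00:1a:2b:00:00:09", "10.10.1.77", date(2019, 5, 30)),  # talking, but never inventoried
]
# Note: ICCP-GW-01 is inventoried but was not observed at all in this window.

# Change records (constructed): what configuration management intends to do.
CHANGES = [
    {"ticket": "CHG-1001", "target_mac": "00:1a:2b:00:00:01", "action": "patch"},
    {"ticket": "CHG-1002", "target_mac": "00:1a:2b:00:00:09", "action": "install"},
]


def reconcile(inventory, observed):
    """Compare the inventory with passive observations and return discrepancies.

    Three kinds of finding are produced:
      unlisted_on_network      - a device is on the wire but not in the list
      profile_drift            - an inventoried device is using an unexpected IP
      inventoried_not_observed - a listed device was never seen (stale entry,
                                 decommissioned, or simply silent; either way
                                 it needs a human to close the loop)
    """
    findings = []
    seen = {mac: (ip, last) for mac, ip, last in observed}
    for mac, (ip, last) in seen.items():
        if mac not in inventory:
            findings.append(Finding("unlisted_on_network", mac,
                                    f"{ip} last seen {last}, not in CIP-002 list"))
        elif inventory[mac]["ip"] != ip:
            findings.append(Finding("profile_drift", mac,
                                    f"inventory says {inventory[mac]['ip']}, observed {ip}"))
    for mac, entry in inventory.items():
        if mac not in seen:
            findings.append(Finding("inventoried_not_observed", mac,
                                    f"{entry['name']} not observed in this window"))
    return findings


def gate_change(inventory, change):
    """Enforce inventory updates inside the change process.

    A change may proceed only if its target is already inventoried, or if the
    ticket itself carries the new inventory entry, which is recorded before the
    change is approved. Returns (allowed, reason). Mutates `inventory` when an
    entry is added so the list and the change stay in lockstep.
    """
    mac = change["target_mac"]
    if mac in inventory:
        return True, f"{change['ticket']}: target {inventory[mac]['name']} is inventoried"
    entry = change.get("inventory_entry")
    if entry is None:
        return False, f"{change['ticket']}: target {mac} is not in the CIP-002 list; add it first"
    inventory[mac] = entry
    return True, f"{change['ticket']}: added {entry['name']} to inventory as part of the change"


if __name__ == "__main__":
    for f in reconcile(INVENTORY, OBSERVED):
        print(f"{f.kind:24} {f.key}  {f.detail}")
    working = dict(INVENTORY)
    for chg in CHANGES:
        print(gate_change(working, chg))
```

Run as a script, this flags the unlisted device at 10.10.1.77 and the silent ICCP gateway, approves the patch ticket against the HMI, and rejects the install ticket until it carries an inventory entry. The two halves are deliberately separate: reconciliation catches what slipped past the process (the singleton device someone plugged in), while the gate stops the process itself from creating new gaps.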
From a compliance or standards construction point of view, it's less clear that this change is feasible. It could be done without being overly prescriptive by limiting the language to a slightly more elaborate version of what FERC staff included in the report, repeated above, and it would greatly improve the regulators' ability to verify the correctness of an inventory, with the attendant security gains. Where the idea potentially founders is the edge case of entity size.
Bluntly put, there are REs out there with medium impact Cyber Assets who shouldn't have any, because the bright-line criteria are too blunt a tool for proper delineation. For an entity with a grand total of 30 medium impact Cyber Assets spread between its two Control Centers, change management is often largely manual or contains a bare minimum of automation, and incorporating automated inventory management into that process, whether directly or indirectly through network monitoring, may be overly burdensome.
This isn't a problem with the notion of automated inventory assistance; it points instead to a problem with the scoping of the standards as a whole. That scoping has been in place for several years now and is more or less baked into the system at this point, which limits what can be done about the other problems it creates. If FERC does move forward at some point with directing this as a future enhancement to the standards, the drafting team will have to thread the needle carefully in order to capture the benefits without creating an undue burden on the smaller in-scope members of the community.
The good news is that, unless your budget is focused purely on compliance activities, automated inventory tools are an excellent investment of your security budget, because they free up your SMEs to work on the downstream effort of securing your assets rather than spending their time just figuring out what those assets are. They scale well, since the same systems that keep track of your CIP assets can also track your general inventory. They also provide an excellent first line of defense if you aren't paying a great deal of attention to your physical security, or can't because of the nature of your physical environment, since they let you spot unauthorized attachments to your network. Finally, the Verve Security Center in particular can leverage the same mechanisms used for inventory to provide endpoint remediation such as patch management, system hardening, or baseline change management. All of which means your investment scales to multiple functions, further freeing your SMEs to better support compliance AND security needs.