This is the second in a series of pieces on the recently released FERC summary of the results of their 2018 CIP audits. In part one, we discussed why the document is worthy of your attention. Part two will discuss recommendations from the report, why it’s likely to be part of a future CIP version, and how current discovery and inventory management tools have matured to the point where they’re safe even in a production OT environment.
"Consider using automated mechanisms that enforce asset inventory updates during configuration management."
One core weakness in the CIP oversight structure from a security vantage point is the minimal reviews performed as part of the audit process to verify that the CIP-002 asset lists are correct. This reflects a weak spot in the standards themselves, some of which come from the structural constraints put on the drafting team.
There is a strong desire to avoid prescriptiveness in methods used to produce desired results. The only requirements are that the Registered Entity (RE) produce, maintain, and approve lists of cyber systems that are in scope for varying parts of the rest of the body of the standards.
Because the rest of the standards rely entirely on the inventory produced by the CIP-002 processes, failure to accurately produce or update the inventory lists have catastrophic outcomes further down the tree, leaving the RE exposed to a number of attack vectors.
This weakness is exacerbated by cloudiness introduced from the allowance to maintain lists of cyber systems rather than individual cyber assets. But in the field, no one seems to take advantage of that looseness. It is evident that a robust inventory is a key component upon which an entire program’s effectiveness hinges, making the value of an accurate inventory very high.
From an audit point of view (and even from the point of view of a robust self-governance model), there are limited steps to verify accuracy of inventory lists. Physical inspections are done to theoretically find anything connected to a wired network. It becomes problematic as cable runs have a bad habit of disappearing inside physical spaces that the inspector is unlikely to actually inspect (conduit inside concrete walls, for example), and physical inspection is very weak at identifying assets with routable connectivity or that use wireless connections.
Auditors review the written procedures to produce inventories. The evidence is that those procedures are followed in hopes of identifying gaps, but that leaves the possibility of operational areas that accidentally fall completely outside the procedures or of singleton devices that are missed purely due to oversight during installation.
This calls for the use of automated mechanisms as a practical matter. The good news is that the technology in this space has evolved significantly in the recent past. Modern, automated network inventory tracking systems have proven to be safe and effective, even in the most fragile of production environments.
From a security viewpoint, using these cybersecurity systems is a clear win, as they provide a much higher confidence level that all of your assets (each of which is also a threat if compromised) are tracked, profiled and are under consideration for every security control that you implement.
From a compliance or standards construction point of view, it’s less clear that this change is feasible. It could be done without being overly prescriptive by limiting the language to a slightly more complicated version of what FERC staff included in the report. It would greatly improve the ability of the regulators to verify correctness of inventory, with the attendant security gains. Where the idea potentially flounders is on the edge case in terms of size.
There are registered entities with medium impact cyber assets who shouldn’t, because the bright line criteria are too blunt a tool for proper delineation. For entities with a grand total of 30 medium impact cyber assets spread between their two control centers, change management is often largely manual or contains a minimum of automation. The notion of incorporating automated inventory management directly, or through network monitoring indirectly, may be overly burdensome.
This doesn’t represent a problem with the notion of automated inventory assistance, but rather points out a problem with the scoping of the standards as a whole. Scoping has been in place for several years now, and is baked into the system as a whole by this point, which may limit what can be done to manage other problems.
If FERC does move forward directing this as a future enhancement to the standards, the drafting team will thread the needle carefully in order to capture the benefits that can be gained without creating an undue burden on the smaller in-scope members of the community.
The good news is that unless your budget is hyper-focused on activities that only focus on compliance, automated inventory tools are an excellent investment of your security budget. They free up your subject matter experts to focus on downstream efforts to secure your assets, as opposed to spending resources to determine what the assets are. They scale well, since the same systems that can keep track of your CIP assets can also be used to track a general inventory.
Automated inventory tools also provide an excellent first-line defense if you aren’t spending great amounts of attention to your physical security or can’t because of the nature of your physical environment, so that you can spot unauthorized attachments to your network. The Verve Security Center leverages the same mechanisms used for inventory to provide end point remediation such as patch management, system hardening, or base profile change management. This means your investment scales to multiple functions, further freeing your SMEs to be able to better support compliance and security needs.