CIP-003-8: The Physical Side of CIP
(Originally posted on June 11, 2020)
I don’t know about you but the days are all starting to run together when working from home.
That just gives us all more time to get more work done!
I know I’ve been busy working on a website, EZ-CIP, for all impact classifications. This site makes the standards, requirements, and topics easier to find.
It allows you to filter by impact classification, topics, and any other combination.
This website is free and we hope you find it as useful as we do.
Last blog post we had fun covering Cyber Security Awareness.
So now let’s head on down to Low Impact Physical Security Controls!
Cybersecurity controls are not very effective if they can be easily bypassed.
Example: plugging directly into a console port on a low impact firewall.
This is the intention of CIP-003-8 R1.2.2. (I realize that the main points of the requirement are in R2 ATT 1 Sec. 2; but it is much easier to reference R1.2.2….please forgive me.)
Let’s look at part 1 of this requirement.
Each Responsible Entity shall control physical access based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset, and
NERC is allowing you to determine how to control physical access to protect your BES Cyber Systems (BCS).
Depending upon the physical size of your BCS you have many options to control physical access such as: 1) a simple door lock with a sign-out sheet for the key, 2) put the BCS in a lockbox with a fingerprint reader with access controlled by a PCS, or 3) put a perimeter fence around the entire asset and control access through a gate with a security guard.
All of these are acceptable; however, your Regional Entity auditor may frown upon your use of a perimeter gate as access when an interior door could be used, thus limiting access to the BCS to only required personnel and not the entire plant site.
The easiest way, in my opinion, to meet this part of the requirement is with a Physical Access Control System (PACS) and card readers at each individual access point. This provides access to individuals based upon their access privileges.
But the PACS also provides evidence. No matter which physical control you use, it must evidence of who accessed the BCS.
Part 2
(2) the Cyber Asset(s), as specified by the Responsible Entity, that provide electronic access to control(s) implemented for Section 3.1, if any.
The intentions of this requirement are to prevent us from plugging into the firewall console port from our earlier example.
Access should be controlled to the firewalls, or other Cyber Asset that controls electronic access to the BCSs, similar to controlling access to the BCS itself. The same physical access control may protect both the BCS and Cyber Asset.
Again, don’t forget about gathering evidence. If you can’t prove it happened it didn’t happen.
I think we beat this horse dead.