CIP-003-8: Transient Cyber Assets and Friends

(Originally posted on November 8, 2020)

Welcome back to another interesting blog post about NERC/CIP standards!

If you’re like me and can’t remember which standards address PACS or alerts then www.ezcip.com is for you.

We created this tool to provide an easy way to filter standards and requirements by topic and classification.

I’d like to invite everyone to check it out and I hope you find it useful.

Transient Cyber Assets and Friends

Last time we covered Incident Response (IR), which is definitely a long one, but Section 5 of CIP-003-8 is easily one of the most difficult requirements to implement for low impact assets.

First let’s simplify some things:

· Transient Cyber Assets (TCAs)

· Removable Media (RM)

· Responsible Entity (RE)

· Other than Responsible Entity (3rd Party)

If you need a refresher on TCAs and RM, please check out our first blog post on this subject here.

Let The Fun Begin

First let’s review the main section.

ATT 1, Section 5. Transient Cyber Asset and Removable Media Malicious Code Risk Mitigation: Each Responsible Entity shall implement, except under CIP Exceptional Circumstances, one or more plan(s) to achieve the objective of mitigating the risk of the introduction of malicious code to low impact BES Cyber Systems through the use of Transient Cyber Assets or Removable Media. The plan(s) shall include: 

This is the most unnecessarily complicated sentence ever written.

They could have said: “Don’t forget to check your computers and usb drives for bad stuff before connecting to important stuff. Oh, and make sure you write it down.”

Make sure you have a plan to check TCAs and RMs for malicious code before connecting to BES Cyber Systems (BCS).

It Doesn’t Stop There

The subsections get more detailed.

5.1 For Transient Cyber Asset(s) managed by the Responsible Entity, if any, the use of one or a combination of the following in an ongoing or on-demand manner (per Transient Cyber Asset capability):

· Antivirus software, including manual or managed updates of signatures or patterns;

· Application whitelisting; or

· Other method(s) to mitigate the introduction of malicious code.

How will you, the RE, detect/prevent/mitigate malicious code on the TCAs so it doesn’t infect your BCS?

NERC provides two methods, antivirus (AV) software and application whitelisting, and leaves it open to any number of other methods preferred by the RE.

Ensure that your choice of method: 1) is easy for personnel to implement with limited supervision, 2) generates evidence with limited supervision, 3) actually provides a decent level of detection, prevention, or mitigation from malicious code, and 4) is included in your plan.

The most common method is to install centrally managed AV on your TCAs. This method also ensures the virus signatures are updated automatically.

3rd Party

Who doesn’t like parties?

5.2 For Transient Cyber Asset(s) managed by a party other than the Responsible Entity, if any:

5.2.1 Use one or a combination of the following prior to connecting the Transient Cyber Asset to a low impact BES Cyber System (per Transient Cyber Asset capability):

· Review of antivirus update level;

· Review of antivirus update process used by the party;

· Review of application whitelisting used by the party;

· Review use of live operating system and software executable only from read-only media;

· Review of system hardening used by the party; or

· Other method(s) to mitigate the introduction of malicious code.

TCAs owned by a 3rd party, contractors, or vendors can be difficult to vet before connecting to a BCS.

How do you convince a turbine control tech to let you scan their company laptop before they connect to your BCS?

If they do agree how do you even perform such a task and generate evidence?

NERC allows checking their AV update level, reviewing their application whitelisting, etc…

But who performs these reviews? Are these personnel trained? How do you generate evidence?

The easiest way to meet this requirement is to prohibit any 3rd party TCAs from connecting to the BCS; any connections to the BCS are to be made with TCAs owned by the RE.

A method can also be included in the contract with the 3rd party:

· The contractor must provide a daily screenshot of a complete AV scan before connecting to the RE’s BCS.

· The contractor must submit their malicious code prevention method to the RE for review before connecting to the RE’s BCS.

Whatever you decide to do ensure it is listed in your plan!

5.2.2 For any method used pursuant to 5.2.1, Responsible Entities shall determine whether any additional mitigation actions are necessary and implement such actions prior to connecting the Transient Cyber Asset.

This subsection is simple: if the 3rd party’s protections on their TCAs are weak or shoddy, come up with a plan B, such as:

· Prohibit the 3rd party from connecting their TCA to your BCS.

· Require the 3rd party to use a TCA owned by the RE.

Here are the Friends

This subsection covers removable media which usually means a USB or other external drive.

5.3 For Removable Media, the use of each of the following:

5.3.1 Method(s) to detect malicious code on Removable Media using a Cyber Asset other than a BES Cyber System; and

5.3.2 Mitigation of the threat of detected malicious code on the Removable Media prior to connecting Removable Media to a low impact BES Cyber System.

A wise man once said, “Treat a USB drive like a toothbrush… would you ever use someone else’s toothbrush?”

This subsection can be summed up as the following:

· Scan your RM for viruses before connecting to your BCS.

· Make sure you are not using your BCS to scan for viruses.

· If you detect something malicious, don’t connect the RM to the BCS. (Do we need to say this?)

The easiest way to meet this requirement is to scan the RM with a machine protected by the RE’s centrally managed AV. (As long as the machine is not a BCS.)

Again, make sure your method to meet this requirement is in the plan.
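As an added illustration (not part of the original post, and not NERC’s or any vendor’s code), here is a hypothetical Python helper a non-BCS scan station could run to turn a scanner’s summary into the evidence this subsection calls for: which approved host did the scan, the signature level, the result, and the 5.3.2 connect/block decision, chained by hash so records can’t be quietly edited later. The host names, sample scanner summary and field layout are constructed assumptions.

```python
"""Hypothetical scan-station evidence helper for CIP-003-8 Att. 1, Section 5.3.
Parses a ClamAV-style summary for a removable-media mount and emits the evidence
a plan needs: non-BCS scan host, signature level, result, 5.3.2 decision."""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed allowlist of Cyber Assets designated as RM scan stations.
# A BES Cyber System must never appear here (5.3.1).
SCAN_STATIONS = {"rm-scan-01", "rm-scan-02"}

# Constructed clamscan-style summary for a USB mount (not real scanner output).
SAMPLE_CLEAN = """----------- SCAN SUMMARY -----------
Known viruses: 8591234
Engine version: 0.103.2
Infected files: 0
"""
SAMPLE_INFECTED = SAMPLE_CLEAN.replace("Infected files: 0", "Infected files: 2")
FIELDS = {"signatures": r"Known viruses:\s*(\d+)", "engine": r"Engine version:\s*(\S+)",
          "infected": r"Infected files:\s*(\d+)"}


def parse_summary(text):
    """Extract the fields the evidence record needs; fail loudly if any is absent."""
    fields = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"scanner summary missing '{key}'")
        fields[key] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
    return fields


def evidence_record(host, media_serial, summary_text, prev_hash="0" * 64):
    """Return a hash-chained evidence entry carrying the 5.3.2 connect decision."""
    if host not in SCAN_STATIONS:  # 5.3.1: the scanning Cyber Asset must not be a BCS
        raise PermissionError(f"{host} is not an approved non-BCS scan station")
    fields = parse_summary(summary_text)
    record = {
        "when": datetime.now(timezone.utc).isoformat(),
        "scan_station": host,
        "media_serial": media_serial,
        **fields,
        # 5.3.2: detected malicious code is mitigated before connection, so an
        # infected device is BLOCKed until a documented clean rescan.
        "decision": "BLOCK" if fields["infected"] > 0 else "ALLOW",
        "prev_hash": prev_hash,
    }
    record["hash"] = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    return record
```

Each returned record can be appended as one JSON line to the plan’s evidence log, with the previous line’s hash passed in as prev_hash.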

Well, I’ve had enough of TCAs and removable media for one day.
