CIP-003: The New Stuff - Part 4 - Transient Cyber Assets and Removable Media
(Originally posted on April 16, 2019)
While we were away we added the 003-7 requirements to our CIP Low Impact Compliance Software.
Very exciting stuff! We are looking for some testers for the new version…if you are interested let us know.
Also, on July 31st FERC approved CIP-003-8. It becomes effective on April 1, 2020. This only affects 5.2 and is included in this blog post.
So let’s get right to it…
The official title of CIP-003-7 R2 Att 1 S5 is:
Transient Cyber Asset and Removable Media Malicious Code Risk Mitigation
This requirement is not as complicated as its title.
The verbiage for R2 Section 5 is shown below.
R2. Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1.
    Section 5. Transient Cyber Asset and Removable Media Malicious Code Risk Mitigation: Each Responsible Entity shall implement, except under CIP Exceptional Circumstances, one or more plan(s) to achieve the objective of mitigating the risk of the introduction of malicious code to low impact BES Cyber Systems through the use of Transient Cyber Assets or Removable Media. The plan(s) shall include:
        5.1 For Transient Cyber Asset(s) managed by the Responsible Entity, if any, the use of one or a combination of the following in an ongoing or on-demand manner (per Transient Cyber Asset capability):
            - Antivirus software, including manual or managed updates of signatures or patterns;
            - Application whitelisting; or
            - Other method(s) to mitigate the introduction of malicious code.
        ***5.2 has been updated for CIP-003-8***
        5.2 For Transient Cyber Asset(s) managed by a party other than the Responsible Entity, if any:
            5.2.1 Use one or a combination of the following prior to connecting the Transient Cyber Asset to a low impact BES Cyber System (per Transient Cyber Asset capability):
                - Review of antivirus update level;
                - Review of antivirus update process used by the party;
                - Review of application whitelisting used by the party;
                - Review use of live operating system and software executable only from read-only media;
                - Review of system hardening used by the party; or
                - Other method(s) to mitigate the introduction of malicious code.
            5.2.2 For any method used pursuant to 5.2.1, Responsible Entities shall determine whether any additional mitigation actions are necessary and implement such actions prior to connecting the Transient Cyber Asset.
        5.3 For Removable Media, the use of each of the following:
            5.3.1 Method(s) to detect malicious code on Removable Media using a Cyber Asset other than a BES Cyber System; and
            5.3.2 Mitigation of the threat of detected malicious code on the Removable Media prior to connecting Removable Media to a low impact BES Cyber System.
Despite the long title and legalese, the standard is relatively straightforward.
First let’s talk about the three types of devices in normal human language:
1. Transient Cyber Asset (TCA) - Are you going to connect a laptop to a protective relay? That laptop is a TCA. (Check out the NERC Glossary of Terms for the full definition here.) Make sure you have a documented plan to check for and mitigate malicious code. This can be any of the methods listed in the requirement: antivirus, whitelisting, etc.
2. Transient Cyber Asset (TCA) managed by a Party Other Than the Responsible Entity - This is similar to #1 above, except the device is owned by someone else, e.g. a contractor or vendor. The controls are different as well, since you generally have zero, or limited, control over their device. Basically, you are making sure there is something in place to detect and mitigate malicious code before the device is connected. The CIP-003-8 updates to this section make sure that Responsible Entities take action to prevent the spread of malicious code to a BES Cyber Asset (BCA).
3. Removable Media - These can be USB drives, external hard drives, CDs, floppy disks, etc. Again, be sure you have a plan to detect and mitigate malicious code.
What is an acceptable mitigation plan?
If malicious code is detected, 95% of the time it makes sense to use a different TCA or removable media. Wipe the drive or toss the thumb drive and start fresh. It’s not worth the risk to continue using the device.
The other 5% depends on how critical the situation is. This may also be addressed by the Exceptional Circumstances plan.
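As an added example (not code from the original post or from the compliance software it mentions), here is a minimal Python scan-station routine for Section 5.3: it runs on a Cyber Asset other than a BES Cyber System, records everything it detected on the media (5.3.1), and only clears the media for connection when nothing was detected, matching the "wipe or toss it" plan above (5.3.2). The blocklist digest, the suspect-extension policy and the station id are constructed assumptions, not real indicators.

```python
"""Removable-media scan station: detect on a non-BES asset, then decide before connecting."""
import hashlib
import os
from datetime import datetime, timezone

# Constructed sample blocklist (not real indicators): SHA-256 digests the station treats as
# malicious. A real station would use an AV engine and/or a threat feed here (assumption).
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed malicious sample").hexdigest()}
# Assumed station policy: executable content and autorun files count as findings too.
SUSPECT_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js"}

def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large images on the media do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_media(mount_point, station_id="scan-station-01"):
    """Walk the mounted media (5.3.1) and return an evidence record with the decision (5.3.2)."""
    findings, total = [], 0
    for root, _dirs, files in os.walk(mount_point):
        for name in files:
            path = os.path.join(root, name)
            total += 1
            digest = sha256_of(path)
            reason = None
            if digest in KNOWN_BAD_SHA256:
                reason = "known-bad hash"
            elif name.lower() == "autorun.inf":
                reason = "autorun file present"
            elif os.path.splitext(name)[1].lower() in SUSPECT_EXTENSIONS:
                reason = "executable content"
            if reason:
                findings.append({"file": os.path.relpath(path, mount_point),
                                 "reason": reason, "sha256": digest})
    return {
        "station": station_id,
        "scanned_at": datetime.now(timezone.utc).isoformat(),
        "media": mount_point,
        "files_scanned": total,
        "findings": findings,
        # Conservative policy: any finding means wipe or replace the media, never connect it.
        "cleared_to_connect": not findings,
    }
```

The returned dictionary is plain JSON-serializable data, so it can be written out as dated evidence that the plan was followed for each piece of media.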