Download this page as a PDF
Traditional security testing tools and services can increase risks to BES reliability while failing to fulfill CIP requirements. Our vulnerability testing methodology is tailored to EMS and SCADA environments.
Choosing Between an Internal or Third-Party NERC CIP Cyber Vulnerability Assessment
While the NERC CIP Security Standards stipulate the minimum requirements to verify during a Cyber Vulnerability Assessment (CVA), they do not state by whom this verification must be completed. One dilemma facing entities is whether to conduct a CVA in-house or to hire a third-party to execute the assessment on their behalf. Some issues that may lead an entity to choose a third-party are:
- Lack of clear understanding of what information will be required to complete the CVA or lack of a documented CVA methodology,
- Concern regarding "checks and balances" within the entity where the same personnel that completed the work are the only ones equipped to execute the CVA in order to assess the work,
- Lack of clear understanding of how the documentation at the conclusion of the CVA may effect a NERC CIP audit, or
- Limited resource availability.
If the decision is made to proceed with a third-party to execute the CVA, selecting which third-party can be the difference between a successful NERC CIP audit and one with Potential Violations (PVs).
Achieve the Requirements of CIP-005 and CIP-007
The most important goal for any NERC CIP vulnerability assessment is to satisfy the minimum requirements of CIP-005 R4 and CIP-007 R8, namely:
- Discover all access points to the electronic security perimeter (ESP),
- Verify enabled ports and services at each access point,
- Review controls for default accounts, passwords, and network management community strings for each ESP access point.
- Verify that only ports and services required for normal or emergency operations are enabled on each system, and
- Review the controls for default accounts for each system.
These simple objectives demand considerably more effort and expertise than many people expect. Moreover, these requirements don’t just apply to an organization’s critical cyber assets (CCA) and cyber assets within the ESP. They must address the systems that control and monitor both the ESPs and physical security perimeters (PSP) that protect them.
NERC CIP Cyber Vulnerability Assessment Preparation
Every CVA begins with the identification and collection of baseline information. While this baseline information is required evidence for the NERC CIP standards under their respective sub-requirements, many times this information is not stored in a central location. Depending on whether the CVA to be executed is for CIP 005 R4 or CIP 007 R8, N&ST senior consultants will ask the right questions to ensure that all baseline
information needed is provided, such as:
- Do the firewall rulesets and/or router/switch access control lists, for access points to each electronic security perimeter (ESP), have justifications listed?
- Do the system ports and services lists for applicable cyber assets include justifications for each? For all IP protocols, including TCP and UDP?
- Do the shared and/or default account lists for access points to each ESP and applicable cyber assets include those for the operating system and all
- applications? Including both local and centralized accounts?
Proper and timely execution of the CVA is dependent on the baseline information being complete and available at the start of the engagement.
Our NERC CIP CVA Methodology
N&ST has developed a flexible, proven approach to executing CVAs that gets tailored to the needs and unique architecture of the entity. Led by senior consultants who have conducted CVAs with numerous entities across multiple regions, N&ST will walk the entity through identifying which baseline evidence is needed and what options exist for collecting current environment information prior to starting the CVA. Each approach to collecting current information has its pros and cons, as well as timeframe required to complete. With guidance from N&ST senior consultants, choosing the most appropriate approach while minimizing the time needed from the entity resources ensures an efficient, costeffective CVA. And while no two CVAs are exactly the same, N&ST and its clients have successfully defended each at NERC CIP audits. N&ST consultants will ensure interpretations and documentation match the entity’s needs and expectations.
Every engagement begins with a survey of existing data sources. Where possible, the team will utilize your existing records and listings from CIP compliance and support activities. Often, this information will suffice for many or even most of the sub-requirements.
When the consultants do need more data, they know how to get it without modifying software or equipment configurations. Instead, they work with support staff to use native reporting and diagnostic functions available in most EMS, SCADA, and network devices to generate the requisite records and lists. These can serve other purposes as well. For example, responsible entities can use some of the lists to demonstrate compliance with CIP-007 requirement R2, Ports and Services.
As a final check on the raw data, N&ST will perform a physical walk-through of the facilities that house the cyber assets. They will verify the locations of the cyber assets, cabling, and other aspects of the equipment layouts.
N&ST will then perform numerous analyses and reviews. For example, they will:
- Verify schematics,
- Review access point configurations,
- Analyze network IP addresses and subnet masks,
- Examine accounts lists and control procedures, and
- Review records of password and configuration changes.
Finally, the consultants will document their observations, findings, and recommended remediation or mitigation activities.
Options to Collect Current Environment Information
This method requires having logical access to the cyber assets to extract the information needed using either command-line interface commands or navigating through the cyber asset’s graphical user interface. The benefit of using this method includes assurance that the information collected is accurate and complete. The cost, however, is that this method is time consuming as each cyber asset must be accessed individually.
Examples of direct information collection include:
- Commands such as netstat to extract a cyber asset’s listening ports,
- Access to Users and Groups lists in the operating system’s settings, and
- Access to network device firmware configuration to identify SNMP settings.
This method requires having remote access to the cyber assets to extract the information needed using third-party tools. The benefit to this method includes efficiency in that the information can be collected in batches. The cost, however, is that if it is not executed correctly, there is a risk the information may be incomplete.
Examples of active information collection include:
- Using a port scanner to identify a cyber asset’s listening ports,
- Using an enumeration tool to collect user lists and group lists, and
- Using an SNMP browser to verify community strings.
Our passion for Technical excellence and commitment to our clients’ business success results in practical solutions to complex problems.