Choosing Between an Internal or Third-Party NERC CIP Vulnerability Assessment
While the NERC CIP Security Standards stipulate the minimum requirements to verify during a Vulnerability Assessment (VA), they do not state by whom this verification must be completed. One dilemma facing entities is whether to conduct a VA in-house or to hire a third-party to execute the assessment on their behalf. Some issues that may lead an entity to choose a third-party are:
- Lack of clear understanding of what information will be required to complete the VA or lack of a documented VA methodology,
- Concern regarding “checks and balances” within the entity, where the same personnel who completed the work are the only ones equipped to execute the VA that assesses that work,
- Lack of clear understanding of how the documentation produced at the conclusion of the VA may affect a NERC CIP audit, or
- Limited resource availability.
If the decision is made to proceed with a third-party to execute the VA, selecting which third-party can be the difference between a successful NERC CIP audit and one with Potential Violations (PVs).
Achieve the Requirements of CIP-010
The most important goal for any NERC CIP vulnerability assessment is to satisfy the minimum requirements of CIP-010, namely:
- Discover all access points to the electronic security perimeter (ESP),
- Verify enabled ports and services at each access point,
- Review controls for default accounts, passwords, and network management community strings for each ESP access point,
- Verify that only ports and services required for normal or emergency operations are enabled on each system, and
- Review the controls for default accounts for each system.
These simple objectives demand considerably more effort and expertise than many people expect. Moreover, these requirements don’t just apply to an organization’s BES cyber systems and the BES cyber assets (BCA) within the ESP. They must also address the systems that control and monitor both the ESPs and the physical security perimeters (PSP) that protect them.
NERC CIP Vulnerability Assessment Preparation
Every VA begins with the identification and collection of baseline information. While this baseline information is required evidence for the NERC CIP standards under their respective sub-requirements, it is often not stored in a central location. Depending on whether the VA to be executed is for CIP-005 or CIP-007, N&ST senior consultants will ask the right questions to ensure that all needed baseline information is provided, such as:
- Do the firewall rulesets and/or router/switch access control lists, for access points to each electronic security perimeter (ESP), have justifications listed?
- Do the system ports and services lists for applicable cyber assets include justifications for each? For all IP protocols, including TCP and UDP?
- Do the shared and/or default account lists for access points to each ESP and applicable BES cyber systems or BES cyber assets include those for the operating system and all applications? Including both local and centralized accounts?
Proper and timely execution of the VA is dependent on the baseline information being complete and available at the start of the engagement.
Our NERC CIP CVA Methodology
N&ST has developed a flexible, proven approach to executing VAs that is tailored to the needs and unique architecture of the entity. Led by senior consultants who have conducted VAs with numerous entities across multiple regions, N&ST will walk the entity through identifying which baseline evidence is needed and what options exist for collecting current environment information prior to starting the VA. Each approach to collecting current information has its pros and cons, as well as a different time frame required to complete. With guidance from N&ST senior consultants, choosing the most appropriate approach while minimizing the time needed from entity resources ensures an efficient, cost-effective VA. And while no two VAs are exactly the same, N&ST and its clients have successfully defended each at NERC CIP audits. N&ST consultants will ensure that interpretations and documentation match the entity’s needs and expectations.
Every engagement begins with a survey of existing data sources. Where possible, the team will utilize your existing records and listings from CIP compliance and support activities. Often, this information will suffice for many or even most of the sub-requirements.
When the consultants do need more data, they know how to get it without modifying software or equipment configurations. Instead, they work with support staff to use native reporting and diagnostic functions available in most EMS, SCADA, and network devices to generate the requisite records and lists. These can serve other purposes as well. For example, responsible entities can use some of the lists to demonstrate compliance with CIP-007 Ports and Services.
As a final check on the raw data, N&ST will perform a physical walk-through of the facilities that house the BES cyber assets. They will verify the locations of the BES cyber assets, cabling, and other aspects of the equipment layouts.
N&ST will then perform numerous analyses and reviews. For example, they will:
- Verify schematics,
- Review access point configurations,
- Analyze network IP addresses and subnet masks,
- Examine accounts lists and control procedures, and
- Review records of password and configuration changes.
Finally, the consultants will document their observations, findings, and recommended remediation or mitigation activities.
Options to Collect Current Environment Information
Direct Information Collection
This method requires having logical access to the BES cyber assets to extract the information needed, using either command-line interface commands or navigating through the cyber asset’s graphical user interface. The benefit of using this method is assurance that the information collected is accurate and complete. The cost, however, is that this method is time consuming, as each BES cyber asset must be accessed individually.
Examples of direct information collection include:
- Commands such as netstat to extract a BES cyber asset’s listening ports,
- Access to Users and Groups lists in the operating system’s settings, and
- Access to network device firmware configuration to identify SNMP settings.
Active Information Collection
This method requires having remote access to the BES cyber assets to extract the information needed using third-party tools. The benefit of this method is efficiency, in that the information can be collected in batches. The cost, however, is that if it is not executed correctly, there is a risk the information may be incomplete: a scanner only sees what is reachable from where it runs, so a service bound to a loopback address or blocked by a host firewall is not reported even though it is enabled on the asset.
Examples of active information collection include:
- Using a port scanner to identify a cyber asset’s listening ports,
- Using an enumeration tool to collect user lists and group lists, and
- Using an SNMP browser to verify community strings.
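Whichever collection method is used, the evidence still has to be reconciled against the entity’s documented baseline to answer the CIP-010 objectives listed above (only justified ports and services enabled, default accounts and community strings controlled). The script below is an added example, not N&ST’s tooling or any entity’s records: it parses a constructed `netstat -tulpn` listing for a hypothetical asset, compares the listeners against a constructed ports-and-services baseline with justifications, flags listeners that an active scan from the network would have missed, and checks a constructed `snmpd.conf` excerpt for the default `public`/`private` community strings. The asset name, ports, programs and justification text are all assumptions made up for the illustration.

```python
"""Reconcile evidence collected from a BES cyber asset against its documented baseline.

Added example; the netstat output, baseline, and snmpd.conf below are constructed
for a hypothetical asset and are not real evidence.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: `netstat -tulpn` output from a hypothetical Linux asset "ems-hmi-01".
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:502             0.0.0.0:*               LISTEN      933/modbusd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1042/master
tcp6       0      0 :::5900                 :::*                    LISTEN      1187/x11vnc
udp        0      0 0.0.0.0:161             0.0.0.0:*                           701/snmpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           655/ntpd
"""

# Constructed baseline: the entity's documented (protocol, port) -> justification list.
# tcp/443 is deliberately documented but not running, to show a stale baseline entry.
BASELINE = {
    ("tcp", 22): "SSH administrative access; required for normal operations",
    ("tcp", 502): "Modbus/TCP polling of field devices; required for normal operations",
    ("tcp", 443): "HTTPS operator interface; required for normal operations",
    ("udp", 161): "SNMP polling by the EMS network manager; required for normal operations",
    ("udp", 123): "NTP time synchronisation; required for normal operations",
}

# Constructed snmpd.conf excerpt for the same hypothetical asset.
SNMPD_SAMPLE = """\
# access control (constructed)
rocommunity public 10.10.0.0/24
rwcommunity private
rocommunity Ops-Mon-9f2 10.10.0.5
"""

LOOPBACK = {"127.0.0.1", "::1"}
DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}


@dataclass(frozen=True)
class Listener:
    proto: str      # "tcp" or "udp" (the IPv6 variants are folded in)
    address: str    # local bind address as printed by netstat
    port: int
    program: str    # PID/Program name column


# One netstat row: proto, queues, local addr:port, foreign addr, optional state, program.
SOCKET_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r"(?:LISTEN\s+)?(?P<prog>\S+)\s*$"
)


def parse_listening(netstat_text: str) -> list[Listener]:
    """Return every listening socket in netstat -tulpn output; header lines are skipped."""
    listeners = []
    for line in netstat_text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            listeners.append(Listener(m["proto"].rstrip("6"), m["addr"], int(m["port"]), m["prog"]))
    return listeners


def compare_to_baseline(listeners: list[Listener], baseline: dict) -> dict:
    """Reconcile collected listeners against the documented ports-and-services baseline."""
    found = {(l.proto, l.port): l for l in listeners}
    return {
        # enabled on the asset but with no documented justification: a CIP-010 finding
        "unjustified": sorted(k for k in found if k not in baseline),
        # documented as required but not enabled: the baseline itself is out of date
        "stale_baseline": sorted(k for k in baseline if k not in found),
        # enabled, but bound to loopback: a network port scan would not have reported these
        "loopback_only": sorted(k for k, l in found.items() if l.address in LOOPBACK),
    }


def default_snmp_communities(snmpd_conf: str) -> list[tuple[str, str]]:
    """Return (directive, community) pairs that still use a well-known default string."""
    hits = []
    for line in snmpd_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in COMMUNITY_DIRECTIVES and parts[1].lower() in DEFAULT_COMMUNITIES:
            hits.append((parts[0], parts[1]))
    return hits


if __name__ == "__main__":
    report = compare_to_baseline(parse_listening(NETSTAT_SAMPLE), BASELINE)
    for key, items in report.items():
        print(f"{key}: {', '.join(f'{p}/{n}' for p, n in items) or 'none'}")
    for directive, community in default_snmp_communities(SNMPD_SAMPLE):
        print(f"default community string in use: {directive} {community}")
```

Run against the constructed data, the report flags tcp/25 and tcp/5900 as enabled without justification, tcp/443 as documented but absent, and tcp/25 as visible only on loopback, which is exactly the listener an active scan from the ESP would miss and a direct netstat collection would catch. The SNMP check reports both `public` and `private` still configured. Each unjustified entry is either a finding to remediate or a gap in the baseline evidence to correct before the audit.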
Our passion for technical excellence and commitment to our clients’ business success results in practical solutions to complex problems.