How Access Card Readers are an Achilles Heel for NERC CIP Cyber Asset Lists

Article title
logo

Having conducted numerous Mock Audits and Gap Analyses for our clients, I am beginning to see a troubling pattern. A majority of the registered entities we have visited have failed to properly include the access card reader(s) on their NERC CIP Cyber Asset list. This post will spell out in detail what NERC and FERC expect from a registered entity and most importantly, why.

As many of you know, access cards and access card readers are one of the main devices used to protect your NERC CIP Critical Assets and Critical Cyber Assets from the “bad guys”. While many registered entities employ this technology, most do not properly protect the one device that shields their assets from being tampered with. We are going to look at how the IP addresses assigned to your access card readers are not being protected and what can happen as a consequence.

If you have a card reader system for your Physical Security Perimeter (PSP) that has an IP address associated with it, you must include it in your Critical Cyber Asset list. Because the devices are “IP networked”, controlled, monitored and administered they need to be included as per CIP-002 R 3.1, when that PSP protects access to a control center, critical assets or critical cyber assets. To not include these devices is a finding during an audit that WILL lead to a FERC investigation, you can bet on that. If the card readers are not protecting any of the areas mentioned, then why even label them as part of the PSP? The purpose of a PSP is to protect and monitor access to critical assets in much the same way the ESP electronically protects and monitors access to critical cyber assets. This is the reason the language in CIP-005 and CIP-006 are so very similar. Better to err on the side of caution just in case the auditor is particularly astute on what FERC wants to be considered “compliant”.

Examples of what can happen if you fail to properly protect the access card readers are:

  • IP addresses can be used to fail the door or doors “open” – basically turning off the access card reader
  • IP addresses can be used to turn off the alarm portion of the card reader making it easy to access the CCA area without being detected for an undetermined amount of time
  • IP addresses can be used to back-track into the corporate network and do much more harm than just disabling an access card reader

You will definitely suffer a severe financial loss from the fine that will be issued when an auditor discovers this oversight.

James Holler is the Founder of Abidance Consulting.

This month we thought we would try something new. We are going to hold a conference call on October 1st at 2:30pm CST with our latest staff member, Randal Blanchette—the former lead CIP and ICP enforcer at FERC. For those who want to participate on this call and to ask Randal questions related to this and other CIP related subjects, please email us at james.holler@abidanceconsulting.com and put CIP Conference Call in the subject line.

Comments
  • Reply

    This is blatantly incorrect. A critical cyber asset is by definition an asset ESSENTIAL to the operation of the critical asset. Every identified critical asset that I’m aware of can operate exceedingly well without a card reader — an electronic access card reader or physical security system is NOT essential to the operation of a critical asset and therefore should NOT be included in the list of critical cyber assets. With the exception of card readers and some other physical security devices that have to reside outside a physically protected area for obvious reasons (i.e., cameras, etc), cyber-based physical security components only have to be protected to the CIP-006 R.2.2 requirements (note: these devices do not necessarily have to reside inside a true PSP either — these components ONLY have to be protected to the CIP-006, R2.2 requirements). Subjecting cyber-based physical security components, through their misidentification as a critical cyber asset, to the gamut of NERC CIP standards rather than just the CIP-006, R2.2 requirements increases your client’s exposure to audit findings and subsequent penalties.

Leave a Reply

One Platform. Every Solution.
AssurX Quality + Compliance ManagementA single versatile system can improve quality, compliance and streamline workflow
Don't Miss A Post

Subscribe to our blog to receive an email when we publish new content.

Recommended posts
Recent Posts
Categories
One Platform. Every Solution.
AssurX Quality + Compliance ManagementA single versatile system can improve quality, compliance and streamline workflow