How Access Card Readers are an Achilles Heel for NERC CIP Cyber Asset Lists
Having conducted numerous Mock Audits and Gap Analyses for our clients, I am beginning to see a troubling pattern. A majority of the registered entities we have visited have failed to properly include the access card reader(s) on their NERC CIP Cyber Asset list. This post will spell out in detail what NERC and FERC expect from a registered entity and most importantly, why.
As many of you know, access cards and access card readers are one of the main devices used to protect your NERC CIP Critical Assets and Critical Cyber Assets from the “bad guys”. While many registered entities employ this technology, most do not properly protect the one device that shields their assets from being tampered with. We are going to look at how the IP addresses assigned to your access card readers are not being protected and what can happen as a consequence.
If you have a card reader system for your Physical Security Perimeter (PSP) that has an IP address associated with it, you must include it in your Critical Cyber Asset list. Because the devices are “IP networked”, controlled, monitored and administered they need to be included as per CIP-002 R 3.1, when that PSP protects access to a control center, critical assets or critical cyber assets. To not include these devices is a finding during an audit that WILL lead to a FERC investigation, you can bet on that. If the card readers are not protecting any of the areas mentioned, then why even label them as part of the PSP? The purpose of a PSP is to protect and monitor access to critical assets in much the same way the ESP electronically protects and monitors access to critical cyber assets. This is the reason the language in CIP-005 and CIP-006 are so very similar. Better to err on the side of caution just in case the auditor is particularly astute on what FERC wants to be considered “compliant”.
Examples of what can happen if you fail to properly protect the access card readers are:
- IP addresses can be used to fail the door or doors “open” – basically turning off the access card reader
- IP addresses can be used to turn off the alarm portion of the card reader making it easy to access the CCA area without being detected for an undetermined amount of time
- IP addresses can be used to back-track into the corporate network and do much more harm than just disabling an access card reader
You will definitely suffer a severe financial loss from the fine that will be issued when an auditor discovers this oversight.
James Holler is the Founder of Abidance Consulting.
This month we thought we would try something new. We are going to hold a conference call on October 1st at 2:30pm CST with our latest staff member, Randal Blanchette—the former lead CIP and ICP enforcer at FERC. For those who want to participate on this call and to ask Randal questions related to this and other CIP related subjects, please email us at firstname.lastname@example.org and put CIP Conference Call in the subject line.