Continuing with the analysis of the FERC Reliability Standards and how they might help chemical facilities secure their electronic control systems, we look at the fourth standard, Electronic Security Perimeter. The FERC standards are written for electrical utility systems not chemical facilities so we need to read the Final Rule discussion carefully to see what might fit into chemical facility systems.
For previous blogs in this series see:
The Electronic Security Perimeter standard “requires identification and protection of the electronic security perimeters inside which all critical cyber assets are located, as well as all access points.” (para 477, page 7415) Every critical cyber asset identified in the first standard must be protected within an electronic security perimeter, though there may be more than one such perimeter at any given facility.
Because of the technical nature of the variety of measures necessary to meet the requirements of this standard, the discussion in today’s blog will be limited. I just do not have the technical qualifications to do much more than report the requirements. Likewise, chemical facilities need to insure that the personnel implementing these types of measures have the proper training and experience.
Adequacy of Electronic Security Perimeters
The Commission takes the stand that no single defensive measure provides adequate protection of the critical cyber assets. This is due to the fact that every perimeter defensive measure, like firewalls, still depends on adequate maintenance or response by people. Thus they require that each electronic security perimeter include at least two separate defensive measures, providing defense in depth (para 496 page 7417).
Protecting Access Points and Controls
The Commission requires a “responsible entity to implement organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the electronic security perimeter.” (para 505 page 7417) The use of digital certificates, two-factor authentication and encryption systems are examples of controls that meet this requirement (para 511 page 7418).
Monitoring Access Logs
This standard requires that “responsible entities to implement electronic or manual processes for monitoring and logging access at access points to the electronic security perimeter at all times.” (para 512 page 7418) An electronic system is preferable since it can provide for real-time detection and reporting "for attempts at or actual unauthorized access.”
Manual review of all logs should be conducted periodically. For automated systems the review should be done to confirm that the system is reporting properly; avoiding too many false positives yet detecting unauthorized access. For systems without automated reviews the manual review of access logs is the only way to detect unauthorized access or attempts at unauthorized access (para 526 page 7419).
Manual review does not necessarily mean that every entry needs to be reviewed. Statistical tools are available to determine how many entries need to be reviewed to detect unacceptable events. When using this technique it is important in insure that a random sample of log entries is used for the review (para 528 page 7420).
The standard requires that a responsible entity is required to “perform a cyber vulnerability assessment of the electronic access points to [an] electronic security perimeter at least annually.” (para 529 page 7420) When significant modifications are made to the electronic security perimeter a new vulnerability assessment should be made, even if the previous review was made less than a year before.