Continuing with the analysis of the FERC Reliability Standards and how they might help chemical facilities secure their electronic control systems, we look at the fifth standard, Physical Security of Critical Cyber Assets. The FERC standards are written for electrical utility systems, not chemical facilities, so we need to read the Final Rule discussion carefully to see what might fit into chemical facility systems.
This standard requires “a responsible entity to create and maintain a physical security plan that ensures that all cyber assets within an electronic security perimeter also reside within an identified physical security perimeter.” (para 548 page 7422) Footnote 132 on the same page provides two key definitions:
Electronic Security Perimeter – the “logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled”
Physical Security Perimeter – the “physical, completely enclosed (‘six-wall’) border surrounding computer rooms, telecommunications rooms, operations centers, and other locations in which Critical Cyber Assets are housed and for which access is controlled”
Physical Security Plan
The Physical Security Plan, approved by a senior manager, is required to include the following items (para 561 page 7422 and CIP-006-1, para R1):
1. Require that all critical cyber assets are within a ‘six-wall’ physical security perimeter. If that is not physically possible the alternative physical security measures must be documented.
2. Identify all access points through each Physical Security Perimeter and document measures to control entry at those points.
3. Identify processes, tools, and procedures to monitor physical access to the physical security perimeter. Include procedures for the proper uses of access controls to include visitor pass management, response to loss of passes, and consequences for improper use of access controls.
4. Procedures for approving access authorizations and revocations.
5. Procedures for escorted access for personnel not authorized for unescorted access.
6. Process for updating the physical security plan within ninety calendar days of any physical security system redesign or reconfiguration.
7. Requirement that cyber assets used in the access control and monitoring of the Physical Security Perimeter(s) be treated as critical cyber assets.
8. Requirement for annual review of the physical security plan.
Most chemical facilities can roll these requirements into their physical security plan for the entire facility. In fact, these requirements provide a good outline for that plan. If the facility cyber assets are extensive enough to require a separate cyber security plan, the facility will have to be careful to keep their access passes identifiably separate from those used for facility access.
Physical Access Controls
The physical security plan will provide for physical access controls, operating 24 hours a day, 7 days a week, to authorize access through the physical security perimeter. The Commission requires (CIP-006-1, para R2) that at least one of the following access control systems be used:
· Card Key.
· Special Locks.
· Security Personnel.
· Other Authentication Devices.
All of these control systems have their own special requirements. Card key systems require that card readers on each access point be wired to a common controller containing an up-to-date access database. Keyed locks require key control procedures for limiting access to keys and promptly identifying lost keys. Other authentication devices, like biometric devices, have their own unique requirements.
Monitoring Physical Access
The physical security plan will provide for continuous monitoring of the access points to the physical security perimeter. The purpose of monitoring is the prompt identification of unauthorized access to the critical cyber assets within the perimeter and the alerting of an appropriate response force. According to the standard (CIP-006-1, para R3) there are two accepted methods of meeting this monitoring requirement:
· Alarm Systems.
· Human Observation of Access Points.
Alarm systems need to announce the unauthorized opening of any door, gate or window providing access to the physical security perimeter. The announcement should specify which opening was accessed. Human observation can be by personnel within the perimeter or by remote observation via closed circuit television.
An integral part of monitoring physical access is the logging of each access event. This can be done by electronic, video or written records. Since the purpose of logging is to document every entry, authorized or not, written records must be maintained by security personnel. Logs must be kept on hand long enough to allow for periodic reviews; the Commission requirement is 90 days. Logs documenting unauthorized access should be kept with the report of the investigation of that entry.
Maintenance and Testing
The physical security plan must also document the maintenance and testing requirements for all devices in the physical security system (para 577 pages 7424-5). Records of the actual maintenance and testing will be held for the length of the maintenance cycle.