Continuing with the analysis of the FERC Reliability Standards and how they might help chemical facilities secure their electronic control systems (see “Critical Cyber Asset Identification”), we look at the second standard, Security Management Controls. Again, the FERC standards are written for electrical utility systems not chemical facilities so we need to read the Final Rule discussion carefully to see what fits into chemical facility systems.
Management Commitment to Security
The main requirement of this standard (para 342, page 7403) is that corporate management accepts responsibility for securing the critical cyber assets of the facility. This is acceptance is evidenced by the adoption of a corporate cyber security policy and the designation of “a senior manager to direct the cyber security program and to approve any exception to the policy.”
The idea is that only with a senior member of management championing security can the facility be assured of the necessary support for its security program. Adequate allocation of resources, internal conflict resolution, and interpretation of legal requirements all require senior management control. Security decisions may also impact other business decisions. Only a senior member of management will insure that those security requirements are given adequate weight in the business decisions.
Most chemical facilities are not going to require a separate cyber security policy. The cyber assets on the production side (as opposed to the enterprise systems) will be limited enough that the cyber security policy discussed here will be part of the corporate security policy. Large, continuous-process operations on the other hand rely much more on an extensive electronic network to control their operations, so they may require a separate cyber security policy.
Discretion to Grant Exceptions
This standard recognizes that technical, financial or even business reasons may require that exceptions to that policy must be made (para 361, page 7404). The standard does require, however, that any exceptions must be documented and approved by the designated senior manager. That documentation must include the reason for the exception and what mitigation efforts will be put in place during the period of the exception.
The commission emphasizes that there is a difference between an exception to corporate policy and an exemption to the requirements of the Reliability Standards. For a chemical facility this would be similar to the difference between policy and the CFATS regulations. No one at the facility or corporate level can authorize an exception to a regulatory requirement; that can only be done by the regulatory authority.
The procedure for granting exemptions to the security policy should be incorporated in that policy. The procedure should include requirements for documenting the reason for and duration of the exception as well as the special procedures to be put into place to mitigate the increased security threat. Procedures also need to be included for emergency exception approval by local management with a time limit to get formal approval.
Change Control and Configuration Management
The standard requires that cyber security policy include (para 388, pages 7406-7) a “a process of ‘change control and configuration management’ for adding, modifying, replacing, or removing critical cyber asset hardware orsoftware.” There are two reasons for this requirement. First to ensure that changes to the critical cyber assets are made with full consideration of the security consequences. Second to ensure that all personnel affected by the change are notified of the change.
An interesting component of this portion of the standard is the requirement “to take actions to detect unauthorized changes to critical cyber assets (para 397 page 7407), whether originating from inside or outside the responsible entity.” With the large number of computer intrusions seen in the news every day (viruses, trojan horses and botnets to mention a few), the commission wanted responsible entities to establish procedures for discovering unauthorized changes as quickly as possible.
The security policy should address how changes are made to cyber assets. This would include provisions for vendor updates and patches for software. It should also address requirements for using tools like anti-virus software and periodic system tests to insure that there have been no unintentional or unapproved changes made to the system.
In today’s world the interconnectedness of electronic devices and systems is increasing all of the time. Control systems that used to be stand alone systems are now connected to the Internet to allow for vendor troubleshooting and support and may be connected to enterprise software to update inventories and batch recipes. Every point of connection is a point of possible intruder entry. FERC calls for responsible entities to establish “a mutual distrust posture” to “protect a control system from the ‘outside world’”. (para 401 page 7408).
The commission explains a ‘mutual distrust posture’ this way (footnote 111, page 7408):
“An architecture with a mutual distrust posture could involve various hardware or software mechanisms or manual procedures to restrict and verify access to the control system from these outside sources. Examples include: firewalls; data checking software(s); or procedures for manually implementing a connection to allow a vendor to perform maintenance work.”
Any policy should include provisions for verifying compliance. This is especially true of a security policy since it does little to directly contribute to the bottom line and frequently inconveniences employees and contractors. Provisions must be made for internal (facility level) and external (corporate level) audits of compliance. The Corporate Security Officer should review results of those audits with the view to revising policies and procedures as necessary to insure future compliance.