Tuesday, March 4, 2008

System Security Management

Continuing with the analysis of the FERC Reliability Standards and how they might help chemical facilities secure their electronic control systems, we look at the sixth standard, System Security Management. The FERC standards are written for electrical utility systems, not chemical facilities, so we need to read the Final Rule discussion carefully to see what might fit into chemical facility systems.


For previous blogs in this series see:



System Security Management “deals primarily with changes made to the operating production systems and verification that such changes will not inadvertently have adverse effects.” (para 584 page 7425) As such it “requires responsible entities to define methods, processes and procedures for securing those systems determined to be critical cyber assets, as well as the non-critical cyber assets within the electronic security perimeter(s).”


It is important to note that this standard applies to cyber assets within the electronic security perimeter even though they may not be critical cyber assets. The reason for this is that, since the non-critical asset is within the electronic security perimeter, it can interact with the critical cyber assets without having to cross the protections provided by that perimeter.


Because of the technical nature of the variety of measures necessary to meet the requirements of this standard, the discussion in today’s blog will be limited. I just do not have the technical qualifications to do much more than report the requirements. Likewise, chemical facilities need to ensure that the personnel implementing these types of measures have the proper training and experience.


Test Procedures


This standard requires that Responsible Entities establish test procedures to “… ensure that new Cyber Assets and significant changes to existing Cyber Assets within the Electronic Security Perimeter do not adversely affect existing cyber security controls.” (CIP-007-1 para R1 page 1) A significant change would “include implementation of security patches, cumulative service packs, vendor releases, and version upgrades of operating systems, applications, database platforms, or other third-party software or firmware.”


Ports and Services


Included in this standard is the requirement to “establish and document a process to ensure that only those ports and services required for normal and emergency operations are enabled.” (CIP-007-1 para R2 page 2). Servers, computers and other electronic equipment come with communications ports that allow for communication between that device and the outside world. Ports that are not required for system communications have to be disabled or blocked to stop unauthorized access to the system.
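One way to check this requirement on a Linux host, as an added example that is not part of the original post or of the standard: compare the listening TCP sockets reported by `ss -tlnH` against the documented baseline of required ports. The sample output, the baseline entries and the function names are constructed for illustration.

```python
# Added example: audit listening TCP ports against a documented baseline.
# SAMPLE_SS_OUTPUT mimics `ss -tlnH` output; it and REQUIRED_PORTS are constructed.

SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 10.0.5.20:502 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 100 0.0.0.0:23 0.0.0.0:*
LISTEN 0 50 127.0.0.1:5432 0.0.0.0:*
"""

# Documented baseline: port -> justification (hypothetical entries).
REQUIRED_PORTS = {
    22: "remote administration (SSH)",
    502: "Modbus/TCP to field controllers",
    44818: "EtherNet/IP to packaging line",
}

def listening_ports(ss_output):
    """Map each listening port to the set of local addresses bound to it."""
    ports = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip blank or unexpected lines
        # rpartition keeps bracketed IPv6 addresses such as [::] intact
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            ports.setdefault(int(port), set()).add(addr)
    return ports

def audit(ss_output, required):
    """Return (undocumented listeners, documented ports not listening)."""
    found = listening_ports(ss_output)
    undocumented = {p: sorted(a) for p, a in found.items() if p not in required}
    missing = sorted(p for p in required if p not in found)
    return undocumented, missing

if __name__ == "__main__":
    undocumented, missing = audit(SAMPLE_SS_OUTPUT, REQUIRED_PORTS)
    for port, addrs in sorted(undocumented.items()):
        print(f"UNDOCUMENTED listener on port {port} ({', '.join(addrs)})")
    for port in missing:
        print(f"Baseline port {port} not listening: {REQUIRED_PORTS[port]}")
```

A baseline port that is no longer listening is reported as well, since it usually means the documentation has drifted from the running system.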


Security Patch Management


Software providers and equipment manufacturers frequently provide security patches for their software to correct shortcomings in their systems. This standard requires that Responsible Entities “shall establish and document a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s).” (CIP-007-1 R3 page 2)


An evaluation of each patch must be conducted and documented within 30 days of its release. If there is some technical reason that a patch should not be installed, that reason needs to be documented along with the mitigating actions taken to protect against the threat addressed by the patch.
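The two documentation checks described above (evaluation within 30 days of release, and a recorded reason plus mitigating action for any patch not installed) can be run over a patch register. This is an added example, not part of the original post or of the standard; the record layout, patch identifiers, dates and review date are constructed.

```python
from datetime import date, timedelta

EVALUATION_WINDOW = timedelta(days=30)  # evaluation due within 30 days of release
REVIEW_DATE = date(2008, 3, 20)         # constructed "today" for the sample run

# Constructed patch register; field names are assumptions for this example.
PATCHES = [
    {"id": "PATCH-A", "released": date(2008, 1, 8), "evaluated": date(2008, 1, 22),
     "decision": "install", "reason": "", "mitigation": ""},
    {"id": "PATCH-B", "released": date(2008, 1, 8), "evaluated": date(2008, 2, 20),
     "decision": "install", "reason": "", "mitigation": ""},
    {"id": "PATCH-C", "released": date(2008, 2, 12), "evaluated": date(2008, 2, 25),
     "decision": "do-not-install", "reason": "breaks HMI vendor driver", "mitigation": ""},
    {"id": "PATCH-D", "released": date(2008, 2, 12), "evaluated": None,
     "decision": "", "reason": "", "mitigation": ""},
]

def findings(patch, today):
    """Return the list of documentation gaps for one patch record."""
    issues = []
    deadline = patch["released"] + EVALUATION_WINDOW
    if patch["evaluated"] is None:
        if today > deadline:
            issues.append(f"no evaluation on record; was due {deadline}")
    elif patch["evaluated"] > deadline:
        late = (patch["evaluated"] - deadline).days
        issues.append(f"evaluated {late} days after the 30-day window")
    if patch["decision"] == "do-not-install":
        if not patch["reason"].strip():
            issues.append("not installed but no technical reason documented")
        if not patch["mitigation"].strip():
            issues.append("not installed but no mitigating action documented")
    return issues

def review(patches, today):
    """Map patch id -> findings, omitting records with nothing to report."""
    report = {p["id"]: findings(p, today) for p in patches}
    return {pid: issues for pid, issues in report.items() if issues}

if __name__ == "__main__":
    for pid, issues in review(PATCHES, REVIEW_DATE).items():
        for issue in issues:
            print(f"{pid}: {issue}")
```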


Malicious Software Prevention


Most computer users are aware of anti-virus software. This standard requires the use of “…anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).” (CIP-007-1 R4 page 2) This provision also requires that a management system be established to track, evaluate, test and install updates and malware signatures.


Account Management


This standard requires that Responsible Entities “shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.” (CIP-007-1 R5 page 2) This section provides minimum standards for password management. Passwords (R5.3 page 3) must:


· Be a minimum of six characters, and
· Consist of a combination of alpha, numeric, and “special” characters, and
· Be changed at least annually or more frequently based on risk.


Security Status Monitoring


Responsible Entities are required to “implement automated tools or organizational process controls to monitor system events that are related to cyber security.” (CIP-007-1 R6, page 3) Either system must provide for issuing security alerts. Logs of these security events must be maintained and reviewed periodically.


Disposal or Redeployment


The cyber assets within the electronic security perimeter will not stay there forever. Equipment updates and process changes will require equipment to be removed from that system. This standard includes requirements to “establish formal methods, processes, and procedures for disposal or redeployment of Cyber Assets within the Electronic Security Perimeter(s)….” (CIP-007-1 R7 page 4) These processes must include the erasing of stored data to prevent unauthorized retrieval of security data.


Chemical Facilities


Once again it becomes obvious that cyber security issues are a lot more complex than just requiring passwords to access control systems. The technical requirements of this standard for evaluating and testing patches and software updates alone argue for the participation of an IT security professional in the security planning process.
