Low-Impact Requirements: Counting Down to Enforcement of CIP-003-6
Sept. 1, 2017, marked the start of the one-year countdown to enforcement of the CIP-003-6 low-impact requirements covering Physical Security Controls and Electronic Access Controls. While an entire year might seem like a long time, meeting that deadline still could be a challenge for some.
Existing physical access controls have, for the most part, met the Standards Requirements, only requiring the creation of documentation of those controls. Meanwhile, the implementation of Electronic Access Controls has proved to be more of a challenge, especially for entities with existing routable communications. In many cases, these routable communications have been in place for years and were originally managed using router technology for the express purpose of routing traffic into the facility without a focus on enhanced filtering.
With CIP-003-6 and the updated CIP-003-7 Electronic Access Controls submitted for Federal Energy Regulatory Commission (FERC) approval, documentation will be required to track the inbound and outbound communications the Responsible Entity “deems necessary.” For that documentation, there have been many questions on what is required, with the most common question being, “Isn’t the Access Control List sufficient documentation?” The answer is a resounding no.
Regional Entities have indicated they are looking for documentation similar to what is expected for CIP-005-5, Requirement R1, Part 1.3 — technical and operational justification for the allowed communications. The technical information has been, for the most part, easy to determine; however, the operational information has been more of a challenge. Several tools, such as Wireshark, are available to collect the information necessary to assist in determining the operational information, and in many cases, can identify communication traffic that should not be allowed.
Failure to provide the necessary documentation to the Regional Entities puts Responsible Entities in a position that may not satisfy the requirements. This could result in a minimum of an Area of Concern and, at the most, a Potential Violation.