By Michiko Sell, Supervisor NERC CIP Services
Often times we are fully dependent upon ‘implementation plans’ or ‘proposed builds’ that are provided by Original Equipment Manufacturers (OEMs) of Industrial Control Systems (ICS). If asked “do things ever go as planned?” that will likely result in a resounding “no!”. Well, why should we assume that these plans and proposals are any different when it comes to our network configurations?
When implementing any new and/ or changes to your network architecture, do you employ any type of management of change process? Does anyone review the deployed configuration to reconcile it to the approved plan or proposed configuration? Are all ports and services reviewed for necessity? Are connections to the BCS via routable protocols? Can you monitor external traffic to your protected systems?
Well, if you are an owner of a high or medium impact BES Cyber System, the answer should be “absolutely”. How about for the low impact BES Cyber Systems? How about for your non-CIP systems? If not, why not? Is it time, resources, or lack of management support? How comfortable are you with the security of your BES Cyber System from an attack that originates from the business or corporate network? Remember not all threats are external to your entity too. Still comfortable?
Ultimately, you need to know what your network configurations and network connectivity are. Plans and proposals and supporting documentation may not be what was installed and may have likely morphed over the years to be something very different. As our business needs change and communications requirements are stretched, we cannot depend on what others tell us about our systems. Especially if you are relying on documentation from years ago.
What was secure yesterday may not necessarily be secure today. Comb through your network configurations and network connectivity. Question your OEMs on the necessity of port and services used. Has the technology changed to impact the need of certain ports and services to provide contracted services? We know that cyber threats are evolving constantly. Has the OEM deployed additional security controls in response? Is your system current as configured?
If the access control devices are located at your facility, you should maintain a library of your current running configuration files for each device that controls access to your systems for both the Informational Technology (IT) and Operational Technology (OT) networks. These devices are the gateways into your systems. Even if dependent upon third party support of these devices, it is permissible and highly recommended that you have these running configuration files made available to you upon your request. If you do not know with certainty what is in place to secure your network connectivity, you may have a false sense of security.