by Michiko Sell, Supervisor NERC Services
NAES NERC has been actively evaluating the network security controls implemented by third party OEMs of Industrial Control Systems for several registered entities. Recently E-ISAC released a Cyber Bulletin (Posting ID 138889) regarding a possible misconfiguration leading to the security vulnerability for the Siemens SPPA-T3000 control system. Since January 1, 2020, CIP-003-7 Requirement 2, Attachment 1, Section 3 – Electronic Access Controls for Low Impact Bulk Electric System Cyber System (BCS) owners, requires that only necessary inbound and outbound routable communications between a Low Impact BCS to a Cyber Asset outside of the asset containing the Low Impact BCS be permitted. This requirement applies to all OEMs that not only provide off-site monitoring and remote tuning and instrumentation services, but who also support the routers and firewalls that control these routable communication paths to facilities outside of the registered entity’s physical boundary. As an operator of hundreds of generation facilities, NAES has worked closely with Siemens, GE and other third-party support providers to evaluate cyber security issues that may expose entities to undue risk developing valuable expertise. To date, the CIP Team has successfully engaged in numerous EAC evaluations since 2019 both internal and external to the NAES fleet.