Electricity is a key component of the fabric of modern society and the Electric Reliability Organization (ERO), which is comprised of the North American Electric Reliability Corporation (NERC) and the six Regional Entities (Res), has a vision of ensuring a highly reliable and secure North American bulk power system (BPS). Some of the main objectives within this vision are ensuring the Cyber Systems and their associated Cyber Assets are protected against malicious activities and mis-operations.
NERC CIP is a set of standards designed to do just that. These standards provide requirements to protect the Bulk Electric System Cyber Systems (BCS) against potential cyber-attacks. New versions of these standards are adopted as an opportunity to strengthen the electric industry’s risk mitigation efforts.
On March 16th, 2023, FERC approved a new version of the NERC CIP-003 Standard. This is known as NERC CIP-003-9. In this new version, the changes put an emphasis on “Supply Chain Risk Management.” As electric industry entities are heavily dependent on vendors, contractors, and service providers for their BCS, there was a need to ensure appropriate controls were in place such that suppliers did not impose undo risk.
In NERC CIP-003-9 Requirement 2, entities that have identified assets containing low impact BES Cyber systems must have controls in place to adhere to their plans in accordance with Attachment 1. The addition for this version is Section 6 of this Attachment 1.
In this new section, entities registered as Generation Operators, Generation Owners, Reliability Coordinator, Transmission Operator, and/or Transmission Owners with low-impact BCS must implement a process to mitigate risk associated with vendor electronic remote access. This process must include the ability to:
- Determine vendor electronic remote access
- Ability to disable vendor electronic remote access
- And to detect known or suspected inbound and outbound malicious communications for vendor electronic remote access
ConsoleWorks and NERC CIP-003-9
NERC CIP regulations were first implemented in 2008 with multiple variations as threats escalated and as BPS entities automated more of their operations. Some may be thinking “if low-impact BCS’s exist, are there medium and high ones too?”. The answer to that is yes, but for the sake of time we will focus on only the low-impact asset owners.
For NERC CIP-003 version 9 the changes specifically focus on the risks associated to the low impact BCS, however the need for secure electronic remote access is not new or unique to the NERC CIP standards. These same controls have been in place for high and medium impact assets since 2015.
ConsoleWorks has been involved, engaged and providing solutions for electric system entities with high and medium impact BCS to ensure that their vendor, contractor and employees’ electronic remote access is secure, monitored and controlled.
Entities with high and medium impact BCS using ConsoleWorks as their Cybersecurity Operations Platform meet and exceed their regulatory compliance requirements and can leverage these same benefits, expanding the controls to their low impact BCS. For those entities that own high, medium and low impact assets that have not looked at how ConsoleWorks solves cyber security and compliance needs, let me take a moment and introduce you to your next platform. Likewise, for those entities that only have low-impact BCS and are now designing and planning for NERC CIP-003-9, we would like to provide you with the knowledge to choose ConsoleWorks as your platform.
The ConsoleWorks platform is built from the ground up to support the subtle (but extremely important) requirements of mission-critical applications across numerous architectures. It is a single platform for your critical infrastructure security, operations and compliance.
ConsoleWorks is the first solution to offer a unified system for cybersecurity personnel and operations personnel. It provides the same functionality regardless of business function or vendor, minimizing the number of technologies needed for the management of IEDs and other IT and OT assets. Core functionality includes, but is not limited to the following:
• Centralized Operations Portal
• Secure Remote Access w/ protocol break and session control
• Privileged Access Management
• Role-Based Access Management
• Policy Based Connection Types defined by User Role
• Device grouping by location and asset type
• Asset, Patch and Configuration Management
• Password Management and Control for endpoints (Assets)
• Logging, Event Management and Situational Awareness
• Pre-Defined and Custom Reporting
• Compliance Evidence Generation
Understanding NERC CIP-003-9
To gain a thorough understanding of each of these solutions, we would be more than happy to take the time to do a deep dive with you. For now, let’s focus on how these functions solve the requirements of NERC CIP-003-9. To do so, let’s dissect each functional requirement of the standard. Section 6 reads:
“Vendor Electronic Remote Access Security Controls: For assets containing low impact BES Cyber System(s) identified pursuant to CIP‐002, that allow vendor electronic remote access, the Responsible Entity shall implement a process to mitigate risks associated with vendor electronic remote access, where such access has been established under Section 3.1. These processes shall include:
6.1 One or more method(s) for determining vendor electronic remote access;
6.2 One or more method(s) for disabling vendor electronic remote access; and
6.3 One or more method(s) for detecting known or suspected inbound and outbound malicious communications for vendor electronic remote access”
ConsoleWorks secure remote access first starts with an architectural discussion on where to deploy your solution as each entity has different operational needs and different levels of risk tolerance. Once the architecture is determined and the appropriate controls are in place, the real magic starts to happen. The session journey starts by encrypting the initial connection between the end user’s device and the ConsoleWorks portal using an encrypted SSL/TLS (https) tunnel. Once this connection is established, it only allows the end user to see the front-end portal to ConsoleWorks to begin the authentication.
Authentication begins by interrogating the end user for information, known as credentials, in order to validate the user’s identity. This information can be configured and stored either in ConsoleWorks’ local access, remote identity management tools, and/or your MFA infrastructure. After the identity has been validated, that same identity goes through a series of authorization challenges to determine what access the identity has been provisioned for.
RBAC is used then to determine the end user’s visibility to devices, connection type, logs and even commands the user can execute. Keep in mind that we still haven’t connected remotely to any BCS assets yet. Once these controls have been satisfied, the end user can then either initiate, or request to initiate, a remote session with the devices that they are authorized to connect to.
This ensures that ConsoleWorks establishes, owns and controls each session to the asset within the OT environment. To the end user, the connection seems to be just a simple action of “Connect,” but behind the scenes ConsoleWorks connects on behalf of the end user to the assets using the native remote connectivity protocols of the asset.
One of the unique characteristics of ConsoleWorks, especially relevant for vendor support electronic remote access, is that the remote connection can be established all the way down to the Intelligent Electronic Device (PLC, RTU, RTAC) beyond the Human Machine Interface (HMI).
Since ConsoleWorks is the broker between the end user device and the cyber asset in the field, there are many actions that can be taken during each step of the connection chain. First and foremost, alerts can be sent to the asset owner when a vendor simply hits the front-end portal of ConsoleWorks. Within the RBAM the entity can define whether the vendor is allowed to authenticate and be provisioned to remotely connect to the cyber asset, or they can determine that an approval needs to occur at each request for access to devices.
ConsoleWorks provides an additional authorization workflow prior to allowing the connection. This essentially means that the vendor’s role only sees the assets you provision to them. To connect to the requested device, the user needs to submit a “Request for Access” to the authorizing personnel before they can connect.
That workflow allows the entity to validate the request and allow the connection with parameters such as when, where, what and how. Both features help in resolving Section 6 requirement 6.1 for determining vendor electronic remote access.
ConsoleWorks can also disable a vendor’s electronic remote access. Above we discussed the alerting, monitoring, and provisioning of remote access for vendors. This is important to understand because during these phases a decision is made on whether to allow or terminate a request to connect by the vendor and what systems and activities the vendor can perform. However, once a session is established by the vendor, how do we terminate that session?
Once a session is established, ConsoleWorks begins recording and monitoring every activity within that session. Most typical remote access solutions only record the session’s authentication, authorization, and creation. ConsoleWorks records every keystroke and pixel of the remote session. Why is this important? Because this is where parameters can be established for automated session termination along with alerts and reports for your compliance evidence are captured.
As mentioned, activities known as “events” can trigger automatic session termination and account lockouts. They can also send alerts that trigger the asset owner to terminate the vendor’s electronic remote access or simply allow the entity to login and shadow watch the vendor’s activities.
While this is for describing how to terminate a vendor’s electronic remote access, there is also the benefit of having the ability to provide a secure, logged and controlled, shared remote session for business operations. This would be where the vendor connects to the asset and the system administrator or device engineer, can work alongside the vendor as a co-pilot in the same remote session.
ConsoleWorks ensures that during the establishment of the vendor electronic remote access and through the activities of the session, strict controls are put in place that assist in detecting known or suspected malicious activities.
As mentioned previously, connections through ConsoleWorks are established over an encrypted tunnel and any access attempts not utilizing the authorized and defined tunnel are logged with action capability based on the events. RBAM and access control events are also monitored for malicious activity and can be correlated and alerted upon as well.
Adding to the detection of malicious inbound and outbound communication, ConsoleWorks establishes sessions on behalf of the user and these session protocols are controlled down to specific ports and service. Any attempts to connect in any other manner are recorded, correlated and alerted upon. Additionally, command sets can be blacklisted or whitelisted.
This means the commands that can be executed are limited to only those that have been authorized, and any unauthorized command communication structures are mitigated, recorded and provide alerting. Because these keystrokes are captured, events can be correlated to provide an automated termination of the vendor’s electronic remote access if the activity is determined to be suspicious.
Taking Your Next Steps to NERC CIP Compliance
ConsoleWorks provides a complete cybersecurity platform that provides entities the ability to manage their generation, transmission and distribution control system environment’s remote electronic access with more security and compliance controls on a single platform.
The mitigation of unauthorized changes, compromise from uncontrolled and unauthorized access, and the limitation of security controls in ICS equipment are a few of the reasons supply chain vendor risk mitigation is important and why the new NERC CIP-003-9 has been adopted.
ConsoleWorks is here to provide the necessary mitigation measures for entities to achieve compliance, increase situational awareness, improve cyber security maturity and do all this from a single solution.
We can help you achieve compliance with NERC CIP-003-9 as well as your other NERC CIP Standards and requirements needs. You can contact us here to start that conversation or email info@tditechnologies.com.
