This shouldn't come as a surprise. Lowering scope to achieve compliance is commonplace. Yet when things are moved out of scope, there is a risk of widening one or more attack surfaces. By sticking to CIP, however, does the juggling of scope hurt the overall goal of security? Not really.
"The security programs [at installations required to comply with CIP] work because of the layered security controls. It is a defense-in-depth mentality, and because the attack surfaces – while significant – are so few and so specialized, and so well-obfuscated, these security programs work," said Phil Grimes, senior security consultant with RedLegg Security Services.
Grimes spent years helping entities that operate critical infrastructure better understand their security posture, and in some cases helped determine CIP compliance. "CIP does work. That's why we haven't seen a major breach in the U.S. or Canada. We've seen this kind of thing happen in other places, but because of these protections, it's proven to work. But it's not the end-all, be-all."
So, after an entity achieves CIP compliance, where do the weak points still exist? CSO Online asked Grimes to share some war stories, which we've outlined by section below. However, there is an interesting crossover, as many of the problems Grimes outlined can also apply to organizations outside of the energy sector.
CIP-004-6 (personnel and training)
Awareness programs. Every company has them for the most part, and some are more effective than others. However, when it comes to CIP, the focus is more on the existence of a policy that outlines quarterly awareness training that discusses cybersecurity practices. Such training could include physical security practices as well. However, what these programs actually consist of is left to the facility itself to determine.
This section also includes identity confirmation for personnel, a process for checking and evaluating criminal history, and personnel risk assessments. There is also a requirement for audit records addressing identity and access management (IAM) and electronic access.
The IAM-related records have to be assessed once every 15 months, and show that user accounts, account groups, roles and privileges are correct and updated. This is where most facilities get into trouble, because the documentation often isn't updated, or accounts for those who left the company are not deactivated within an acceptable amount of time.
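The review described above, as an added example that is not from the article or from RedLegg: it runs the 15-month access reassessment over a constructed HR roster, directory export and role baseline, flagging the three failures the text names (departed users still enabled, privilege drift, accounts with no documented owner). The 24-hour deactivation window, the account names and the group names are assumptions.

```python
"""Added example (not the article's or RedLegg's code): a small CIP-004-style
access review over constructed data. The 15-month cadence and the expectation
that departed users' accounts are deactivated promptly come from the article;
the 24-hour deactivation window is an assumed policy value."""
import calendar
from datetime import date, timedelta

# Constructed HR roster: separation date, or None if still employed.
HR_ROSTER = {"alice": None, "bob": date(2023, 3, 1), "carol": date(2023, 4, 10)}
# Constructed directory export: account status and group memberships.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "groups": {"scada-operators"}},
    {"user": "bob", "enabled": True, "groups": {"scada-operators", "domain-admins"}},
    {"user": "carol", "enabled": False, "groups": {"scada-operators"}},
    {"user": "svc_hist", "enabled": True, "groups": {"historian-readers"}},
]
# Assumed role baseline: the groups each person's role entitles them to.
ROLE_BASELINE = {"alice": {"scada-operators"}, "bob": {"scada-operators"},
                 "carol": {"scada-operators"}}
DEACTIVATION_WINDOW = timedelta(hours=24)  # assumed policy value
AS_OF = date(2023, 4, 11)                  # constructed review date
LAST_REVIEW = date(2023, 1, 31)            # constructed previous assessment


def review_access(accounts, roster, baseline, as_of):
    """Return (user, finding) pairs for stale accounts of departed staff,
    privileges beyond the role baseline, and accounts with no HR owner."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if user not in roster:
            findings.append((user, "no owner in HR roster"))
            continue
        left = roster[user]
        if left is not None and acct["enabled"] and as_of - left > DEACTIVATION_WINDOW:
            findings.append((user, f"still enabled {(as_of - left).days} days after departure"))
        extra = acct["groups"] - baseline.get(user, set())
        if extra:
            findings.append((user, "privileges beyond role baseline: " + ", ".join(sorted(extra))))
    return findings


def next_review_due(last_review):
    """Latest date the next assessment may fall on under the 15-month cadence."""
    month_index = last_review.month - 1 + 15
    year, month = last_review.year + month_index // 12, month_index % 12 + 1
    day = min(last_review.day, calendar.monthrange(year, month)[1])  # clamp to month end
    return date(year, month, day)


if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, HR_ROSTER, ROLE_BASELINE, AS_OF):
        print(f"{user}: {finding}")
    print("next review due by", next_review_due(LAST_REVIEW))
```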
However, while awareness training and access monitoring are important to CIP, the people are almost always placed out of scope when a consultant arrives to conduct testing. "Every time a consultant comes in to perform an assessment, the people are out of scope. Attacking this surface is out of scope in almost every engagement, because [the organization] knows they're going to lose. They know that this part of the program is weak, and they refuse to implement something stronger, because it means that we have to invest in our people, and they don't want to do it. It's not a blinking box that we can configure and leave it be," Grimes said.