CIP-005-5 (electronic security perimeter)
The electronic security perimeter (ESP) encloses the control systems, server room, telecom room and similar areas. The critical cyber assets fall under this section of CIP. For the most part, entities covered by CIP spend a good deal of time and energy constructing a hard exterior (the ESP), but the assets contained within – the guts – are soft. "We're talking fairytale darkness here, all of the stuff you see on television when the power grid goes down, that's going to happen when the ESP is successfully breached," Grimes said.
You would think the ESP would be the ultimate hard point, but in most cases it isn't. Physical access controls (PACs) are not covered under the ESP section. Video cameras, for example, are a weak point, since they are not considered part of the ESP.
A lot of facilities have high-tech cameras in place, but they are not maintaining these systems. Instead, the cameras often run with default credentials and are regularly left in a state that resembles a test environment rather than production.
"By trivializing the severity of the importance of an asset, and not including it in the ESP or not properly protecting in the ESP – these can then be used for further attacks," Grimes adds. As such, attackers can use these ancillary systems to stage further attacks that can result in a physical breach of the ESP.
"Why we haven't seen that, frankly, I'm amazed. Because, the state of some of the facilities I've walked into, if somebody really wanted to get in there, they probably already have and just haven't caused any damage," he says, comparing the situation to Swiss cheese.
Compounding the issue with ESP security are the technical feasibility exceptions (TFEs). These systems are outdated, in severe need of a patch, or easily knocked offline. In many cases there is no known vulnerability in these systems, Grimes said, but the critical nature of the operation makes any potential disruption a risk the business is unwilling to accept.
While these systems are exempt from scope, Grimes added, they are often significantly out of date (e.g., Windows 2003, Windows XP), poorly defended, or poorly maintained. Nevertheless, the organization will accept that risk, the potential damage notwithstanding.
CIP-006-6 (physical security)
This is where physical access to systems comes into play, and for the most part focuses on policies supporting a specific physical security plan.
PAC systems are covered here, as well as human security, fences, seismic monitoring, video monitoring and locks. Yet, the documented existence of these controls is all a facility needs to ensure CIP compliance. The technical aspect of these systems is secondary, assuming it becomes a consideration at all (it rarely does). "I've had one instance where I found a video monitoring system exposed to the internet with default credentials on a high-level BES (bulk electric system) cyber asset," Grimes explained.