The Deadline is Here: Are your laptops and tablets ready for new cybersecurity regulations?
Many utilities worked around the clock to get in compliance with the CIP V5/6 requirements that went into effect on July 1, 2016. But one particularly impactful requirement didn’t go into effect along with the others: the Transient Cyber Asset (TCA) requirement that applies to laptops and USB drives used by field personnel. This requirement went into effect on April 1, 2017, after a 9-month buffer for utilities to get in compliance.
The TCA requirement is meant to secure one of the most vulnerable links – the laptop computers and tablets that are brought into sensitive environments such as substations. As FERC noted in Order 791, such transient devices can move between electronic security perimeters and could spread malware across Bulk Electric System (BES) Cyber Systems.
A notable aspect of the TCA requirements is that they apply even to laptops that are used to connect to a BES Cyber Asset (BCA) exclusively via a serial port. While devices that only use serial communications were excluded from CIP V3, the BCA definition in CIP V5/6 is more general and includes any programmable electronic device, regardless of the means of communication. The bottom line is, if you are an asset management professional who uses a laptop or a tablet to connect to grid assets, your mobile device now has to meet this new NERC CIP requirement.
Current Challenges
So now that the TCA requirement is in effect, are utilities compliant? Many utilities that initially tried in-house IT hardening techniques are running into some common issues:
- OLD ASSETS: Due to the age of some of the BCA, such as old relays, the software applications used to test them might require Windows XP or some other legacy environment. IT hardening typically disallows such software applications.
- TESTING TROUBLES: Unforeseen circumstances come up in the field, such as the need to connect to serial ports through a locked-down USB port. In the remote facilities where the testing occurs, these cannot be easily solved without providing administrative rights to the tester.
So what is the right approach?
Start with the work processes that need to be protected and tailor IT security controls to them. The following are some of the elements of the test and maintenance work process:
- The correct test plans and configurations are needed for the task at hand.
- The test results need to be provided to the appropriate storage systems.
- The facilities may be remote without easy access to technical support for issues that arise.
- Various ports such as Ethernet, USB, and Serial are needed to connect to the BCA and the test instrument.
- Some of the BCA are old and can only be tested using old, unsupported software.
In order to facilitate these features, the following elements are needed:
- Transparent communication that automatically syncs the test plans and results on the device with the relevant servers and does it securely.
- Communication management that disables external communication while connected to BCA.
- Secure remote support that meets the NERC CIP requirements.
- Port management that enables the ports appropriate for the testing task at hand, while keeping the unnecessary ones disabled.
- A secure environment for executing the old, unsupported software that is needed to test the aged BCA.
Doble is helping our customers implement compliant testing programs that meet and exceed new regulations for transient cyber assets.
Additional Resources
- NERC Glossary of Terms
- NERC Standards and Effective Dates
- NERC CIP-010-2 Requirement R4 for Transient Cyber Assets and Removable Media
- Blog Post: Cyber Security Regulations are Changing – Is Your Testing Program Ready?