DRAFT Voice Communications in a CIP Environment Critical Infrastructure Protection Committee Implementation Recommendation May 22, 2017

Transcription

1 DRAFT Voice Communications in a CIP Environment Critical Infrastructure Protection Committee Implementation Recommendation May 22, Introduction The Critical Infrastructure Protection Committee (CIPC) developed this document to provide implementation recommendations for CIP Reliability Standard CIP This document is not intended to establish new requirements under NERC s Reliability Standards, to modify the requirements in any existing reliability standards nor provide an Interpretation under Section 7 of the Standard Processes Manual. Additionally, there may be other ways to fulfill the obligations of the requirements that are not expressed within this document Background Voice communications have the potential to adversely impact the Bulk Electric System (BES). Voice communications may consist of directives from Reliability Coordinators, generator ramping and curtailment orders from a Generation Control Center, breaker operation requests from a Transmission Control Center, etc. These voice transactions may take various forms and be transmitted across many different technologies. Regardless of the transport mechanism, it is the information conveyed to the recipient during the voice transaction that has the potential to impact the BES Scope The purpose of this CIPC implementation recommendation is to assist NERC Registered Entities in developing an approach to categorizing voice communication systems, including those conducted over technology infrastructure such as Voice-over-IP (VoIP) telephony systems, under CIP Reliability Standard CIP This document also offers options for managing and protecting Cyber Assets that are used to transport voice communications in accordance with applicable NERC CIP Standards. The specific objectives of this guidance document are to: Provide implementation recommendations for the categorization of voice communications under Reliability Standard CIP Provide suggested guidance for the use and protection of Cyber Assets used for voice communications, particularly within Control Center environments, including issues surrounding authenticity and integrity.

2 This document provides guidance to Registered Entities in four areas: Differentiating voice transport technology from the voice communication asset itself Potential mechanisms for securing voice transactions Categorizing Cyber Assets used for transport of voice communication Options for securing voice transport Cyber Assets 1.3. Definitions The following definitions are provided to convey a common understanding of terms that are used in this document: VoIP Voice communication Voice-over-IP Verbal communication over telecommunications infrastructure which may be used by Registered Entity personnel to conduct a verbal transaction in support of BES reliability decision-making. 2 Voice Communications and Voice Transport Mechanisms Bulk Electric System (BES) operational decisions fall into one of two categories: automated or manual. Voice communication supports manual performance. Information and/or commands received via voice provide instructions for performing routine or emergency tasks. As such, voice communication alone cannot directly impact the BES. The decision rules and execution of those rules by humans is where impact to the BES can be realized. Regardless of underlying technology, voice communications fall into the category of decision support. They are used to support decision-making but cannot in and of themselves directly impact the reliability of the BES. The mechanism used to transport voice communication should be evaluated separately from the voice communication itself. Common transport mechanisms include but are not limited to: satellite phone, cellular phone, analog phone ( plain old telephone service [POTS]; public switched telephone network (PSTN]; Private Branch Exchange [PBX]), and VoIP phone. These mechanisms provide transport capability for voice transactions but take no direct actions to automatically impact the BES. 3 Categorization of Cyber Assets used for Voice Transport Cyber Assets used to support of voice communications need to be assessed to determine their impact on the reliable operation of the BES, per CIP Registered Entities should use the criteria in CIP to determine whether these are associated Cyber Assets, which, if compromised, pose a threat to the BES Cyber System by virtue of: (a) their location within the Electronic Security Perimeter (Protected Cyber Assets [PCAs]), or (b) the security control function they perform (Electronic Access Control or Monitoring Systems Implementation Recommendation Voice Communications in a CIP Environment 2

3 [EACMS] and Physical Access Control Systems [PACS]). Registered Entities should use the same criteria to evaluate Cyber Assets involved in voice communications as that used for categorizing and protecting other Cyber Assets. 3.1 Cyber Assets Used for Voice Transport designated as Protected Cyber Assets When Cyber Assets used to transport voice communications are located within a pre-defined Electronic Security Perimeter (ESP), they would be categorized as Protected Cyber Assets (PCAs) due to their direct relationship to a BCA. For security reasons, it is not recommended that a Registered Entity use a shared PBX or other telecommunications infrastructure for both voice transport across Cyber Assets within an ESP and those outside an ESP. In general, the security controls available on this type of technology platform are limited. Additionally, many of the platforms themselves do not allow for implementation of the full suite of requirements that are listed in the NERC CIP standards (e.g. CIP-005-5, Interactive Remote Access requirements). It is further recommended that Registered Entities consider relocating all voice transport Cyber Assets to outside an ESP all together for additional security. 3.2 Cyber Assets Used for Voice Transport designated as Electronic Access Control or Monitoring Systems [EACMS] [pending] Implementation Recommendation Voice Communications in a CIP Environment 3

4 3.3 Evaluation and Classification of Cyber Assets A nominal CIP decision tree is a guide for determining applicability and classification of Cyber Assets used in the transport of voice communications. Voice Transaction Cyber Asset Adverse BES Impact Within 15 Minutes? BCA Within an ESP? PCA Performs Physical Access Control? PACS Performs Electronic Access Control? EACMS Out of Scope Implementation Recommendation Voice Communications in a CIP Environment 4

5 4 Options for Securing Voice Transport Technologies When voice transport technologies are categorized as subject to the NERC CIP standards, various technical controls are available. Specific technical control guidance should be sought from vendors and/or by referring to standards such as NIST s SP and SP For purposes of this section, VoIP was selected for demonstrative purposes. Protections will vary based on technology type. 4.1 Example: VoIP Cyber Assets Fundamentally, VoIP infrastructures are similar to other networked environments consisting of endpoints (phones) and servers. It is important also consider whether the VoIP infrastructure would extend the ESP of a given BCS or negatively impact a Registered Entity s ability to comply with the CIP standards Hardware Phones Many dedicated VoIP phones have embedded operating systems. The capabilities of these platforms vary widely; however, all allow for configuration and software/firmware updates to be deployed either locally or remotely. As such, VoIP phones are likely to be defined as Cyber Assets and subject to the requirements of CIP as well as associated physical security and personnel security requirements for the BCS in which they are located. Many dedicated VoIP phones also contain embedded network switches and at least one additional Ethernet port. This allows for the phones to be placed in an environment without significant rewiring of a facility as they can be placed in-line by using existing Ethernet connections. These network interfaces should be assessed to determine if they could create an unintended access points into the ESP and, if so, be reconfigured and/or disabled. Hardware VoIP phones are often configured to automatically connect and receive configuration from a server/pbx. This functionality should be disallowed within ESPs at a network level in order to prevent the automatic accidental association/provisioning of undocumented and unsecured phones Software Phones VoIP phones are often implemented via software running on multi-use Cyber Assets such as desktop and laptop PCs. Thus, software phones would not necessarily be considered independent Cyber Assets; instead, the pre-existing categorization of the hosting asset as BCA or PCA would apply. In addition, VoIP software is often configured to automatically connect and receive configuration from a server/pbx. This functionality should be disallowed within ESPs at a network level in order to prevent automatic accidental provisioning of undocumented and unsecured phones. Implementation Recommendation Voice Communications in a CIP Environment 5

6 VoIP phone software also should be included with the Registered Entity s software management programs in place for CIP, such as patch management, baseline configuration management, etc VoIP servers / PBXes Unlike other Cyber Assets, those involved in providing telephone services are also exposed to risks associated with the phone network(s) being serviced. It is strongly recommended that VoIP phones (hardware or software) required within ESPs be connected to a dedicated server/pbx which does not cross the boundary of a given ESP. Security controls being implemented for the VoIP PCAs may not be appropriate for the non-cip VoIP phones. Additional administrative burden and/or user experience challenges within non-cip zones may not be desired. Implementation Recommendation Voice Communications in a CIP Environment 6