Introduction
In various forms, Critical Infrastructure Protection (CIP) is beginning to become "mandatory" for several sectors from 2024, which leaves 1 year to address the compliance tasks and be prepared. Given the computerization/digitalization of critical infrastructure, a large part of the compliance requirements relate to cybersecurity.
The CIP applies to power, financial, defence, transportation sectors, etc.
Refer to https://www.cisa.gov/2015-sector-specific-plans for more details.
The emphasis of CIP is on two things:
- Prevention and detection of attacks against the infrastructure, and
- Quick recovery and back-to-normal state after an unfortunate incident.
Preventing a malicious attack
This objective takes the defensive approach - putting in place checks and controls, erecting barriers and implementing access control, identity control, a hierarchical or role-based system of limited access, airgap / signal barrier control, prohibition of certain activities and segregation of duties, software security assurance (vulnerability assessment and pen-test), software component supply chain assurance, etc.
Most organizations have some controls and practices in operation, but many do not have these documented, and they do not practice the controls and checks on a consistent basis. One of the main challenges in demonstrating compliance is formalizing the practices already in place and identifying absent controls and checks - a process called Gap Analysis.
As an example, for power utilities and infrastructure organizations, the following cybersecurity requirements are mandatory.
- CIP-002-5.1a, CIP-003-7, CIP-004-6, CIP-005 (R1,R2,R4,R5), CIP-005-5-R2, CIP-005-6-R2 (for a vendor to Support CIP compliance requirements of a CIP-covered organization).
- CIP-007 specific requirements:
  - Vulnerability assessment and documented processes for port scanning report (CIP-007-6-R1)
  - Patch management and outstanding vulnerabilities report (CIP-007-6-R2)
  - Malware protection (CIP-007-6-R3)
  - Logging and monitoring (CIP-007-6-R4)
  - System and application access control and privilege management (CIP-007-6-R5)
- Security incident response plan, implementation, review/update, communication and drill/test - CIP-008-5 (R1-R3)
- Disaster recovery plan, implementation, review/update and drill/test - CIP-009-6 (R1-R3)
- Change management and vulnerability assessment plan, implementation, review/update and drill/test - CIP-010-2 (R1-R3), CIP-010-3 (R1-R3)
- Information protection plan, process, and implementation of controls - CIP-011-2, R1
- Supply chain security (CIP-013)
Each vendor of a CIP-covered organization - whether a software, hardware, or IT services vendor - is also required to support the organization with appropriate controls and prevention checks, and to provide evidence of access control mechanisms, software security assurance, and software/hardware supply chain assurance. In addition, keeping track of software updates / upgrades, and security vulnerability monitoring and assessment, is a huge challenge.
Many organizations struggle with high-quality software security assurance in areas such as:
- Access control
- Adequate logging and alerting mechanism
- Comprehensive listing of software components obtained from 3rd parties but included in the product
- Assurance of tamper-evident product (including software binaries)
- Implementation of intrusion prevention systems (in software and hardware)
Early and quick detection of attacks against infrastructure
Several well-known mechanisms are mandated by CIP requirements, such as:
- Continuous monitoring and alerting
- Adequate logging
- Intrusion detection and firewall systems
- Assurance of tamper-evident product (including software binaries)
- (Distributed) denial of service attack detection
- Incident reporting and management, etc.
While many organizations have some controls in place, they almost always fall short in monitoring and incident management on a consistent basis. Responding to alerts and event logs also takes a lot of discipline and resources, even when the overwhelming proportion of reported events require no action or response.
Quick recovery and back to normal state
In case of an event that requires response, organizations face challenges such as:
- Access and training for corresponding SOP, DR procedures for all the infrastructure components (software and hardware)
- Listing all IT resources with their product versions
- Intrusion detection and firewall systems
- Listing all users with access to the products and level of access
Documents and resource links are often found to be inadequate or outdated, and training ineffective. An integrated plan of action is usually missing or not practicable, with missing/inadequate/outdated information on the steps to be taken. Software/hardware and IT services vendors must be highly supportive of the CIP-compliant organization: participating in mock drills, preparing integrated plans and procedures, and maintaining an up-to-date list of deployed versions of software/hardware with the corresponding DR steps. Such diligent support helps the customer with a real-life, practical demonstration of compliance and readiness to respond to unfortunate events.
Why contact cyberSecurist
cyberSecurist specializes in addressing the software security assurance, software updates, vulnerability monitoring and software supply chain assurance aspects, in addition to the process / procedures / controls and management of compliance auditing. Whether you run an on-premises data center or hybrid cloud systems, we have expert engineers who will bring your organization up to the expectations of CIP requirements, and support you in your continuous compliance tasks. We are agnostic to the cybersecurity tools used by your organization, and can work in any environment with a mix of cybersecurity tools from different vendors to ensure they serve your purpose, so that you are assured of meeting the following objectives.