
Are You Ready for Upcoming NERC Reliability Standard CIP-003-9 Changes?

By Hugo Perez

How prepared are you for upcoming changes involving NERC Reliability Standard CIP-003-9? Notably, one major upcoming change requires Low Impact Entities to develop a Vendor Electronic Remote Access Program.

The Vendor Electronic Remote Access Program must consist of three parts: 

  1. A method to determine a vendor-established electronic remote connection 
  2. A method to disable a vendor’s electronic remote connection 
  3. A method to detect known malicious or suspicious traffic on the electronic remote connection 

Any vendor-initiated connection into the Entity’s network from outside must be determined, disconnected/prevented when necessary, and monitored for malicious activity. 

One challenge for some Entities is understanding what is considered remote access and what is not. Remote access is when a vendor establishes a bi-directional connection into the systems that they support to perform work, such as patching, troubleshooting, or configuration updates. A unidirectional connection that leaves the site to provide data, such as telemetry or error logs, would not be considered remote access.

Determine 

Various methods are available to determine Vendor Electronic Remote Access. A simplified method consists of having a documented process that pre-authorizes the connection. This method is also beneficial in that it can provide additional evidence in support of CIP-003-9 Attachment 1 Section 3 Electronic Access Controls. An alternative method would require establishing a connection where the vendor must first contact the site, the site then permits access, and the connection is shut off once the communication is complete.
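One way to put the pre-authorization method to work is to compare firewall session records against the documented authorization register. The sketch below is an added example, not part of the original article or any NERC material; it assumes the firewall log records which side initiated each session, and every network range, vendor name, and session record in it is constructed.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# All values below are constructed for illustration (documentation address ranges).
SITE_NET = ip_network("10.20.0.0/16")                      # assumed site network
VENDOR_NETS = {"vendor-a": ip_network("203.0.113.0/28")}   # assumed vendor source range
# Pre-authorization register: vendor -> approved (start, end) work windows.
PREAUTH = {"vendor-a": [("2025-03-04T08:00", "2025-03-04T12:00")]}

# Constructed firewall session records: (start time, initiator, responder).
SESSIONS = [
    ("2025-03-04T09:15", "203.0.113.5", "10.20.1.10"),   # vendor, inside window
    ("2025-03-05T02:40", "203.0.113.5", "10.20.1.10"),   # vendor, outside window
    ("2025-03-04T09:20", "10.20.1.10", "203.0.113.9"),   # site pushing telemetry out
    ("2025-03-04T10:00", "198.51.100.7", "10.20.1.10"),  # inbound, source not registered
]

def vendor_for(addr):
    """Return the registered vendor whose source range contains addr, else None."""
    return next((name for name, net in VENDOR_NETS.items() if addr in net), None)

def classify(start, initiator, responder):
    """Label one session by who initiated it and whether it was pre-authorized."""
    when = datetime.fromisoformat(start)
    src, dst = ip_address(initiator), ip_address(responder)
    if src in SITE_NET:
        return "site-initiated-outbound"      # e.g. telemetry or error logs leaving the site
    if dst not in SITE_NET:
        return "not-site-traffic"
    vendor = vendor_for(src)
    if vendor is None:
        return "inbound-unregistered-source"  # not a known vendor range: investigate
    for begin, end in PREAUTH.get(vendor, []):
        if datetime.fromisoformat(begin) <= when <= datetime.fromisoformat(end):
            return "vendor-access-preauthorized"
    return "vendor-access-not-preauthorized"  # candidate for the disable procedure

def review(sessions):
    """Return (label, session) pairs for every record."""
    return [(classify(*s), s) for s in sessions]

if __name__ == "__main__":
    for label, (start, src, dst) in review(SESSIONS):
        print(f"{start}  {src:>14} -> {dst:<14} {label}")
```

The saved output of such a review, kept alongside the authorization register, is the kind of record that can support the documented process.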

Disable 

Disabling or preventing future access attempts can be implemented with basic methods. On the physical side, disconnecting an Ethernet cable will stop remote access. On the electronic side, adjusting firewall rules or disabling remote access accounts will stop remote access.

Detect 

Detection of known malicious or suspicious communications can be accomplished in a few ways, including installing anti-malware software, having an Intrusion Detection System (IDS) with alert capabilities, or implementing an Intrusion Prevention System (IPS) that can perform immediate termination and blocking.

Understanding whether an entity is considered a vendor is not always straightforward. For example, a Generator Owner (GO) that contracts with a Generator Operator (GOP) falls within the definition of an Entity-vendor relationship. The GOP is providing a service to the GO and therefore must fall under the CIP-003-9 Vendor Electronic Remote Access Program. As the GOP is also serving as a Responsible Entity for the site, it cannot be disconnected arbitrarily. Coordination between the GO and GOP must ensure that the site remains operational during adverse events.

When such adverse events occur, the GO would need to make an earnest effort to contact the GOP prior to severing the Electronic Remote Connection, ensuring that the site can continue operating. It is very important to have well-established procedures between the GO and GOP that document the connection and outline the methods in place to ensure proper operation of the site.

How EPE Can Help

At EPE, our team has expertise in NERC-CIP matters across North America and can help you navigate this topic with confidence and ease. To explore opportunities for collaboration to address your power system reliability and security needs, contact us using the form below.
