Changes in NERC CIP v5 – Enforcing Remote Access Requirements
by Yariv Lenchner
The North American Electric Reliability Corporation (NERC) recently approved the latest version of the Critical Infrastructure Protection (CIP) standards. Some of the biggest changes in the new standard revolve around how utilities are monitoring and controlling remote access to critical systems.
The updates to the standard are not new to the industry. In fact, many of the changes were previously outlined in NERC’s industry advisory on remote access guidance. In v5, the prior recommendations have become requirements. This is a clear demonstration that NERC and the industry see an existing and growing threat to critical infrastructure through existing remote access methods.
So what are the primary remote access requirements that NERC will now be enforcing?
While there is significant confusion over the broad requirements, the NERC CIP v5 privileged access guidelines are clear. They require that a terminated employee have all remote access capabilities revoked within 24 hours of their departure. In addition, any shared password that the employee had access to must be changed within 30 days.
Both requirements are best practices that every business should employ. What’s interesting about this regulation is that shared accounts, which are typically privileged or administrative accounts, represent a greater threat to any organization because of the broad access they can provide to anyone with the password. Shared accounts are typically treated with much stricter requirements than regular user access accounts.
The problem for utilities is that these shared accounts are typically used on a daily basis by several employees and even contractors. Immediately changing these passwords when an employee leaves the organization could prevent access to critical systems for many other employees, which can have severe implications for that energy utility. In an ideal scenario, passwords to shared accounts should be changed as soon as an employee with access to them is terminated. For many utilities, this is very difficult to accomplish, which is why NERC has given them a 30-day grace period.
This is an area where CyberArk has been working with utilities to eliminate this 30-day threat window when dealing with remote access. CyberArk Privileged Account Security can be a powerful tool in complying with NERC CIP, while also improving a utility’s security posture. Our solution enables a utility to change privileged passwords to shared accounts immediately after an employee is terminated, automatically making the changes without the need to manually update other users of the shared account. This secures the organization against rogue access, while enabling the rest of the company to do their jobs as normal.
Additionally, the remote access requirement laid out in NERC CIP v5 is a stripped-down version of the recommendations made in the organization’s 2011 guidance document, Industry Advisory – Remote Access Guidance. While the new requirements are certainly a good move (remote access must use multi-factor authentication, encryption and an intermediate device), some recommendations were left out. We recommend implementing all the requirements from both documents to be on the safe side, especially the requirement for monitoring and logging all user activity. Again, our Privileged Account Security solution supports the full spectrum of remote access requirements, including those left out of NERC CIP v5.
As the threat to the critical infrastructure industry grows, the NERC standards provide a great starting place for utilities to lock down their systems. But these requirements should be a starting place and not a destination – utilities and other critical infrastructure companies need to take the next step to make sure they’re eliminating as many vulnerabilities as possible. You can get more information on how your organization can lock down shared accounts and control remote access here.