Supply Chain Team Wary of Changing Access Control Terms
The team considering changes to supply chain standards may leave two key definitions in their current form due to scope creep and communication issues.

By Holden Mann

ATLANTA — The drafting team considering changes to supply chain standards may leave two key definitions in their current form due to concerns over scope creep and communication issues.

The definitions relate to electronic access control or monitoring systems (EACMS) and physical access control systems (PACS), which affect NERC reliability standards CIP-013-1 (Cyber Security – Supply Chain Risk Management), CIP-005-6 (Cyber Security – Electronic Security Perimeter(s)) and CIP-010-3 (Cyber Security – Configuration Change Management and Vulnerability Assessments).

NERC initiated Project 2019-03 after FERC directed it last year to develop rules expanding the supply chain protections to include EACMS. (See FERC Finalizes Supply Chain Standards.) The standard authorization request (SAR) also cited the changes recommended in NERC staff’s supply chain risks report in May. (See “Supply Chain Report Recommends Expanding Standards” in NERC Standards News Briefs: May 8-9, 2019.) NERC also requested that the standards drafting team (SDT) consider revising the definition of PACS.


Both definitions apply only to those systems that provide electronic or physical access control to high and medium impact cyber systems. In addition, the definitions would explicitly cover virtual cyber assets, defined as an operating system, firmware or application hosted on shared cyber infrastructure, which are not addressed in the current standard.

In its meeting last week, the SDT discussed a suggestion from FERC earlier this year to split the definition of EACMS. Under the proposed change, the existing term would be replaced by EACS (electronic access control system) and EAMS (electronic access monitoring system). Sharon Koller of American Transmission Co. pointed out that using two terms would allow FERC greater precision when doing further work on the standards and help operators avoid confusion.

“There’s somewhat of a contradiction in the usage of the term, and it causes me to question whether FERC used the term EACMS in the order because it’s the only term that existed, or if in fact FERC intends for this standard to cover all of those things,” Koller said. “I’m a proponent of trying to move forward with the two split terms rather than keeping EACMS on the table, [which] I think … just prolongs the pain for industry.”

However, some SDT members felt accepting the changes now could lead to confusion with other standards teams that rely on the original definitions. Communicating proposals to industry could prove difficult as well, with multiple standards using different terminology that must be explained each time.

Discussion over PACS followed similar lines, with the team debating a suggestion to remove alerting and logging functions from the current definition of PACS. These, along with monitoring functions, would be reclassified as physical access monitoring systems (PAMS).

Here the drafting team was more divided. Some members advocated changing the PACS definition to keep the approach to physical and electronic systems aligned; others noted that, because compromising physical security would also give attackers access to electronic systems, it made sense for one SDT to consider both. On the other side were those who criticized the inclusion of PACS as an unnecessary expansion of the team’s remit that would place an additional burden on members.

“We’re trying to meet this rigorous timeline that FERC suggested, and … it’s not a mature standard yet. We’re trying to understand it and digest it,” said Jason Snodgrass of Georgia Transmission. “You’re trying to get a whole new realm of your corporation to understand [these] standards … I would be on the side of the fence to recommend patience and stick to the FERC directive.”

Despite the deadline of 24 months given in FERC’s October 2018 order, the SDT decided these questions were compelling enough to keep the EACMS and PACS definitions as is for the initial ballot and comment. This is expected to run from late January through early March, though depending on the team’s schedule it may be moved forward by a few weeks. Team members will meet again in person following the conclusion of the ballot to review the responses and decide whether to adopt the suggestions.
