Thursday, April 6, 2017

VoIP Phones, BES Cyber Asset or not?

Over at the WICF forum, there's an older discussion on inclusion of VoIP phones as a NERC CIP-applicable Cyber Assets.

Folks keep trying to differentiate between VoIP and POTS (Plain Old Telephone System) analog lines. Here's a newsflash:

A PBX (Private Branch Exchange) system is certainly a programmable electronic device, whether it is VoIP or Analog. Even the majority of Analog PBXs have the ability to be administered remotely via Telnet or similar protocols. Unless the Responsible Entity has analog phone lines that are directly-supplied local loops from the Telco, they do have a programmable device in their voice system. Even then, the Telco switch is programmable, but would fall under a communications system exemption due to the RE not having control over it.

Here's the problem, a VoIP phone does have an OS/firmware that can be updated, including with a hacked copy. It's a simple TFTP operation. It has a configuration that can be modified by the administrator and to a certain extent by the end user. So do smart cell phones (I've used a jail-break to hack my own phone in the past) and even some relatively dumb cell phones.

What it probably doesn't have is the ability to directly affect the BES as long as it is not included inside an ESP with zero internal technical controls (legacy philosophy alert: hard crunchy shell around soft gooey center) that is the minimum acceptable solution at the moment. This could really be a fine example of a situation where short-sighted compliance actually reduces security by forcing you to include VoIP systems inside your trusted perimeter rather than keeping them properly segregated as they should be.

The current comment form on Virtualization is trying to address similar issues. The definition of Cyber Asset is up for discussion. It's also asking specifically whether CIP-005-5 ESP Requirements are adequate to address isolation in a virtualized world, so the parallel may not be obvious, but many of the risks identified for virtualization are unaddressed for nearly-identical risks that apply to physical Cyber Assets.

Bringing in the concept of security zones and granular internal technical controls applied to Applicable Cyber Systems by grouped risk or impact rating has a lot more implications than just for virtual Cyber Assets.


  1. Your post is very nice, it helped me to gather important and new information on OT ICS. Thanks for sharing information