Thursday, April 6, 2017

VoIP Phones, BES Cyber Asset or not?

Over at the WICF forum, there's an older discussion on the inclusion of VoIP phones as NERC CIP-applicable Cyber Assets.

Folks keep trying to differentiate between VoIP and POTS (Plain Old Telephone System) analog lines. Here's a newsflash:
A PBX (Private Branch Exchange) system is certainly a programmable electronic device, whether it is VoIP or analog. Even the majority of analog PBXs can be administered remotely via Telnet or similar protocols. Unless the Responsible Entity's analog phone lines are local loops supplied directly by the Telco, it does have a programmable device in its voice system. Even then, the Telco switch is programmable, but it would fall under the communications system exemption because the RE has no control over it.

Here's the problem: a VoIP phone does have an OS/firmware that can be updated, including with a hacked copy. It's a simple TFTP operation. It has a configuration that can be modified by the administrator and, to a certain extent, by the end user. So do smart cell phones (I've used a jailbreak to hack my own phone in the past) and even some relatively dumb cell phones.

What it probably doesn't have is the ability to directly affect the BES, as long as it is not placed inside an ESP that has zero internal technical controls (legacy philosophy alert: hard crunchy shell around a soft gooey center), which is the minimum acceptable solution at the moment. This could really be a fine example of a situation where short-sighted compliance actually reduces security, by forcing you to include VoIP systems inside your trusted perimeter rather than keeping them properly segregated as they should be.

The current comment form on Virtualization is trying to address similar issues. The definition of Cyber Asset is up for discussion. It's also asking specifically whether the CIP-005-5 ESP Requirements are adequate to address isolation in a virtualized world, so the parallel may not be obvious, but many of the risks identified for virtualization go unaddressed in their nearly identical form for physical Cyber Assets.

Bringing in the concept of security zones and granular internal technical controls applied to Applicable Cyber Systems by grouped risk or impact rating has a lot more implications than just for virtual Cyber Assets.

8 comments:

  1. Your post is very nice; it helped me gather important and new information on OT ICS. Thanks for sharing the information.

  2. Thank you so much for the information. It was really good to know about VoIP phones. I have read a few similar blogs related to this and found it really good to know about VoIP Phones West Palm Beach FL, which would make your blog more informative and enhance your knowledge. Keep up the good work.

  3. You should be careful while choosing your VoIP providers. There are various fake providers in the market who mislead you and drag you towards the wrong services.

  4. Need a quality yet affordable provider of VoIP service in New York City? Legacy VoIP is one of the best options, promoting various facets of VoIP and SIP capabilities. Get in touch with us today: SIP trunks USA, (+) (240) 575-6890

    VoIP service provider Chicago

  5. Need a quality yet affordable provider of VoIP service in New York City? Legacy VoIP is one of the best options, promoting various facets of VoIP and SIP capabilities. Get in touch with us today: SIP trunks USA, (+) (240) 575-6890

    IT business support Long Island

  6. Nice blog!!
    Thank you for telling us about VoIP systems. If you want to know more about VoIP phones, then click on the given URL.

  7. Dasscom provides quality call center headsets in Bangalore for a better experience in serving callers. A call center centralizes the administration of incoming product or service support from consumers.
