One of our customers (you know who you are, thanks!) made us aware of a new practice guide titled “ERO Enterprise CMEP Practice Guide: Assessment of SVCHOST.EXE”, published exactly two weeks ago today on September 15th, 2020. NERC seldom releases guidance like this, so such guides shouldn’t go unnoticed. According to their website, they have published three such Critical Infrastructure Protection (CIP) specific guides, including this one, since 2017. The CMEP Practice Guides are described as “provid[ing] direction to ERO Enterprise CMEP staff on approaches to carry out compliance monitoring and enforcement activities.” Based on that statement, they should not only be noticed but also not be taken lightly: NERC (North American Electric Reliability Corporation) and the ERO (Electric Reliability Organization) Enterprise adopt these guidance policies and audit according to their language.

Figure 1

The practice guide summarizes the CIP-007-6 R1.1 requirement to establish a process for enabling only those ports on each in-scope asset that are needed for its function, and to provide evidence demonstrating that need. The quality of that evidence is the focus of the guide, specifically regarding a rather important Windows system process called svchost.exe. Svchost.exe is integral to the function of shared service processes: it reduces system resource consumption by hosting several services in one process and doing some of the heavy lifting for port management on their behalf. Therein lies the problem; svchost.exe serves as a host for many services, specifically those implemented as Dynamic Link Libraries (DLLs), and opens whatever ports they need on their behalf. So a port listing shows svchost.exe as the owner, not the service that actually needs the port. Here’s an example from my Windows 10 workstation’s Task Manager Details tab in Figure 1 (click to expand).


As you can clearly see, that is in fact a bunch of svchost.exe processes! There is a much easier way to see what’s behind each of
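As an added example (not code from the post or from NERC's practice guide), the following PowerShell script builds the per-port evidence that CIP-007-6 R1.1 asks for: it lists every listening TCP and UDP port, finds the owning process, and, when that process is svchost.exe, names the service(s) hosted in that process so the port can be tied to a documented function rather than to "svchost.exe". It assumes Windows 8/Server 2012 or later (for the NetTCPIP cmdlets) and an elevated shell so that the owning PID is populated for every socket; the function name and CSV path are my own choices.

```powershell
# Added example, not from the NERC guide or the original post.
# Maps listening ports to the Windows service(s) hosted in the owning process,
# producing per-port evidence for CIP-007-6 R1.1 justification.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.

function Get-ListeningPortEvidence {
    [CmdletBinding()]
    param()

    # Services keyed by process id. Several services share one svchost.exe PID,
    # so each PID maps to a list of service names. Keys are cast to [int] so the
    # UInt32 values from CIM and from the socket cmdlets compare equal.
    $servicesByPid = @{}
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -gt 0 } |
        ForEach-Object {
            $key = [int]$_.ProcessId
            if (-not $servicesByPid.ContainsKey($key)) {
                $servicesByPid[$key] = @()
            }
            $servicesByPid[$key] += $_.Name
        }

    # Listening TCP sockets and bound UDP endpoints, each with its owning PID.
    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{n='Protocol';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{n='Protocol';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

    foreach ($sock in @($tcp) + @($udp)) {
        $proc = Get-Process -Id $sock.OwningProcess -ErrorAction SilentlyContinue
        $procName = if ($proc) { $proc.ProcessName } else { 'unknown' }
        $hosted = $servicesByPid[[int]$sock.OwningProcess]

        [PSCustomObject]@{
            Protocol     = $sock.Protocol
            LocalAddress = $sock.LocalAddress
            LocalPort    = $sock.LocalPort
            PID          = $sock.OwningProcess
            Process      = $procName
            # For svchost.exe this list is what actually justifies the port;
            # for a standalone service it is that service's own name; for a
            # non-service process it is empty, which is itself worth recording.
            Services     = ($hosted -join ', ')
        }
    }
}

# Usage: show svchost.exe-owned ports first, then save the full table as the
# audit record. The output path is a constructed example location.
Get-ListeningPortEvidence |
    Sort-Object @{e={$_.Process -ne 'svchost'}}, Protocol, LocalPort |
    Tee-Object -Variable evidence |
    Format-Table -AutoSize
$evidence | Export-Csv -Path "$env:TEMP\listening-port-evidence.csv" -NoTypeInformation
```

The Services column is the piece that a plain `netstat -ano` listing lacks: a row reading `svchost.exe` with a service list of, say, one named service lets the auditor check that service against the asset's documented baseline, whereas a row with an empty Services column or an `unknown` process (the PID exited between the socket query and the process lookup) should be re-run and investigated rather than accepted as evidence. The same PID-to-service mapping can be eyeballed with the built-in `tasklist /svc`, but the script joins it to the port list in one record.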