Overview

Developing secure Industrial Control Systems (ICS) is a challenge for any industry infrastructure. The software platform offers features, tools, and configurations to help with the NERC-CIP compliance process. Originating from the US Energy Policy Act of 2005, NERC-CIP provides guidelines, requirements, and procedures to ensure the reliability and security of the bulk power system. It addresses cyber-attack risks, system protection, and vulnerability management. The standards aim to secure confidential information and system integrity, and the software platform includes features and tools to help organizations comply with NERC-CIP security requirements.


NERC-CIP

Security

Ensuring cyber security in control systems may initially seem daunting as it requires a commitment from the entire organization. Upper management needs to recognize the numerous benefits of a secure SCADA system. These advantages include ensuring system uptime, reliability and availability. Implementing good cyber security is smart business because a secure system is a trusted system, and customer retention and loyalty is built around trust. Vendors, system integrators, IT, and control engineers all share this responsibility.

There are many resources available now to help critical infrastructure SCADA systems enhance their security. For example, the standard ISA99 – Industrial Automation and Control Systems Security, establishes best practices, technical reports, and related information to define procedures for implementing and assessing electronically secure systems. Compliance with this standard can improve manufacturing and control system electronic security, help identify and address vulnerabilities, and reduce the risk of compromised confidential information and system degradation.

Government regulations also exist and continue to evolve to secure critical infrastructure industries. The most ambitious one for influencing government policy is the non-profit North American Electric Reliability Corporation (NERC) – Critical Infrastructure Protection (CIP) standard. Known as NERC-CIP, this standard has its roots in the Electricity Modernization Act, which is part of the US Energy Policy Act of 2005. A section of the Energy Policy Act of 2005 dictates that the NERC-CIP standard requires all power plants and electric utility facilities to develop new cyber security systems and procedures in accordance with a 3-year implementation plan. There are eight different CIP standards covering everything from Security Management Control and Critical Cyber Assets to Incident Reporting and Recovery Plans. Each of the eight standards defines a series of specific requirements. The standards are:

CIP-002-1: Critical Cyber Asset Identification

CIP-003-1: Security Management Controls

Requirements References

NERC Standards CIP-002 through CIP-009 provide a cybersecurity framework for identifying and protecting Critical Cyber Assets to support the reliable operation of the Bulk Electric System. There are eight different CIP standards, each defining specific requirements:

NERC-CIP Standard | Requirement | Description

CIP-002-1: Critical Cyber Asset Identification

Requires identifying and documenting Critical Cyber Assets essential for the Bulk Electric System's operation.

R1. Critical Asset Identification Method

Develop and document a methodology based on risk assessment to identify Critical Assets.

R2. Critical Asset Identification

Create and annually update a list of Critical Assets, derived using the risk assessment method from R1, with regular reviews and necessary updates.

R3. Critical Cyber Asset Identification

Based on the Critical Assets list from R2, compile a list of Critical Cyber Assets for the functioning of each Critical Asset.

CIP-003-1: Security Management Controls

Requires Responsible Entities to implement security controls to protect Critical Cyber Assets.

R1. Cyber Security Policy

Create and enforce a cyber security policy that reflects the organization's commitment to securing Critical Cyber Assets.

R2. Leadership

Appoint a senior manager to oversee and ensure compliance with Standards CIP-002 to CIP-009.

R3. Exceptions

Record any deviations from the cyber security policy as exceptions, with authorization from a senior manager or their delegate.

R4. Information Protection

Establish a program to identify, categorize, and safeguard information linked to Critical Cyber Assets.

R5. Access Control

Develop and implement a program to control access to information associated with Critical Cyber Assets.

R6. Change Control and Configuration Management

Set up and document a process for change control and configuration management, addressing all changes to hardware and software of Critical Cyber Assets, in line with the established change control procedures.

CIP-004-1: Personnel and Training

Requires personnel with access to Critical Cyber Assets, including contractors, to undergo risk assessment, training, and security awareness.

R1. Awareness

Develop, document, and maintain a program to continually enhance the security awareness of personnel with authorized access to Critical Cyber Assets.

R2. Training

Implement and document an annual training program on cyber security for staff with authorized access to Critical Cyber Assets, reviewing and updating it as needed.

R3. Personnel Risk Assessment

Maintain a documented program to assess the risk posed by personnel with authorized access, in compliance with relevant legal and union agreements.

R4. Access

Keep updated lists of individuals with authorized access to Critical Cyber Assets, including details of their specific electronic and physical access privileges.

CIP-005-1: Electronic Security Perimeter

Requires protecting Electronic Security Perimeters and their access points where Critical Cyber Assets are located.

R1. Electronic Security Perimeter

The Responsible Entity shall ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter.

R2. Electronic Access Controls

The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s).

R3. Monitoring Electronic Access

The Responsible Entity shall implement and document an electronic or manual process(es) for monitoring and logging access at access points to the Electronic Security Perimeter(s) twenty-four hours a day, seven days a week.

R4. Cyber Vulnerability Assessment

The Responsible Entity shall perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually.

R5. Documentation Review and Maintenance

The Responsible Entity shall review, update, and maintain all documentation to support compliance with the requirements of Standard CIP-005.

CIP-006-1: Physical Security of Critical Cyber Assets

Requires establishing a physical security program for Critical Cyber Assets.

R1. Physical Security Plan

Create and regularly update a physical security plan, ensuring senior management approval and addressing key security aspects.

R2. Physical Access Controls

Document and enforce operational controls to manage physical access at every entry point to secure areas, ensuring 24/7 operation.

R3. Monitoring Physical Access

Monitor all access points to secure areas round the clock, promptly reviewing and managing any unauthorized access attempts.

R4. Logging Physical Access

Log every instance of physical access, including unauthorized attempts, and monitor them consistently, following specified breach protocols.

R5. Access Log Retention

Retain all physical access logs for at least 90 days, and preserve logs concerning major incidents as per Standard CIP-008 requirements.

R6. Maintenance and Testing

Conduct regular maintenance and testing of all physical security systems, especially those related to access control, monitoring, and logging, to ensure their functionality.

CIP-007-1: Systems Security Management

Requires defining security procedures for Critical and non-critical Cyber Assets within Electronic Security Perimeters.

R1. Test Procedures

Ensure new and modified Cyber Assets within the Electronic Security Perimeter don't compromise existing cybersecurity controls.

R2. Ports and Services

Develop and maintain a process to enable only essential ports and services for normal and emergency operations.

R3. Security Patch Management

Establish a program for managing cybersecurity software patches, covering tracking, evaluating, testing, and installing patches for all Cyber Assets.

R4. Malicious Software Prevention

Implement anti-virus and malware prevention tools to protect all Cyber Assets within the Electronic Security Perimeter, where possible.

R5. Account Management

Set up technical and procedural controls for user access authentication and accountability, minimizing unauthorized access risks.

R6. Security Status Monitoring

Utilize automated tools or organizational processes to monitor cybersecurity-related system events for all Cyber Assets.

R7. Disposal or Redeployment

Define formal methods for the disposal or redeployment of Cyber Assets within the Electronic Security Perimeter, as per CIP-005 standards.

R8. Cyber Vulnerability Assessment

Conduct an annual cyber vulnerability assessment for all Cyber Assets within the Electronic Security Perimeter.

R9. Documentation Review and Maintenance

Regularly review and update cybersecurity documentation annually, documenting any system or control modifications within 90 days.

CIP-008-1: Incident Reporting and Response Planning

Requires managing Cyber Security Incidents involving Critical Cyber Assets, including identification, classification, response, and reporting.

R1. Cyber Security Incident Response Plan 

Create and regularly update a plan to respond to cyber security incidents, ensuring it covers essential response strategies and procedures.

R2. Cyber Security Incident Documentation

Maintain detailed records of all cyber security incidents for a period of three years.

CIP-009-1: Recovery Plans for Critical Cyber Assets

Requires recovery plans for Critical Cyber Assets aligned with business continuity and disaster recovery practices.

R1. Recovery Plans 

Develop and conduct annual reviews of recovery plans for Critical Cyber Assets, ensuring they address key recovery strategies.

R2. Exercises 

Perform at least one exercise each year to test the recovery plans, ranging from simple drills to full operational tests or actual incident recoveries.

R3. Change Control 

Revise recovery plans to reflect any new changes or insights gained from exercises or actual incident recoveries, and communicate these updates to relevant personnel within 90 days.

R4. Backup and Restore 

Ensure recovery plans contain detailed processes for backing up and storing information critical for restoring Critical Cyber Assets, including spare parts, configuration settings, and tape backups.

R5. Testing Backup Media 

Annually test backup media containing essential recovery information to verify its availability and effectiveness, with the option to perform tests offsite.



NERC-CIP Measures References

NERC Standard | Measures

CIP-002-1

Document the risk-based assessment methodology, compile and maintain a list of Critical Assets, create a list of Critical Cyber Assets, and keep records of annual approvals for Standard CIP-002-1 compliance. Regular updates to this documentation ensure adherence to the standard.

CIP-003-1

Document the cyber security policy, assign and record leadership roles, detail exceptions to the cyber security policy, implement and document an information protection program, manage and record access control processes, and maintain change control and configuration management documentation for Standard CIP-003-1 compliance.

CIP-004-1

Maintain documentation of security awareness programs, keep records of cyber security training programs, document personnel risk assessment procedures, and update lists of personnel with authorized access for Standard CIP-004-1 compliance. 

CIP-005-1

Document Electronic Security Perimeters, implement and record electronic access controls, monitor and log electronic access, conduct and document annual vulnerability assessments, and maintain access logs for Standard CIP-005-1 compliance.

CIP-006-1

Document the physical security plan, control physical access methods, monitor and log physical access, retain access logs, and maintain documentation for physical security measure testing for Standard CIP-006-1 compliance.

CIP-007-1

Document security test procedures, record port and service management, maintain a security patch management program, document malware prevention efforts, manage user accounts, monitor security status, and handle disposal or redeployment of Cyber Assets for Standard CIP-007-1 compliance. 

CIP-008-1

Maintain a Cyber Security Incident response plan and document the plan's reviews, updates, and testing processes for Standard CIP-008-1 compliance. Regular management of this plan is key to preparedness and effective response to cyber security incidents.

CIP-009-1

Document recovery plans, record recovery exercises, update and document changes to recovery plans, document backup and storage processes, and test and document backup media for Standard CIP-009-1 compliance.


Native Security Support

The platform offers native features, advanced tools, and support for third-party integration, which helps to implement NERC-CIP security requirements.

CIP-004-1: Personnel and Training

CIP-005-1: Electronic Security Perimeter

CIP-006-1: Physical Security of Critical Cyber Assets

CIP-007-1: Systems Security Management

CIP-008-1: Incident Reporting and Response Planning

CIP-009-1: Recovery Plans for Critical Cyber Assets

Security Measures For NERC Compliance

Several features can be enabled or configured on the software platform to help achieve better system security. The basic procedures are:

  • Enable software platform Domain user control with Windows Active Directory;

  • FrameworX is CFR 21 Part 11 compliant. All features described in this rule must be enabled/configured;

  • Enable (Native TCP/IP protocol) communication compression;

  • Enable Project Cryptography (password protection);

  • Enable Tracing options;

  • Working alongside the software platform, data can be stored using compression and cryptography techniques inside Microsoft SQL, avoiding data replacement;

  • Integration with other tools to provide auto backup and disaster recovery can also be used;

  • Choose a tested/certified Anti-Virus and system environment application control.

Requirement

NERC-CIP Standard

Solution

User Access

CIP-004
CIP-005
CIP-007

NERC-CIP Standard Reference

Requirements

Native security support

CIP-003

CIP-004

CIP-005

CIP-006

CIP-007

Access Control

Access

Electronic Access Controls

Monitoring Electronic Access

Account Management

Security Status Monitoring

User Administration features;

User rights are revocable by the Administrator or through Microsoft Active Directory;

Internal control and assignment of permissions (Displays, Alarms, Scripts)

Electronic Signatures (E-Sign);

Native features for solution management like Runtime Users and Policy Orchestrator.

Integration with Microsoft Active Directory.
If AD integration is disabled, the software platform provides:

  • Strong Passwords;

  • Password expiration control;

  • Inactivity auto-logoff;

  • Block/Unblock login after a sequence of wrong tries.

Access Control

CIP-003

CIP-004

CIP-005

CIP-007

Internal control and assignment of permissions (Screens, Alarms, Server Actions);
User Administration features.

Electronic Security Perimeter

CIP-003
CIP-005
CIP-007

Integration with Intrusion Detection/Control Systems

Ports and Services

Port data paths configurable;
Integration with third-party security systems (IDS/ICS) regarding Intrusion Detection and Control Systems. Ex: SNORT

Logging of Access and Usage

CIP-003

CIP-004

CIP-005

CIP-006

CIP-007

CIP-008

Electronic Signatures;

Change Control and Configuration Management

Native Tracking and Event Monitoring;

Native Audit Trail Database;

User-Defined Custom Log Entries for specific actions or inactions.

Workforce Management

CIP-004
CIP-007

User rights revocable by Administrator or through Microsoft Active Directory.

Security Software Management

CIP-007

Project cryptography;
Integration with software management solutions like McAfee Application Control / Policy Orchestrator.

Native tool for versioning solution;

CIP-005

CIP-007

CIP-008

Alerts and Notifications

Log and Trace of any kind of access and actions;
Send notifications using different methods: SMS, Email, SNMP, WebServices, other protocol messages, etc.

Recovery Plans

CIP-009

Backup and Restore

Native feature for Auto-Backup, integration with versioning software like Subversion or SVN;
Use Server redundancy (hot-standby);
Usage of RAID disks;
Native support for Redundancy (hot-standby).

