Overview
Developing secure Industrial Control Systems (ICS) is challenging for any Industry Infrastructure. The software platform offers features, tools, and configurations to help the NERC-CIP security compliance.
On this page:
Industrial Controls Systems and Security Standards
As Industrial Control Systems (ICS) move away from proprietary technologies and towards more standardized and open solutions, along with the growing number of connections between SCADA systems and office networks, Internet access increases the risk of cyber attacks.
There are many resources available now to help critical infrastructure SCADA systems enhance their security. For example, the standard ISA99 – Industrial Automation and Control Systems Security, establishes best practices, technical reports, and related information to define procedures for implementing and assessing electronically secure systems. Compliance with this standard can improve manufacturing and control system electronic security, help identify and address vulnerabilities, and reduce the risk of compromised confidential information and system degradation.
Additionally, government regulations are evolving to secure critical infrastructure industries. The North American Electric Reliability Corporation (NERC) – Critical Infrastructure Protection (CIP) standard, known as NERC-CIP, represents a significant effort in influencing government policy.
This standard has its roots in the Electricity Modernization Act – which is part of the US Energy Policy Act of 2005. Within the Energy Policy Act of 2005, there is a section which dictates that the NERC-CIP standard requires all power plants and electric utility facilities to develop new cyber security systems and procedures in accordance with a 3-year implementation plan.
NERC-CIP Security
There are eight different CIP standards covering everything from Security Management Control and Critical Cyber Assets, to Incident Reporting and Recovery Plans. Each one of the eight standards defines a series of specific requirements. The standards are:
CIP-002-1: Critical Cyber Asset Identification
CIP-003-1: Security Management Controls
CIP-004-1: Personnel and Training
CIP-005-1: Electronic Security Perimeter
CIP-006-1: Physical Security of Critical Cyber Assets
CIP-007-1: Systems Security Management
Several features can be enabled or configured on the software platform to help achieve better system security. The basic procedures are:
Enable software platform Domain user control with Windows Active Directory;
The software platform is CFR 21 Part11 compliant. All features described in this rule must be enabled/configured.
Enable (Native TCP/IP protocol) communication compression;
Enable Solution Cryptography (password protection);
Enable Tracing options;
Working alongside software platform, data can be stored using compression and cryptography techniques inside Microsoft SQL, avoiding data replacement.
Integration with other tools to provide auto backup and disaster recovery tools can also be used;
Choose a tested/certified Anti-Virus and system environment application control.
Requirement | NERC-CIP Standard | Solution |
User Access | CIP-004 CIP-005 CIP-007 | Integration with Microsoft Active Directory
|
Access Control | CIP-003 CIP-004 CIP-005 | Internal control and assignment of permissions (Displays, Alarms, Server Actions). User Administration features. |
Electronic Security Perimeter | CIP-003 CIP-005 CIP-007 | Port data paths configurable. Integration with Intrusion Detection/Control Systems (IDS/ICS) |
Logging of Access and Usage | CIP-003 CIP-004 CIP-007 CIP-008 | Electronic Signatures; Built-in Tracking and Event Monitoring; Audit Trail Database; User-Defined Log Entries for specific actions or unactions. |
Workforce Management | CIP-004 CIP-007 | User rights revocable by Administrator or through Microsoft Active Directory. |
Security Software Management | CIP-007 | Solution cryptography; Native features for solution management like Application Control and Policy Orchestrator. |
Alerts and Notifications | CIP-005 CIP-007 CIP-008 | Log and Trace of any kind of access and actions; Can send notifications in forms, like SMS, Email, SNMP, WebServices, other protocol messages, etc. |
Recovery Plans | CIP-009 | Auto-Backup, native versioning solution; Use Server redundancy (hot – standby); Usage of RAID disks. |