In June 2006, the North American Electric Reliability Council (NERC) standards for Critical Infrastructure Protection (CIP) — Cyber Security 1 were adopted. The roots of these standards can be traced back to the U.S. Energy Policy Act of 2005. In January 2008, the Federal Energy Regulatory Commission (FERC) approved these standards and directed that NERC should enhance and revise them going forward through the NERC standards-making process. Accordingly, in March 2008, NERC began the process of revising the standards in order to comply with FERC’s 706 directives. Currently, the NERC CIP standards do not apply to facilities regulated by the U.S. Nuclear Regulatory Commission or the Canadian Nuclear Safety Commission.
The NERC standards discussed in this article are those specifically referring to cyber security, standard CIP – 005 (Cyber Security for Electronic Security Perimeters) and standard CIP – 007 (Cyber Security for Systems Security Management). The goal of this article is to offer a practical approach to meeting these requirements for facilities’ electric generating units determined to be critical assets with critical cyber assets (CCAs).
Overall, the NERC standards require that CCAs must be protected with an electronic security perimeter (ESP) and a six-walled physical security perimeter (PSP). Noncritical cyber assets within an ESP must receive the same protection under the standards as a CCA.
Standards CIP-005 and CIP-007
As previously stated, the CIP-005 standard requires establishing and documenting an ESP around CCAs, including certain other cyber assets, and the identification of communication penetrations through the perimeter. External access to the cyber assets within the ESP must be controlled, monitored, and logged 24/7 for both routable protocol and dial-up communications.
Where possible, a security-monitoring process is required to detect and alert for attempts at or actual unauthorized access. Where this is not technically feasible, access log review is required at least every 90 days. Note that communication through the ESP using a nonroutable protocol or dedicated telephone lines that are not dial-up accessible does not require monitoring under the standards.
The CIP-007-4 standard requires protection of critical cyber assets, including certain other cyber assets within the ESP (Figure 1).
1. Lacking cyber safeguards. This diagram shows a critical asset’s control system interconnected with an outside LAN/WAN environmental prior to implementation of the NERC CIP cyber security standards requirements. Courtesy: Industrial Defender
The protection requirements include, as a minimum:
-
Limiting the Internet protocol (IP) ports and services to only those necessary for operations.
-
Malicious software detection/prevention.
-
Account management controls.
-
Security status monitoring.
-
Security patch management.
Email
Comments
Print
Reuse
Comments (1)