
NERC CIP – Stronger, Easier

The NERC CIP standards specify cybersecurity measures required in the North American Bulk Electric System (BES) for grid control centers, large power plants and high-voltage substations. The standards are also used as guidance by many other stakeholders, even in other industries, around the world. A problem with the standards, however, is that they are written in abstract language that is difficult to interpret. For example, the standards effectively forbid OT systems from using IT Active Directory forests, and strongly encourage the use of Unidirectional Gateways – but neither the words “Active Directory” nor “Unidirectional Gateway” appear anywhere in the standards.

This is unfortunate, because Unidirectional Gateways really do strengthen and simplify NERC CIP security and compliance programs. Unidirectional Gateways are used routinely at the IT/OT interface in power plants – providing OT data to IT users and applications, with no risk at all of cyber attacks “leaking” through the gateways back into protected networks. Unidirectional Gateway technology is currently deployed to protect roughly 1/3 of the power produced in the North American grid. Unidirectional Gateways are also used to protect inter-utility ICCP connections in Balancing Authorities (BAs) and Transmission System Operators (TSOs). And the gateways are starting to be used to protect sub-networks of protective relays in power plants and high-voltage substations.

NERC CIP Standards Subject to Enforcement

| Number | Title | Specifies |
| --- | --- | --- |
| CIP-002 | BES Cyber System Categorization | Which kinds of computer systems must use which rules |
| CIP-003 | Security Management Controls | How a CIP program must be documented |
| CIP-004 | Personnel & Training | Background checks, training programs, etc. |
| CIP-005 | Electronic Security Perimeters | Network segmentation & remote access rules |
| CIP-006 | Physical Security of BES Cyber Systems | Physical security for areas containing CIP-covered systems |
| CIP-007 | Systems Security Management | Anti-virus, security updates & other host-based measures |
| CIP-008 | Incident Reporting and Response Planning | Security incident response rules |
| CIP-009 | Recovery Plans for BES Cyber Systems | Backups & related measures |
| CIP-010 | Configuration Change Management & Vulnerability Assessments | Planning for, documenting, & testing changes + periodic assessments |
| CIP-011 | Information Protection | Rules for protecting design information, erasing systems before disposal, etc. |
| CIP-012 | Communications Between Control Centers | Encrypted communications between grid control centers |
| CIP-013 | Supply Chain Risk Management | Supplier risk assessments & related measures |
| CIP-014 | Physical Security | Physical security measures for high-voltage substations |

NERC CIP Unidirectional Exemptions

NERC CIP standards recognize that Unidirectional Gateways are stronger than firewalls and in fact provide engineering-grade protection to industrial operations, rather than only IT-grade protection.
The standards express this recognition by providing exemptions from 37 requirements for unidirectionally-protected BES Cyber Systems – 37 out of the roughly 125 requirements in the standards family. It is unfortunate that, while the CIP drafting team clearly understood the benefits of using Unidirectional Gateways, their abstract language makes it difficult for readers of the standard to understand these same benefits.

The resources on this page are provided in hopes of clarifying the role of Unidirectional Gateways in simplifying and reducing the cost of strong NERC CIP security and compliance programs.


Read more about NERC CIP

Blog

NERC CIP Tricky Bits – Active Directory Servers

NERC CIP is written in an abstract language – independent of technologies and network designs. Interpreting the standard for specific technologies and networks can be tricky. In this article, we look at one of the tricky bits in the standard: mixed-trust Active Directory servers.

Press Releases

Waterfall Security and FireEye Partner to Secure Industrial Control Systems (ICS)

Waterfall’s Unidirectional CloudConnect® provides secure and easy integration of industrial networks with FireEye’s Threat Analytics Cloud Platform

Rosh HaAyin, Israel – July 20, 2017 – Waterfall Security Solutions, a global leader in cybersecurity technologies for critical infrastructure and industrial control systems, today announced a global partnership with FireEye Inc., the intelligence-led security company, to integrate the FireEye cloud-based Threat Analytics Platform (TAP) with industrial networks using Waterfall’s Unidirectional CloudConnect. This joint solution enables FireEye customers to monitor and protect their ICS networks using the market-leading, cloud-based Helix service, while eliminating the threat of remote cyberattacks entering the monitored ICS environment. Industrial businesses
