NERC Compliance Best Practices for Critical Infrastructure Protection (CIP) v5

Notice: This blog post was originally published on Indeni before its acquisition by BlueCat.

The content reflects the expertise and perspectives of the Indeni team at the time of writing. While some references may be outdated, the insights remain valuable. For the latest updates and solutions, explore the rest of our blog.

We have a number of US-based energy grid operators leveraging indeni’s capabilities to meet the NERC CIP v5 requirements, which will soon be upon us all (April 2016). This blog post details how indeni can help, in an effort to articulate what indeni can do for you as well as what it can’t.

Let’s start with one challenge: a recent letter from the North American Reliability Corporation (NERC) discusses the challenges of categorizing and protecting network devices and externally accessible devices. It starts by identifying the challenge of knowing what devices you have and where they are. This is important: know what you own and what each device is responsible for. To this end, the Inventory Report feature in indeni will help you: at any given moment, you’ll have access to an up-to-date report (in Excel format) that lists the devices you own and auxiliary information pertaining to those devices.

That same letter reinforces the concept that 15 minutes is considered a critical downtime period. That is, a network device that is categorized as a BCA (BES Cyber Asset) and is unavailable for 15 minutes can potentially have a disastrous impact on overall system stability:
“For example, a core network switch in either an Energy Management System (EMS) at a Control Center, or located within a coordinated protection system design at a Transmission station, could be rendered unavailable or have its performance degraded to the point that the EMS or protection system could not perform its expected reliability functions, leading to a condition whereby those systems could adversely affect the reliable operation of the Bulk Electric System in real time. Such a core network switch would meet the definition of a BES Cyber Asset.”

This applies to any switch, router, firewall, load balancer or other network device. That includes Check Point, Cisco, Fortinet, Juniper and Palo Alto Networks firewalls, and it also includes F5 load balancers. All of these are squarely within indeni’s expertise.

To drastically reduce downtime occurrences, operators must deploy a system that can anticipate issues before they occur and provide early warning. That is exactly what indeni’s core functionality includes. With indeni, operators are already staying on top of the network configuration and are averting up to 90% of their sev-one issues.

In a separate document, NERC lists the challenges energy grid operators encountered while implementing the requirements under CIP v5. Here, one of the items is “Implementing solutions for new inventory and change management requirements” (which is CIP-010-1). It was even listed as a “high interest” item.


We’ve discussed the inventory challenge, but what about change management? How do you ensure that:

  • The right users are configured on your network devices?
  • The TCP/UDP ports that are open on your network devices are the right ones?
  • The ports used on your switches are configured correctly (those that should be up are up, and those that should be down are down)?
  • DNS, NTP, and similar settings are configured correctly and consistently?
  • The correct operating system and software is being used? Even the specific hotfixes?

indeni’s Configuration Checks feature helps you here, in conjunction with the Inventory Report feature. With indeni, you’ll be able to ensure your configurations match the requirements. If they don’t, you’ll get an alert indicating the misconfigured device and what the configuration should be. Specifically, indeni will help you meet these requirements (copied from CIP-010-1):

Develop a baseline configuration, individually or by group, which shall include the following items:

1.1.1. Operating system(s) (including version) or firmware where no independent operating system exists;
1.1.4. Any logical network accessible ports; and
1.1.5. Any security patches applied.

Monitor at least once every 35 calendar days for changes to the baseline configuration (as described in Requirement R1, Part 1.1). Document and investigate detected unauthorized changes.
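As an added illustration (not indeni’s code or any NERC-published tool), the Python sketch below compares a constructed device snapshot against an approved baseline covering the CIP-010-1 R1.1 items above plus the users and NTP/DNS settings from the checklist, and checks the 35-calendar-day monitoring cadence from R2. All device values are constructed sample data.

```python
from datetime import date

# CIP-010-1 R2: monitor for baseline changes at least once every 35 calendar days.
MAX_MONITOR_INTERVAL_DAYS = 35

# Constructed approved baseline for a device group (sample data, not from any real device).
# Items follow CIP-010-1 R1.1: OS/firmware version (1.1.1), logical network-accessible
# ports (1.1.4), security patches (1.1.5), plus the users and NTP/DNS settings the post lists.
BASELINE = {
    "os_version": "15.2(4)E",
    "open_ports": {22, 161, 443},          # SSH, SNMP, HTTPS only
    "patches": {"PATCH-0001", "PATCH-0002"},
    "users": {"netadmin", "readonly"},
    "ntp_servers": {"10.0.0.10"},
    "dns_servers": {"10.0.0.53"},
}

# Constructed current snapshot with three deviations from the baseline.
SNAPSHOT = {
    "os_version": "15.2(4)E",
    "open_ports": {22, 23, 161, 443},      # port 23 is newly listening
    "patches": {"PATCH-0001"},             # PATCH-0002 is missing
    "users": {"netadmin", "readonly", "tmpuser"},
    "ntp_servers": {"10.0.0.10"},
    "dns_servers": {"10.0.0.53"},
}

def diff_baseline(baseline, snapshot):
    """Return (item, kind, value) findings where the snapshot deviates from the baseline.

    Scalar items are compared for equality; set items report every element added to
    or missing from the approved set, so each alert names the deviation and the
    expected state, which is what R2.1 asks you to document and investigate.
    """
    findings = []
    for item, expected in baseline.items():
        actual = snapshot.get(item)
        if isinstance(expected, set):
            actual = actual or set()
            findings += [(item, "unexpected", v) for v in sorted(actual - expected)]
            findings += [(item, "missing", v) for v in sorted(expected - actual)]
        elif actual != expected:
            findings.append((item, "changed", f"{actual} (expected {expected})"))
    return findings

def monitoring_overdue(last_checked_iso, today_iso):
    """True when more than 35 calendar days have passed since the last baseline check."""
    elapsed = date.fromisoformat(today_iso) - date.fromisoformat(last_checked_iso)
    return elapsed.days > MAX_MONITOR_INTERVAL_DAYS
```

Each finding maps directly to a documented, investigable change under R2.1; a device with no findings and a check within the 35-day window is in the state the requirement expects.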

The bottom line here is that you’re not alone. Ensuring compliance with NERC CIP v5 is challenging and you will need to document new processes and roll out new solutions and functionality. We’re here for you to ensure you meet the deadline and pass with flying colors.


See what else Indeni can do for you to maintain your infrastructure in compliance.
