NERC Compliance Best Practices for Critical Infrastructure Protection (CIP) v5
Notice: This blog post was originally published on Indeni before its acquisition by BlueCat.
The content reflects the expertise and perspectives of the Indeni team at the time of writing. While some references may be outdated, the insights remain valuable. For the latest updates and solutions, explore the rest of our blog
This article explains how indeni helps US-based energy grid operators meet NERC CIP v5 requirements by solving inventory and change-management challenges that affect operational reliability. It describes the need to accurately know what devices exist, where they are, and their configurations because a BES Cyber Asset being unavailable for 15 minutes can critically impact bulk electric system stability; indeni provides an Inventory Report (Excel) and Configuration Checks to address these needs. The outcome described is reduced downtime through early warning and prevention (averting up to 90% of sev-one issues) and practical support to develop baselines, monitor changes, and document compliance for CIP-010-1 requirements.
What inventory capabilities does indeni provide to help meet NERC CIP v5 requirements?
indeni provides an Inventory Report feature that produces an up-to-date Excel report listing the network devices you own and auxiliary information about those devices. This inventory helps operators know what devices exist and where they are, which is a core challenge identified by NERC for device categorization and protection. Maintaining a current inventory supports CIP requirements around tracking assets and is a foundation for developing baseline configurations and monitoring changes under CIP-010-1.
How does indeni address change management and baseline configuration requirements in CIP-010-1?
indeni’s Configuration Checks work together with the Inventory Report to help develop and enforce baseline configurations individually or by group. The checks validate items called out in CIP-010-1 such as operating system or firmware versions, logical network-accessible ports, and applied security patches. indeni monitors configurations (consistent with the expectation to check at least once every 35 calendar days), alerts on deviations, and indicates which devices are misconfigured and what the configuration should be, enabling documentation and investigation of unauthorized changes.
What operational benefits does indeni claim for energy grid operators facing the April 2016 CIP v5 deadline?
The article states that indeni’s core functionality provides early warning and problem anticipation to drastically reduce downtime occurrences, helping operators avert up to 90% of sev-one incidents. This proactive monitoring and configuration validation is intended to prevent conditions where a BES Cyber Asset (for example a core switch, router, firewall, or load balancer) is unavailable or degraded for 15 minutes—a period NERC identifies as potentially disastrous to system stability. indeni also aids in documenting processes and rolling out solutions needed to meet the CIP v5 compliance deadline.
We have a number of US-based energy grid operators that are leveraging indeni’s capabilities to meet the NERC CIP v5 requirements, that are soon to be upon us all (April 2016). This blog post details how indeni can help in an effort to articulate what indeni can do for you, as well as what it can’t.
Let’s start with one challenge: a recent letter from the North American Reliability Corporation (NERC) discusses the challenges of categorization and protection of network devices and externally accessible devices. It starts with identifying the challenge of knowing what devices you have and where. This is important – keep track of what you own and its responsibilities. To this end, the Inventory Report feature in indeni will help you: at any given moment, you’ll have access to an up-to-date report (in Excel format) that will list the devices you own and auxiliary information pertaining to those devices.
That same letter re-enforces the concept that 15 minutes are considered as a critical downtime period. That is – a network device that is categorized as BCA (BES Cyber Asset) and is unavailable for 15 minutes can potentially have a disastrous impact on overall system stability:
“For example, a core network switch in either an Energy Management System (EMS) at a Control Center, or located within a coordinated protection system design at a Transmission station, could be rendered unavailable or have its performance degraded to the point that the EMS or protection system could not perform its expected reliability functions, leading to a condition whereby those systems could adversely affect the reliable operation of the Bulk Electric System in real time. Such a core network switch would meet the definition of a BES Cyber Asset.”
Switch, router, firewall, load balancer or any other network device. That includes Check Point, Cisco, Fortinet, Juniper and Palo Alto Networks firewalls. That also includes F5 load balancers. All squarely within indeni’s expertise.
To drastically reduce downtime occurrences, operators must deploy a system that can anticipate issues before they occur and provide early warning. That is exactly what indeni’s core functionality includes. With indeni, operators are already staying on top of the network configuration and are averting up to 90% of their sev-one issues.
In a separate document, NERC lists the challenges energy grid operators encountered on their way to implement the requirements under CIP v5. Here, one of the items is “Implementing solutions for new inventory and change management requirements” (which is CIP‐010‐1). It was even listed as a “high interest” item.

We’ve discussed the inventory challenge, but what about change management? How do you ensure that:
- The right users are configured on your network devices?
- The TCP/UDP ports that are open on your network devices are the right ones?
- The ports used on your switches are configured correctly (those that should be up are up, and those that should be down are down)?
- That DNS, NTP, and similar settings are done correctly and consistently?
- The correct operating system and software is being used? Even the specific hotfixes?
indeni’s Configuration Checks feature helps you here in conjunction with the Inventory Report feature. With indeni, you’ll be able to ensure your configurations match the requirements. If they don’t, you’ll get an alert indicating the misconfigured device and what the configuration should be. Specifically, indeni will help you meet these requirements (copied from CIP-010-01):
Develop a baseline configuration, individually or by group, which shall include the following items:
1.1.1. Operating system(s) (including version) or firmware where no independent operating system exists;
1.1.4. Any logical network accessible ports; and
1.1.5. Any security patches applied.…
Monitor at least once every 35 calendar days for changes to the baseline configuration (as described in Requirement R1, Part 1.1). Document and investigate detected unauthorized changes.
The bottom line here is that you’re not alone. Ensuring compliance with NERC CIP v5 is challenging and you will need to document new processes and roll out new solutions and functionality. We’re here for you to ensure you meet the deadline and pass with flying colors.
See what else Indeni can do for you to maintain your infrastructure in compliance.