Implement NERC CIP v5 Using USP

You can implement NERC CIP v5 compliance that is tailored to your specific business requirements and network topology using a Unified Security Policy (USP). View compliance reports from the violations dashboard at any time, and verify compliance with each specific regulation. If a regulation is not in compliance, identify the specific device and rule that is causing the violation.

Overview

To implement best practices or the compliance regulations of a standard, you need to create a USP Matrix containing the compliance zones required by the standard. The compliance zones are placeholder zones into which you place your network zones, using SecureTrack zone hierarchies. Your existing zones can then be collected into these compliance zones, to ensure compliance monitoring of your entire network. To ensure that you maintain ongoing compliance as your network topology evolves, we recommend that you periodically review the hierarchy of your compliance zones.

NERC zones of protection are unique to each company, and vary based on their specific critical cyber asset structure and segmentation. The granularity of the connections between the zones of protection, internal networks, and the internet will also vary by company.

The NERC CIP compliance zones are:

  • EACMS - Network for managing cyber assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems
  • PACS - Network for managing physical access control systems, such as motion sensors, electronic lock control mechanisms, and badge readers
  • Control Center - Network for managing the NERC assets
  • Substation - Network for managing smaller generators that are not co-located with the control center
  • Corporate - Internal corporate network
  • DMZ
  • Internet

Create the USP

Before you create this USP, make sure all the required compliance zones have been created (see Network Zones).

  1. Browser > USP Viewer.
  2. Click +ADD UNIFIED SECURITY POLICY.
  3. Select NERC CIP from the menu. The zones required for NERC CIP appear.

  4. For each required zone displayed, select the appropriate compliance zone.

  5. (optional) Enter the USP description.

  6. Click Create.

The NERC CIP USP has now been created. You can click on the card to view the matrix in the USP Builder and modify the policy as needed.

The following requirements are defined in the USP matrix:

Source / Destination

EACMS

PACS

Control Center

Substation

Corporate

DMZ

Internet

EACMS

 

CIP 5 R1.5

CIP 5 R1.1

CIP 5 R1.5

CIP 5 R1.1

CIP 5 R1.5

CIP 5 R1.1

CIP 5 R1.2

  • Blocked

CIP 5 R1.2

  • Blocked

CIP 5 R1.2, CIP 7 R1.1

  • Blocked

PACS

CIP 5 R1.5

CIP 5 R1.1

 

CIP 5 R1.5

CIP 5 R1.1

CIP 5 R1.5

CIP 5 R1.1

CIP 5 R1.2

  • Blocked

CIP 5 R1.2

  • Blocked

CIP 5 R1.2, CIP 7 R1.1

  • Blocked

Control Center

CIP 5 R1.5

CIP 5 R1.1

CIP 5 R1.5

CIP 5 R1.1

 

CIP 5 R1.5

CIP 5 R1.1

CIP 5 R1.2

  • Blocked

CIP 5 R1.2

  • Blocked

CIP 5 R1.2, CIP 7 R1.1

  • Blocked

Substation

CIP 5 R1.5

CIP 5 R1.1

CIP 5 R1.5

CIP 5 R1.1

CIP 5 R1.5

CIP 5 R1.1

 

CIP 5 R1.2

  • Blocked

CIP 5 R1.2

  • Blocked

CIP 5 R1.2, CIP 7 R1.1

  • Blocked

Corporate

CIP 5 R2.1

  • restricted access to designated intermediate system

CIP 5 R2.1

  • restricted access to designated intermediate system

CIP 5 R2.1

  • restricted access to designated intermediate system

CIP 5 R2.1

  • restricted access to designated intermediate system

 

Best Practice

  • Restricted

Best Practice

  • Restricted

DMZ

CIP 5 R1.2

  • Blocked

CIP 5 R1.2

  • Blocked

CIP 5 R1.2

  • Blocked

CIP 5 R1.2

  • Blocked

Best Practice

  • Restricted

 

Best Practice

  • Restricted

Internet

CIP 5 R1.2, CIP 7 R1.1

  • Blocked

CIP 5 R1.2, CIP 7 R1.1

  • Blocked

CIP 5 R1.2, CIP 7 R1.1

  • Blocked

CIP 5 R1.2, CIP 7 R1.1

  • Blocked

Best Practice

  • Blocked

Best Practice

  • Restricted

 

NERC CIP regulation 005-5 Rule 1.5 (ANY not allowed in source or destination) and Rule 1.1 (comments in all rules, Last hit < 90) applies to all cells in the matrix.

SecureTrack will identify any current violations of the policy. All access requests that are submitted from SecureChange will also be checked for violations. This process makes sure you have ongoing NERC CIP v5 compliance.

NERC CIP v5 Regulations

CIP-005-5 Table R1 – Electronic Security Perimeter

 

Requirement

Unified Security Policy Implementation

1.1

All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP.

  • Create a universal security policy map that identifies all zone to zone connection relations with insecure services, protocols, or ports.

All rules related to a NERC zone must comply with the following requirements:

  • The rule must have a comment
  • Rules with explicit traffic must be implemented
  • Rules that are not used for the last 90 days must be removed.

1.2

All External Routable Connectivity must be routed through an identified Electronic Access Point (EAP).

  • Apply the unified security policy to the relevant FW’s
  • Deny all connections from the internet zone

1.3

Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default.

  • Configure the matrix to limit the inbound and outbound traffic to the specific applications, servers and protocols needed using the access type restricted.
  • Configure the rule properties to add a comment describing the reason the access was granted.

1.5

Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.

Configure the matrix to deny access to the cyber assets in the NERC zones to all traffic that has ANY as a source, destination, or service. Services not explicitly identified will be denied when the access type is restricted.

CIP-005-5 Table R2 – Interactive Remote Access Management

 

Requirement

Unified Security Policy Implementation

2.1

Utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset.

Configure the matrix to allow only the designated intermediate systems to the cyber assets in the NERC zones using the access type restricted.

CIP-007-5 Table R1– Ports and Services

 

Requirement

Unified Security Policy Implementation

1.1

Where technically feasible, enable only logical network accessible ports that have been determined to be needed by the Responsible Entity, including port ranges or services where needed to handle dynamic ports. If a device has no provision for disabling or restricting logical ports on the device then those ports that are open are deemed needed.

Configure the matrix to deny access to the cyber assets in the NERC zones from the internet using the access type blocked