NERC CIP-005-5: Complying With the Electronic Security Perimeter Requirement

Christina Hoefer | April 3, 2019

A key driver of the NERC CIP regulations is to ensure that computer system networks that are vital to the operation of the Bulk Electric System (BES) have a sufficient level of protection, commensurate to their importance to a functioning society. One of the main ways the NERC CIP regulations do this is through mandating that organizations focus on the perimeter defenses of their computer networks. This is important enough to the NERC CIP standards that CIP-005-5 itself is titled, and focused exclusively on,Electronic Security Perimeters 1

The NERC CIP standards focus on what is commonly called a “Defense-in-Depth” 2 methodology, or the use of multiple defensive strategies so that a computer system will still be protected even if an attacker is able to defeat any one particular defensive strategy. An example of this is in the requirements which are focused on perimeter security. First, CIP-005-5 R1.1 states that:

“All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined Electronic Security Perimeter.”

As defined by the NERC CIP Glossary of Terms, an Electronic Security Perimeter (ESP) is the logical border surrounding a network to which BES Cyber Systems (BCS) are connected using a routable protocol. 3 An OT visibility solution such as SilentDefense can assist users in demonstrating compliance with this requirement by utilizing an interactive network map. The network map can automatically group assets by their network, allowing users to not only easily identify ESPs, but also identify all assets which are connected to a network containing BCS. Since many of the NERC CIP requirements apply to all assets which are connected to a network containing BCS (Protected Cyber Assets or PCAs), the interactive network map can be used to help ensure no devices which are not PCAs are connected to a network containing BCS.

While CIP-005-5 R1.1 requires the identification of a logical security boundary, R1.2 requires that all External Routable Connectivity which leaves an ESP must be through an identified Electronic Access Point (EAP). The interactive map included with an OT visibility solution, such as SilentDefense, makes it easy to help ensure that this is the case, as cross-network flows are easily highlighted and every connection with any device on the network is automatically added to the network map in real time.

To continue the defense-in-depth focus, CIP-005-5 R1.3 requires that all inbound and outbound access to an ESP (which must pass through an EAP) be allowed by access permissions, and that all other traffic is denied by default. As a completely passive OT monitoring solution, SilentDefense does not block traffic with access permissions. In general, a firewall will be used for this purpose. SilentDefense is often used to assist in the creation of those firewall rules, though. By using deep packet inspection of ICS protocols, such as DNP3 or Modbus, SilentDefense can identify those communications which are part of normal operations, and our customers use this intelligence to identify what traffic should be permitted through their ICS firewall.

Even with strong perimeter defenses and a robust set of access permissions, the defense-in-depth concept is further enforced through NERC CIP-005-5 R1.5, which states that entities must:

“Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.”

The best way to meet both the letter and the spirit of this requirement is to inspect the traffic which flows in or out of an ESP. And the best way to inspect the traffic is to focus on more than just the source and destination and look deeper into the packet to know exactly what specific ICS commands or controls are being used. To do that requires a tool built specifically for OT/ICS environments, and SilentDefense fits that bill. It features self-learning engines that allow users to automatically generate a baseline of current network communications. This baseline, along with the information available on the network map, can be used as evidence that only permitted access is occurring in the network. Furthermore, the baseline can be used by the built-in anomaly detection engines to whitelist legitimate network communications and alert in real-time if the baseline is violated. Undesired and suspicious hosts, protocols and operations will be reported immediately. Complementing its anomaly detection engines, SilentDefense also has over 1,600 ICS-specific threat indicators and protocol checks to detect known or suspected malicious communication, including data exfiltration and exploitation attempts.

To learn more about how SilentDefense can help you secure your OT/ICS network and make it easier to meet and demonstrate compliance with the NERC CIP standards, download our NERC CIP ebook or schedule a consultation with one of our cyber resilience experts.

Download the eBook