Ornamental dots. Two rows of three dots. The top row is a light blue. The bottom row is one light blue dot followed by two orange dots. Blog

Top 3 Ways ICS Patrol Streamlines NERC CIP Compliance

Christina Hoefer | June 10, 2019

Utility operators in the United States and Canada must keep pace with the evolving and stringent regulatory requirements of the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) standards. Maintaining compliance with NERC CIP has now become even more crucial as standards become stricter and fines more costly, as evidenced by the $10 million fine that was recently issued, the largest public fine in NERC CIP’s history.

As Forescout designs and develops new product features, we always strive to further simplify compliance with threat detection, operational awareness and ICS cybersecurity requirements for NERC CIP. With the release of ICS Patrol, our optional selective scanning module, we’ve proven our commitment to innovation and operational excellence for utilities.

With ICS Patrol, utility asset owners can achieve a deeper level of visibility not accessible with passive monitoring alone. With this optional module, users can access a host of new tools to help manage compliance with the evolving NERC CIP requirements.

Below are just a few of the NERC CIP requirements that ICS Patrol helps manage:


CIP-004-6 R4.2 and CIP-004 R4.3

Requirement (CIP-004-6 R4.2):
Verify individuals with active electronic access or unescorted physical access have authorization records at least once each calendar quarter.

How ICS Patrol Helps:
While SilentDefense provides strong capabilities for identifying users who have logged in using cleartext protocols, ICS Patrol™ allows organizations to document when any user has logged into a Windows system.

Requirement (CIP-004 R4.3):
Verify that all electronic access of all user accounts, user account groups, or user role categories are legitimately assigned to the appropriate responsible entity.



CIP-007-6 R2.1

Requirement (CIP-007-6 R2.1):
Track, support and manage patching processes for evaluating and installing cybersecurity patches for applicable assets at a minimum of every 35 calendar days. Tracking must include the identification of sources responsible for the release of patches and the applicable cyber assets that are updatable, and for which patching sources exist. This process must be documented into a mitigation plan that specifies planned actions of identified patches and timeframe to complete identified mitigations.

How ICS Patrol Helps:
Patch levels are not always communicated across the network. The ability to query which patches have been applied and documenting when they were applied provides important documentation when compliance with regulatory standards is audited.

Many NERC CIP requirements mandate documentation to prove that an organization has been compliant not only at a single point in time, but also that they have been compliant throughout the audit period. The ability to easily generate documentation of compliance through regularly scheduled queries assists with the mitigation plan reporting process and enforcement of policy.



CIP-010-2 R2.1

Requirement (CIP-010-2 R2.1):
Monitor at least once every 35 calendar days for changes to the baseline configuration, including operating system versions, software installed, and security patches applied. This includes defining processes, procedures and templates for the development and maintenance of baseline configurations.

How ICS Patrol™ Helps:
Queries can be made to document that an asset matches the baseline, or “Golden Image” configuration and to identify when variations exist. While this can be done manually, it’s very time-consuming and subjects the process to human error.


The ability to automatically identify these changes using ICS Patrol™ helps organizations save time and money by verifying both the configurations and ensuring auditable documentation exists.

ICS Patrol is yet another advancement that offers more visibility, control and choice to our customers. Streamlining NERC CIP compliance efforts is just one of the many benefits that SilentDefense 4.0 offers our customers.

If you want to learn more about ICS Patrol and how it streamlines compliance efforts with this ever-changing and critical set of standards, check out our solution brief.

Forescout ICS Patrol

Demo RequestForescout PlatformTop of Page