Walking the Ports and Services Gauntlet

Deck: 

An approach to complying with NERC’s new cybersecurity standard, CIP-007 (R2).

Fortnightly Magazine - September 2013
This full article is only accessible by current license holders. Please login to view the full content.
Don't have a license yet? Click here to sign up for Public Utilities Fortnightly, and gain access to the entire Fortnightly article database online.

If utility personnel responsible for cyber security compliance have had any exposure to the Critical Infrastructure Protection (CIP) program sponsored by the North American Electric Reliability Corp. (NERC), then reliability standard CIP-007 has more than likely generated some sort of reaction.

More specifically, requirement 2 of CIP reliability standard number seven (NERC CIP-007 R2) might be of particular interest to utility personnel who are responsible for meeting this requirement for NERC CIP compliance. The exact wording in version 4 of this NERC CIP requirement follows:
“R2. Ports and Services: The Responsible Entity shall establish, document and implement a process to ensure that only those ports and services required for normal and emergency operations are enabled. 

“R2.1. The Responsible Entity shall enable only those ports and services required for normal and emergency operations. 

“R2.2. The Responsible Entity shall disable other ports and services, including those used for testing purposes, prior to production use of all Cyber Assets inside the Electronic Security Perimeter(s). 

“R2.3. In the case where unused ports and services cannot be disabled due to technical limitations, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure.” 

This full article is only accessible by current license holders. Please login to view the full content.
Don't have a license yet? Click here to sign up for Public Utilities Fortnightly, and gain access to the entire Fortnightly article database online.