NERC CIP-005

Electronic Security Perimeter

Background

NERC CIP-005 requires the identification and protection of the Electronic Security Perimeter(s) inside which all Critical Cyber Assets reside, as well as all access points on the perimeter.

Version 5 of the NERC CIP Standards makes some significant changes that address issues previously covered in Compliance Application Notices (CANs) and other NERC guidance. Version 5 reduces the requirements from five overarching requirements to two. Furthermore, Version 5 changes some terminology: Critical Cyber Assets are now known as BES Cyber Systems, and non-Critical Cyber Assets are called Protected Cyber Assets (PCA).

Requirements (Version 3 and 4)

NERC CIP-005 R1 Electronic Security Perimeter

The Responsible Entity shall ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter. The Responsible Entity shall identify and document the Electronic Security Perimeter(s) and all access points to the perimeter(s).

NERC CIP-005 R2 Electronic Access Controls

The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s).

Version 5 adds the control of both inbound and outbound traffic. Additionally, all Remote Interactive Access will need to use encryption mechanisms to secure traffic, two-factor authentication mechanisms to authenticate users, and an intermediate system so that the remote Cyber Asset initiating access does not access the BES Cyber System directly (the concept of a "Jump Server").

NERC CIP-005 R3 Monitoring Electronic Access

The Responsible Entity shall implement and document an electronic or manual process(es) for monitoring and logging access at access points to the Electronic Security Perimeter(s) twenty-four hours a day, seven days a week.

In Version 5, this requirement is addressed in CIP-005-5 Table R1 - Electronic Security Perimeter.


NERC CIP-005 R4 Cyber Vulnerability Assessment

The Responsible Entity shall perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually.

For Version 5, this requirement has been moved to CIP-010-5.

NERC CIP-005 R5 Documentation Review and Maintenance

The Responsible Entity shall review, update, and maintain all documentation to support compliance with the requirements of Standard CIP-005.

Version 5 addresses documentation maintenance in the Measures of each requirement.

 

Best Practice Tips

  • Ports and services between the control network environment and the corporate network should be enabled only through a DMZ and access permissions granted on a specific case-by-case basis. There should be a documented business justification with risk analysis and a responsible person for each permitted incoming or outgoing data flow.
  • A network diagram for each ESP that shows all access points, CCAs, CAs within the ESP and EACM assets is the easiest way for auditors to verify compliance.
  • Firewall rules need to be locked down as much as possible. Each set of rules should contain an explicit Deny-All, Any-Any rule. Provide a clear justification for all firewall rules.
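
The firewall and data-flow tips above can be checked mechanically before an audit. The following is an added example, not part of the original page or any CRSI tooling: it assumes a hypothetical rule format (dictionaries with `action`, `src`, `dst`, `port`, `justification`, `owner`) and a constructed sample ruleset, and flags a missing or misplaced explicit deny-all, permit rules without a justification or responsible person, and permit rules that use "any".

```python
# Constructed sample ruleset for one ESP access point; all names and addresses are illustrative.
SAMPLE_RULES = [
    {"id": 1, "action": "permit", "src": "10.10.5.20", "dst": "192.168.50.10", "port": "443",
     "justification": "Historian replication to DMZ", "owner": "j.doe"},
    {"id": 2, "action": "permit", "src": "any", "dst": "192.168.50.0/24", "port": "3389",
     "justification": "", "owner": "j.doe"},
    {"id": 3, "action": "permit", "src": "192.168.50.10", "dst": "10.20.0.5", "port": "any",
     "justification": "Patch server", "owner": ""},
    {"id": 4, "action": "deny", "src": "any", "dst": "any", "port": "any",
     "justification": "Explicit deny-all", "owner": "j.doe"},
]

FIELDS = ("src", "dst", "port")


def is_deny_all(rule):
    """True for an explicit deny any-any rule."""
    return rule["action"] == "deny" and all(rule[f] == "any" for f in FIELDS)


def audit_ruleset(rules):
    """Return (rule_id, finding) tuples; an empty list means no findings."""
    findings = []
    if not rules or not is_deny_all(rules[-1]):
        findings.append((None, "ruleset does not end with an explicit deny any-any rule"))
    for pos, rule in enumerate(rules):
        if is_deny_all(rule) and pos != len(rules) - 1:
            findings.append((rule["id"], "deny-all is not last; later rules are unreachable"))
        if rule["action"] != "permit":
            continue
        if not rule.get("justification", "").strip():
            findings.append((rule["id"], "permit rule has no documented justification"))
        if not rule.get("owner", "").strip():
            findings.append((rule["id"], "permit rule has no responsible person"))
        wide = [f for f in FIELDS if rule[f] == "any"]
        if wide:
            findings.append((rule["id"], "permit rule uses 'any' for: " + ", ".join(wide)))
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit_ruleset(SAMPLE_RULES):
        print(f"rule {rule_id}: {finding}")
```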

How CRSI Can Help

CRSI can help your organization identify and develop protection processes and procedures for ESP access points and communications.

  • Develop mechanisms to control and monitor electronic access to all electronic access points
  • Assess the Electronic Security Perimeter's potential vulnerabilities to cyber events
  • Assist in the assessment of the security of firewall rules
  • Test every electronic access point and physically walk down the network to assist in discovery of potentially undocumented access points at least annually

