An approach to complying with NERC’s new cybersecurity standard, CIP-007 (R2).
Chris Sincerbox is a consulting engineer with ABB Ventyx. He’s spent 27 years working on energy management systems (EMS), including designing and implementing security compliance on EMS and distribution management systems.
Utility personnel responsible for cyber security compliance who have had any exposure to the Critical Infrastructure Protection (CIP) program sponsored by the North American Electric Reliability Corp. (NERC) have more than likely had some sort of reaction to reliability standard CIP-007.
Requirement 2 of that standard (NERC CIP-007 R2), which covers ports and services, is of particular interest to the personnel who must demonstrate compliance with it. The exact wording of the requirement in version 4 follows:
“R2. Ports and Services: The Responsible Entity shall establish, document and implement a process to ensure that only those ports and services required for normal and emergency operations are enabled.
“R2.1. The Responsible Entity shall enable only those ports and services required for normal and emergency operations.
“R2.2. The Responsible Entity shall disable other ports and services, including those used for testing purposes, prior to production use of all Cyber Assets inside the Electronic Security Perimeter(s).
“R2.3. In the case where unused ports and services cannot be disabled due to technical limitations, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure.”
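The practical core of R2 is an allowlist: every listening port and service on a Cyber Asset inside the Electronic Security Perimeter is either documented as required (R2.1), disabled before production (R2.2), or documented with a compensating measure when it cannot be disabled (R2.3). The following Python script is an added example, not code from the article or from ABB Ventyx, of how such a check can be automated. It parses `ss -tulnp`-style output, compares it against a documented baseline, and reports each of the three cases. The baseline dictionary, its field names and the listener output are all constructed for illustration and stand in for a site's own documented baseline and a capture from a real host.

```python
"""Audit a host's listening ports and services against a documented baseline,
in the spirit of NERC CIP-007 R2. Added example; the baseline schema and the
`ss -tulnp` output below are constructed, not taken from a real system."""
import re
from dataclasses import dataclass, field

# Constructed baseline: ports/services documented as required for normal and
# emergency operations (R2.1). An entry with cannot_disable=True models the
# R2.3 case and must carry a documented compensating measure.
BASELINE = {
    ("tcp", 22):   {"service": "sshd",     "justification": "remote admin from EMS console"},
    ("tcp", 2404): {"service": "iec104d",  "justification": "IEC 60870-5-104 telemetry"},
    ("tcp", 5432): {"service": "postgres", "justification": "historian database"},
    ("udp", 123):  {"service": "chronyd",  "justification": "time sync for event timestamps"},
    ("tcp", 111):  {"service": "rpcbind",  "justification": "required by vendor NFS client",
                    "cannot_disable": True,
                    "compensating": "host firewall limits 111/tcp to 10.20.0.0/24"},
}

# Constructed `ss -tulnp` output as it might look on an EMS server.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:2404        0.0.0.0:*         users:(("iec104d",pid=1201,fd=5))
tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=990,fd=6))
tcp   LISTEN 0      5      0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=433,fd=4))
tcp   LISTEN 0      128    0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=300,fd=8))
tcp   LISTEN 0      128    [::]:8080           [::]:*            users:(("java",pid=1555,fd=12))
udp   UNCONN 0      0      0.0.0.0:123         0.0.0.0:*         users:(("chronyd",pid=410,fd=3))
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*         users:(("snmpd",pid=520,fd=7))
"""

# Matches one listener line: protocol, local address:port, optional process name.
LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    process: str


@dataclass
class AuditResult:
    unexpected: list = field(default_factory=list)         # R2.2: disable before production
    missing: list = field(default_factory=list)            # documented but not listening
    process_mismatch: list = field(default_factory=list)   # allowed port, unexpected binary
    needs_compensating: list = field(default_factory=list) # R2.3 entry with no measure recorded


def parse_ss(text):
    """Parse `ss -tulnp` output into Listener records; header/odd lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, port = m.group("local").rsplit(":", 1)   # handles [::]:8080 as well
        if not port.isdigit():
            continue
        listeners.append(Listener(m.group("proto"), addr, int(port), m.group("proc") or "?"))
    return listeners


def audit(listeners, baseline):
    """Compare observed listeners with the documented baseline."""
    result = AuditResult()
    seen = set()
    for lst in listeners:
        key = (lst.proto, lst.port)
        seen.add(key)
        entry = baseline.get(key)
        if entry is None:
            result.unexpected.append(lst)
        elif entry["service"] != lst.process:
            result.process_mismatch.append((lst, entry["service"]))
    for key, entry in baseline.items():
        if key not in seen:
            result.missing.append(key)
        if entry.get("cannot_disable") and not entry.get("compensating"):
            result.needs_compensating.append(key)
    return result


if __name__ == "__main__":
    r = audit(parse_ss(SS_OUTPUT), BASELINE)
    for lst in r.unexpected:
        print(f"R2.2 finding: {lst.proto}/{lst.port} ({lst.process}) not in baseline; disable it")
    for lst, expected in r.process_mismatch:
        print(f"Mismatch: {lst.proto}/{lst.port} served by {lst.process}, baseline says {expected}")
    for key in r.missing:
        print(f"Note: documented service {key[0]}/{key[1]} is not listening")
    for key in r.needs_compensating:
        print(f"R2.3 finding: {key[0]}/{key[1]} cannot be disabled but has no compensating measure")
```

Run against the constructed capture, the script flags telnet (23/tcp), the Java listener on 8080/tcp and SNMP (161/udp) as undocumented, and accepts rpcbind because its compensating measure is recorded. In practice the baseline would be kept under change control alongside the asset's other compliance evidence, and the audit run on every asset before it enters production and periodically thereafter.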