While the NERC Critical Infrastructure Protection (CIP) standards encompass many different aspects of security and responses, some of the most difficult to implement are the standards focused on network
management because of the state of network management tools in the OT environment today.
The Veracity OT Network Controller provides a micro-segmented network with full visibility into every end point, switch, and port on the network. The network switches will block any traffic at the port that does not have a rule in the controller explicitly allowing communications via a specified protocol between devices. The following sections will highlight important NERC-CIP standards that are supported by an SDN solution.
CIP-007-6 1.x – Ports and Services
The standard requires that network ports only allow logical access to responsible entities. SDN creates a micro-segmented network that blocks any communication from unauthorized devices via unauthorized protocols at the port of the switch. Traditional networks only block such access at a firewall and only if the firewall is configured properly. In addition, SDN provides the ability to document every port on every switch and the endpoints that are communicating through them.
CIP-010-4 Configuration Change Management
Section 1.x of CIP-010-4 requires that a baseline of the configuration be documented, and any changes require validation. With the Veracity OT Network Controller, the entire configuration can be exported to a CSV. In OT networks, changes can happen quickly when there is downtime. Operators will make changes to the network to keep the process running. The SDN controller will log all changes to the network eliminating tedious port scans and time-consuming physical inspections, making the audit required by CIP-010-4 2.1 simple.
CIP-005-7 1.x Electronic Security Perimeter
This requirement states that all applicable cyber assets connected to a network via a routable protocol reside within an electronic security perimeter. In a traditional network, this is done via segmenting using either VLANs or firewalls. VLAN and firewall configuration can take 10-40 hours per firewall to do properly. With an SDN network, because it is a micro-segmented network, all devices are within their own electronic security perimeter as part of the setup of the network. Because the network controller manages the switches, there is no additional labor time required for configuration of VLANs or firewalls. In addition, lower level firewalls are no longer required as part of the system eliminating the need to validate no changes to the firewalls have occurred.
Conclusion
The spirit of the NERC-CIP standards requires a micro-segmented network for full compliance. The Veracity OT Network Controller utilizing software defined networking provides a true micro-segmented network that is also easy to configure and audit. Changes are logged and unauthorized devices are denied access at the switch port level. To learn more about how Veracity Industrial Networks can help make NERC-CIP compliance easier, please contact us.
