Ports and Services Identification
NERC CIP Reliability Standards CIP-005, CIP-006 and CIP-007 require that ports and services on certain devices be disabled if not required for “normal and emergency operations.”  The devices to which this applies include:
  • Critical cyber assets (CCAs) within an electronic security perimeter (ESP).
  • Access points to the ESP(s).
  • Cyber assets used in access control and monitoring of the ESP(s).
  • Cyber assets used in the access control and monitoring of the physical security perimeter (PSP).

This may at first glance seem like an easy thing to do, but many NERC-registered entities indicate that ports and services identification is among the most challenging aspects of achieving NERC CIP compliance.  In many cases it is very difficult to determine why a particular port or service has been enabled on a cyber asset, and whether it should still be enabled.  The process becomes even more difficult because production systems – such as SCADA and DCS servers – should never be scanned for open ports using automated tools (like those regularly used on IT networks), given the considerable risk of degrading or disabling the system.

Encari’s consultants have many years of experience in identifying and disabling unnecessary ports and services on industrial control systems.  Our consultants will:

  1. Identify open ports and services using a variety of software tools that do not risk degrading or disabling the system, as well as using purely “manual” methods.
  2. Verify, for each open port or service, the process(es) or system(s) that require it to be open.  This may require reviewing network or system documentation, interviewing system owners, contacting vendors, etc.
  3. For those ports and services that are in use, confirm that the processes or systems using them are authorized and required by normal or emergency operations.
  4. For ports or services whose use is required neither by normal nor emergency operations, develop with the client an appropriate procedure for disabling them, while testing to ensure that required processes or systems are not impacted.
  5. For cases in which a port or service cannot be disabled due to technical limitations, identify compensating measures to mitigate risk exposure, as required by the NERC CIP Reliability Standards.
  6. Document all of the above procedures because the NERC CIP Reliability Standards (as well as good security practices) require that they be performed on a regular basis.
  7. Provide knowledge transfer to clients' staff members so they may apply these tools and procedures on an ongoing basis in the future, independently of external assistance.
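
Steps 1 through 4 above amount to reconciling what is actually listening on an asset against what is documented as required. The following is an added example, not Encari's tooling: it parses a listing captured locally on the asset (a constructed sample in `ss -H -tulnp` format, so no network scan is run) and checks it against a hypothetical `BASELINE` of authorized ports; all names and sample values are assumptions.

```python
import re

# Constructed sample: listening sockets listed locally on the asset
# (`ss -H -tulnp` format). The last line has no process column, which is
# what the tool prints when it cannot see the socket's owner.
SS_OUTPUT = """\
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 5 10.10.1.5:20000 0.0.0.0:* users:(("dnp3gw",pid=1440,fd=7))
tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=990,fd=4))
udp UNCONN 0 0 0.0.0.0:161 0.0.0.0:* users:(("snmpd",pid=701,fd=6))
tcp LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
"""

# Hypothetical baseline: (protocol, port) -> (expected process, justification)
BASELINE = {
    ("tcp", 22): ("sshd", "remote administration, normal operations"),
    ("tcp", 20000): ("dnp3gw", "telemetry, normal and emergency operations"),
}

PROC_RE = re.compile(r'users:\(\("([^"]+)"')

def parse_listeners(text):
    """Return one dict per listening socket in the captured listing."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip blank or truncated lines
        _addr, _, port = fields[4].rpartition(":")  # also handles [::]:22
        owner = PROC_RE.search(line)
        listeners.append({"proto": fields[0], "port": int(port),
                          "process": owner.group(1) if owner else None})
    return listeners

def reconcile(listeners, baseline):
    """Classify each listener for follow-up (steps 2 to 4)."""
    findings = []
    for item in listeners:
        key = (item["proto"], item["port"])
        if item["process"] is None:
            status = "owner-unknown"      # step 2: identify the owner manually
        elif key not in baseline:
            status = "undocumented"       # steps 3-4: justify or disable
        elif baseline[key][0] != item["process"]:
            status = "owner-mismatch"     # documented port, unexpected process
        else:
            status = "documented"
        findings.append((item["proto"], item["port"], item["process"], status))
    return findings

if __name__ == "__main__":
    for finding in reconcile(parse_listeners(SS_OUTPUT), BASELINE):
        print(*finding)
```
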
Copyright 2008-2010 Encari, LLC.