NERC CIP Cyber Security Standards

If you are working in the energy sector, here's what you need to know about the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards:

NERC coordinates electric industry activities designed to protect the industry's critical infrastructure from cyber threats. There are eight CIP standards (CIP-002-3 through CIP-009-3) that provide a framework for the identification and protection of Critical Cyber Assets to support reliable operation.

Event log management is essential to help you ensure and demonstrate compliance with NERC CIP standards.

Learn how you can meet NERC standards with WhatsUp Log Management Suite

  • Automatically collect Syslog and Windows event log files with WhatsUp Event Archiver to keep a complete audit trail of access to and manipulation of all "Critical Cyber Assets", including the individual user account access and activity mandated by NERC CIP Standard CIP-007-3 R5
    • Enables multi-year data storage in compliance with regulatory requirements
    • Protects archived log files from tampering via cryptographic hashing — key for evidentiary use
  • Configure real-time alerts for key events (such as access, additions, deletions, manipulations and any other changes to Critical Cyber Asset hardware or software) with WhatsUp Event Alarm
  • Prove compliance — generate and distribute key compliance-centric reports to all key stakeholders — security officers, auditors, IT or upper management
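
As an added illustration (not WhatsUp or Ipswitch code), the two controls the list above relies on, in Python: a SHA-256 manifest that makes archived log files tamper-evident, a verification pass that flags altered or missing archives, and a check for days missing from the ninety-day window required by CIP-005-3 D.1.4.1. The file naming scheme syslog-YYYY-MM-DD.log and the sample log lines are constructed assumptions.

```python
# Added example, not vendor code. Assumes one archive per day named syslog-YYYY-MM-DD.log.
import hashlib
import os
import tempfile
from datetime import date, timedelta

RETENTION_DAYS = 90  # CIP-005-3, D.1.4.1: keep logs for at least ninety calendar days

def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(archive_dir):
    """Record the digest of every archived log file; keep this manifest off the log host."""
    return {name: sha256_file(os.path.join(archive_dir, name))
            for name in sorted(os.listdir(archive_dir))}

def verify_manifest(archive_dir, manifest):
    """Return (file, reason) for every archive that is missing or whose digest changed."""
    findings = []
    for name, expected in manifest.items():
        path = os.path.join(archive_dir, name)
        if not os.path.isfile(path):
            findings.append((name, "missing"))
        elif sha256_file(path) != expected:
            findings.append((name, "hash mismatch"))
    return findings

def retention_gaps(file_names, today_iso, days=RETENTION_DAYS):
    """Days inside the retention window that have no archive file at all."""
    today = date.fromisoformat(today_iso)
    covered = {date.fromisoformat(name[-14:-4]) for name in file_names}
    return [today - timedelta(days=i) for i in range(days)
            if today - timedelta(days=i) not in covered]

def demo():
    """Constructed sample: two daily archives, one appended to after the manifest was taken."""
    with tempfile.TemporaryDirectory() as archive_dir:
        for day, line in (("2024-03-30", "Mar 30 10:00:01 rtr1 sshd: Accepted password for admin\n"),
                          ("2024-03-31", "Mar 31 11:15:42 rtr1 config: interface Gi0/1 shutdown\n")):
            with open(os.path.join(archive_dir, f"syslog-{day}.log"), "w") as fh:
                fh.write(line)
        manifest = build_manifest(archive_dir)
        with open(os.path.join(archive_dir, "syslog-2024-03-31.log"), "a") as fh:
            fh.write("Mar 31 11:16:00 rtr1 config: interface Gi0/1 no shutdown\n")  # simulated edit
        return verify_manifest(archive_dir, manifest)
```

Run the manifest build when an archive is closed and the verification pass on a schedule; a non-empty result from either check is itself an event worth alerting on.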

Secure and protect your critical information with WhatsUp Log Management Suite. We recommend using the following alerts and reports to provide management and compliance officers with key resources to demonstrate compliance with NERC CIP standards:

Featured Standards: Recommended WhatsUp Log Management Suite Alerts and Reports
NERC CIP Standard CIP-003-3

B. Requirements

  • R6. Change Control and Configuration Management — The Responsible Entity shall establish and document a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement supporting configuration management activities to identify, control and document all entity or vendor-related changes to hardware and software components of Critical Cyber Assets.

Windows Event Logs

  • Configuration changes to single or bulk devices
  • User login time and date
  • User responsible for change(s)
  • ACL or rights changes
  • Router, switch, firewall or IDS port or protocol changes
  • Addition or deletion of user credentials
  • System reboot or restart
  • Single or bulk device password changes

NERC CIP Standard CIP-005-3

B. Requirements

  • R3. Monitoring Electronic Access — The Responsible Entity shall implement and document an electronic or manual process(es) for monitoring and logging access at access points to the Electronic Security Perimeter(s) twenty-four hours a day, seven days a week.
    • R3.2. Where technically feasible, the security monitoring process(es) shall detect and alert for attempts at or actual unauthorized accesses. These alerts shall provide for appropriate notification to designated response personnel.

D. Compliance

  • 1. Compliance Monitoring Process
    • 1.4. Data Retention
      • 1.4.1 The Responsible Entity shall keep logs for a minimum of ninety calendar days, unless: a) longer retention is required pursuant to Standard CIP-008-3, Requirement R2; b) directed by its Compliance Enforcement Authority to retain specific evidence for a longer period of time as part of an investigation.
      • 1.4.2 The Responsible Entity shall keep other documents and records required by Standard CIP-005-3 from the previous full calendar year.
      • 1.4.3 The Compliance Enforcement Authority in conjunction with the Registered Entity shall keep the last audit records and all requested and submitted subsequent audit records.

Windows Event Logs

  • Directory Service Access Attempts
  • Directory Service Access - Success/Failure
  • Logon Failures - Active Directory
  • Logon Failures - Local Logons
  • Object Access Attempts - Success/Failure
  • Object Deletions
  • Password Reset Attempts by Administrators or Account Operators
  • Process (Program) Usage
  • User Activity in Auditing Categories
  • Computer Account Management - Success/Failure
  • Successful Network Logons - Workstations and Servers
  • Policy Change - Success/Failure
  • Account Management - Success/Failure
  • System Events - Success/Failure

Syslog Events

  • User login time and date
  • User responsible for change(s)
  • ACL or rights changes
  • Addition or deletion of user credentials
  • System reboot or restart
  • Single or bulk device password changes

NERC CIP Standard CIP-007-3

B. Requirements

  • R2. Ports and Services — The Responsible Entity shall establish, document and implement a process to ensure that only those ports and services required for normal and emergency operations are enabled.
  • R5. Account Management — The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.
    • R5.1.2. The Responsible Entity shall establish methods, processes, and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity for a minimum of ninety days.
    • R5.2. The Responsible Entity shall implement a policy to minimize and manage the scope and acceptable use of administrator, shared, and other generic account privileges including factory default accounts.
      • R5.2.1. The policy shall include the removal, disabling, or renaming of such accounts where possible. For such accounts that must remain enabled, passwords shall be changed prior to putting any system into service.

Windows Event Logs

  • Directory Service Access Attempts
  • Directory Service Access - Success/Failure
  • Logon Failures - Active Directory
  • Logon Failures - Local Logons
  • Object Access Attempts - Success/Failure
  • Object Deletions
  • Password Reset Attempts by Administrators or Account Operators
  • Process (Program) Usage
  • User Activity in Auditing Categories
  • Computer Account Management - Success/Failure
  • Successful Network Logons - Workstations and Servers
  • Policy Change - Success/Failure
  • Account Management - Success/Failure
  • System Events - Success/Failure

Syslog Events

  • User login time and date
  • User responsible for change(s)
  • ACL or rights changes
  • Addition or deletion of user credentials
  • System reboot or restart
  • Single or bulk device password changes