
Nozomi Networks NERC CIP Compliance Mapping Guide

The document outlines how Nozomi Networks' solution supports compliance with NERC CIP standards for cybersecurity in the electric utility sector. It emphasizes the importance of real-time monitoring, threat detection, and risk management to protect the Bulk Electric System from cyber threats. Additionally, it highlights the evolving nature of cybersecurity standards and the need for utilities to adopt comprehensive practices to ensure ongoing compliance.

Uploaded by

diptarshi

MAPPING GUIDE

NERC CIP Compliance with Nozomi Networks’ Solution

1. Introduction
Electric utilities have become increasingly aware of cybersecurity threats and the operational impacts they pose to their assets, operations, and grid reliability. Any cyber scenario that can adversely affect reliability of the Bulk Electric System (BES) threatens the integrity of the grid, health and human safety, and critical services that sustain our daily lives.

The Federal Energy Regulatory Commission (FERC) continues to increase the security and resilience of the U.S. power grid, encouraging registered entities to enhance their awareness and defensive capabilities to the cyber threat landscape. Its regulators and utility members work in coordination to stay proactive in the face of increased technological dependence, digital interdependence, and increasing risks and vulnerabilities.

The North American Reliability Corporation (NERC) is a FERC-certified body tasked with establishing and enforcing reliability standards, as well as soliciting feedback to continually update mandated and enforced security controls to improve overall cyber and physical security. The Critical Infrastructure Protection (CIP) standards are a subset of NERC standards that specify the minimum cybersecurity requirements to support the reliability of the electrical system applied to BES operators in the U.S., Canada, and Mexico.

The Nozomi Networks platform supports mandated NERC-CIP cybersecurity standards for operational technology (OT) and industrial control systems (ICS). The solution offers custom queries and assertions for monitoring and analyzing network traffic, and reporting capabilities to demonstrate compliance. The system also provides anomaly detection for early attack identification and prevention, as well as workbooks to strategically prioritize remediation efforts to identified vulnerabilities for more efficient risk management.

“The electricity sector is undergoing significant changes that are unprecedented in both transformational nature and rapid pace. Such extraordinary evolution presents new challenges and opportunities for reliability, resilience, and security. Advances in technology, customer preferences, policies, and market forces are altering the generation resource mix and challenging the conventional understanding of the reliability role of baseload power that was traditionally provided by large, centralized generating units. While efforts are underway to address these risks, the management of reliability, resilience, and security will require increased focus by all.”
NERC Long-Term Reliability Assessment, 2020

2. Additional Standards to Come
To reduce cybersecurity risks and exposure, NERC is in the process of developing a new standard requiring internal network security monitoring within a trusted Critical Infrastructure Protection networked environment for all high impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity. The standard could also include medium and low impact BES Cyber Systems in the future. Given the increasingly sophisticated methods by which attackers gain access to critical systems, it is critical that entities move beyond protection of the electronic security perimeter and implement dynamic, persistent monitoring measures.

FERC has also issued a recent order approving CIP-003-9 requiring remote access security controls for low impact BES Cyber Systems. According to NERC, “the incredible scale and diversity of low impact BES Cyber Assets across Control Centers, substations, and generation resources of all types, the idea of having a base cyber security plan with required sections to mitigate high level risk areas rather than prescriptive device-level requirements is a manageable way for all entities to document how they meet the cyber security objectives for the assets containing low impact BES Cyber Systems.” The extended CIP-003 standard tasks utilities with demonstrating security management controls for low impact BES Cyber Systems, tackling cybersecurity awareness, physical security controls, electronic access controls, cybersecurity incident response, and transient cyber assets and removable media.

Lastly, NERC continues to grapple with the addition of distributed energy resources as outlined in the Department of Energy’s October 2022 report, “Cybersecurity Considerations for Distributed Energy Resources on the U.S. Electric Grid.” Distributed Energy Resources (DER) are small-scale power generation, flexible load, or storage technologies (typically from 1 kilowatt to 10,000 kilowatts) that can provide an alternative to, or an enhancement of, the traditional electric power system.

Per the report, “existing cybersecurity standards and best practices, such as multifactor authentication, endpoint detection and response (EDR), encryption, and a skilled and empowered security team, may need to be refined for specific DER deployment use cases … Broad industry involvement is key to the development, approval, and implementation of robust DER cybersecurity standards. The U.S. Department of Energy (DOE) will continue to engage DER operators; vendors; developers; owners; aggregators; utilities; and other Federal, state, and local partners to ensure the wide adoption of the standards and best practices.”

3. Nozomi Networks Solution Support for NERC CIP Standards

| Standard | Requirement | Security Objectives for OT/ICS Networks | Nozomi Networks Support |
| --- | --- | --- | --- |
| CIP-002-5.1a: BES Cyber System Categorization | Identify and categorize BES Cyber Systems and their associated BES Cyber Assets for the application of cyber security requirements | Categorize inventory, prioritizing critical systems, understand and analyze assets and risk indicators, severity scoring, and recommendations | COMPLETE |
| CIP-003-8: Security Management Controls | Specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems | Centralize network visibility, provide security access management, analyze communications and protocols, set and review security management for BES across locations | COMPLETE |
| CIP-004-6: Personnel & Training | Minimize the risk against compromise that could lead to misoperation or instability in the Bulk Electric System | Create custom CIP reports, dashboards, and queries for training materials with nodes categorized as most at risk with clear visual markers and detailed alerts | PARTIAL |
| CIP-005-7: Electronic Security Perimeter(s) | Manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter | Detect unauthorized network access, use of cleartext passwords and unencrypted remote access, and manage assets based on uniquely assigned electronic security perimeters | COMPLETE |
| CIP-007-6: System Security Management | Manage system security by specifying select technical, operational, and procedural requirements in support of protecting Bulk Electric System | Monitor traffic specific to ports, switches and control networks. Track BES assets by MAC, vendor, product lifecycle, IP, role, OS, firmware version, patch level, and more | PARTIAL |
| CIP-008-6: Incident Reporting and Response Planning | Mitigate the risk to the reliable operation of the BES as the result of a Cyber Security Incident | Monitor events and centrally manage network monitoring, consolidate and correlate events and alerts, report events and incidents and remediate with leading incident response partnerships and integrations | COMPLETE |
| CIP-010-4: Configuration Change Management and Vulnerability Assessments | Prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements | Monitor baseline configurations with change notifications and alerts for change and version control, reviewing relevant vulnerabilities and appropriate patches and updates with available workbooks | COMPLETE |
| CIP-012-1: Communications between Control Centers | Protect the confidentiality and integrity of Real-time Assessment and Real-time monitoring data | Streamline security management of OT/ICS data from one network to range of operations and locations with real time monitoring of communications between control centers | PARTIAL |
| CIP-013-2: Supply Chain Risk Management | Mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management | Utilize deep packet inspection of industrial protocols to perform configuration management on assets and devices, monitoring and reporting vulnerabilities, security events, and incidents | PARTIAL |

CIP-007-6: System Security Management is the most often violated standard as its complexity across OT networks is difficult to master. The standard requires responsible entities to define and document methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets, as well as the Non-critical Cyber Assets within the Electronic Security Perimeter(s). It is impossible to manually log granular details about each asset, its activity and traffic patterns, amounts of transferred data, protocols and function codes, source and destination ports, connection attempts, software and firmware versions and updates in real time.

Asset owners must consistently exhibit compliance, highlighting the necessity for an automated and ongoing security monitoring solution. NERC-CIP regulations carry legal obligations, mandating utility companies to conduct thorough risk assessments, conform to a foundational cybersecurity framework, and implement specialized security measures and industry best practices. Furthermore, these entities are obligated to confirm their compliance and establish comprehensive contingency strategies.

Failure to comply could result in monetary fines, sanctions, or other penalties. Forthcoming standards will include internal network security monitoring, extending risk management practices to low-impact cyber systems, and incorporating distributed energy resources.

4. The Nozomi Networks Platform
Nozomi Networks provides real-time network intelligence, monitoring and AI-powered threat detection. This enables a proactive approach to risk management and, ultimately, risk reduction. It also provides real-time alerts to threats and anomalies within an industrial control network. Our solution includes a flexible and intuitive interface for reporting and operational oversight.

Develop a higher level of cybersecurity maturity demonstrating NERC CIP compliance with:

• Virtual Nozomi Networks sensors that collect network data, analyze it and generate a highly accurate report packed with actionable insights and recommendations resulting in a reduced mean-time-to-respond (MTTR).
• An Asset Inventory that delivers a detailed inventory of assets on the network, along with actionable insights into communications patterns, helping mitigate security risks and increase SOC productivity.
• Asset Intelligence that delivers accurate device profiles that enhance anomaly and threat detection capabilities.
• Vulnerability monitoring that groups alerts into incidents, providing security and operations staff with a simple, clear, and consolidated view of what’s happening on your network.
• Threat Intelligence updated regularly with data and analysis to continuously detect and respond to emerging threats.
• Rapid detection of anomalies, including cyberattacks, cyber events and critical process variable irregularities.

The example substation and SOC architecture below shows the deployment of Nozomi Networks’ OT/IoT anomaly detection and monitoring solution. A wide variety of appliances, a flexible architecture, and integrations with other systems allow us to provide a solution tailored to meet the needs of your organization.

[Figure: Sample Deployment Architecture for Substations SOC. Labels in the diagram: SOC (Vantage, Vantage IQ); System Control Center; Emergency Control Center; WAN; Substation WAN; Local Management Console; Operator Stations; Engineering Station; Printer; GPS Time Server; Redundant Communication Gateways; Redundant Station Computers; Redundant Switches; Mirror/SPAN; Guardian; Smart Polling; IEC 61850-8-1 Ethernet Ring; Bay Control Unit; Bay Control & Protection Unit; Remote I/O; Security Management LAN.]

5. Conclusion
NERC-CIP requires utilities and their responsible stakeholders to develop baseline practices for cybersecurity visibility and threat detection, adopt defense in depth security practices, and protect sensitive information. The standards also encourage strong perimeter and remote access controls, real-time monitoring, business continuity planning, adequate change management policies, and robust cybersecurity training for staff and employees.

The NERC-CIP regulations encompass a wide range of extensive and intricate directives, spanning diverse skillsets of personnel for the secure implementation of the specified controls. Maintaining compliance with all of these requirements cannot be achieved by a single product, technology, or team. Instead, it requires a collaborative ecosystem of partners and technologies, seamlessly operating across the various business units to ensure ongoing compliance.

Nozomi Networks stands as your ally in navigating the complexities of NERC-CIP compliance. We look forward to enabling your organization to be successful in your NERC-CIP journey.

Let's get started: Schedule a demo with our experts to understand how Nozomi Networks can help streamline your NERC CIP compliance program.

Book a Demo: nozominetworks.com/contact

Nozomi Networks accelerates digital transformation by protecting the world’s critical infrastructure, industrial and government organizations from cyber threats. Our solution delivers exceptional network and asset visibility, threat detection, and insights for OT and IoT environments. Customers rely on us to minimize risk and complexity while maximizing operational resilience.

© 2023 Nozomi Networks, Inc. | All Rights Reserved. nozominetworks.com



NN-NERC-CIP-8.5x11-001
