on May 25, 2016The NERC CIP compliance reports in RSA NetWitness are based on North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) program requirements.
The CIP program coordinates NERC’s efforts to improve physical and cyber security for the bulk power system of North America as it pertains to reliability. This includes standards development, compliance enforcement, assessments of risk and preparedness, disseminating critical information via alerts to industry, and raising awareness of key issues.
Dependencies
The NERC CIP compliance reports have the following dependencies.
| SA Rules | SA Lists | App Rules |
|---|---|---|
| Access to Compliance Systems Details Access to Compliance Systems Summary Accounts Created Accounts Deleted Accounts Modified Admin Access to Compliance Systems Details Admin Access to Compliance Systems Summary Antivirus Signature Update Failed Remote Access Details Failed Remote Access Summary Firewall Configuration Changes Firmware Changes on Wireless Devices Group Management Logon Failures Details Logon Failures Summary Router Configuration Changes Successful Escalation of Privileges Details Successful Escalation of Privileges Summary Successful Remote Access Details Successful Remote Access Summary User Access Revoked User Access to Compliance Systems Details User Access to Compliance Systems Summary | Administrative Users Compliance Data Compliance Systems | account:created account:deleted account:modified account:logon-success access:remote-failure access:remote-success av:signature-update config:fw-config-changes config:firmware-config-changes account:group-management account:logon-failure config:router-change access:privilege-escalation-success access:user-access-revoked |
Citations
The NERC CIP reports have the following Citations.
| Report Rule | Citation Number | Citation Description |
|---|---|---|
| Access to Compliance Data - Detail | NERC CIP-003-4 R3: | The Responsible Entity shall implement and document a program to identify, classify and protect information associated with Critical Cyber Assets. |
| Access to Compliance Data - Top 25 | NERC CIP-003-4 R3: | The Responsible Entity shall implement and document a program to identify, classify and protect information associated with Critical Cyber Assets. |
| Accounts Created | CIP-007-4 R5.1.1 | The Responsible Entity shall ensure that user accounts are implemented as approved by designated personnel. |
| Accounts Deleted | CIP-007-4 R5.1.1 | The Responsible Entity shall ensure that user accounts are implemented as approved by designated personnel. |
| Accounts Modified | CIP-007-4 R5.1.1 | The Responsible Entity shall ensure that user accounts are implemented as approved by designated personnel. |
| Admin Access to Compliance Systems - Detail | CIP-007-4 R5.1.2 | The Responsible Entity shall establish methods, processes, and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity for a minimum of 90 days. |
| Admin Access to Compliance Systems - Top 25 | CIP-007-4 R5.1.2 | The Responsible Entity shall establish methods, processes, and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity for a minimum of 90 days. |
| Antivirus Signature Update | NERC CIP-007-4 R4.2 | The Responsible Entity shall document and implement a process for the update of antivirus and malware prevention "signatures." |
| Escalation of Privileges - Detail | NERC CIP-004-4 R4.1: | The Responsible Entity shall review the lists of its personnel...or any change in the access rights of such personnel. |
| Escalation of Privileges - Top 25 | NERC CIP-004-4 R4.1: | The Responsible Entity shall review the lists of its personnel...or any change in the access rights of such personnel. |
| Failed Remote Access - Detail | CIP-005-4a | Where technically feasible, the security monitoring process(es) shall detect and alert for attempts at or actual unauthorized accesses. |
| Failed Remote Access - Top 25 | CIP-005-4a | Where technically feasible, the security monitoring process(es) shall detect and alert for attempts at or actual unauthorized accesses. |
| Firewall Configuration Changes | NERC CIP-003-4 R6: | Change Control and Configuration Management. |
| Firmware Changes Wireless Devices | NERC CIP-003-4 R6: | Change Control and Configuration Management. |
| Group Management | NERC CIP-007-4 R5.1.1: | The Responsible Entity shall ensure that user accounts are implemented as approved by designated personnel. |
| Logon Failures - Detail | CIP-005-4a | Where technically feasible, the security monitoring process(es) shall detect and alert for attempts at or actual unauthorized accesses. |
| Logon Failures - Top 25 | CIP-005-4a | Where technically feasible, the security monitoring process(es) shall detect and alert for attempts at or actual unauthorized accesses. |
| Router Configuration Changes | NERC CIP-003-4 R6: | Change Control and Configuration Management. |
| Successful Remote Access - Detail | NERC CIP-005-4a R3: | Monitoring Electronic Access. |
| Successful Remote Access - Top 25 | NERC CIP-005-4a R3: | Monitoring Electronic Access. |
| User Access Revoked | CIP-004-4 R4.2 | The Responsible Entity shall Revoke such access to Critical Cyber Assets within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access to Critical Cyber Assets |
| User Access to Compliance Systems - Detail | CIP-007-4 R5.1.2 | The Responsible Entity shall establish methods, processes, and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity for a minimum of 90 days. |
| User Access to Compliance Systems - Top 25 | CIP-007-4 R5.1.2 | The Responsible Entity shall establish methods, processes, and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity for a minimum of 90 days. |
