Supporting NERC CIP-005 R2
Requirement 2 of CIP-005 requires access controls at the electronic perimeter. I think most of us read it and see firewalls as a big part of the solution. However, there are implications beyond just putting in a firewall with a good rule set. R2 requires control and documentation of the ports and services that control access to critical items.
FireMon supports R2. If you asked me how FireMon could help meet R2, I’d name at least two features. Rule Documentation is the big feature that lots of energy companies can use to put port/service justification directly on top of the rule. Policy Report, which shows why access is allowed, is useful, too. But I think folks are really looking for the efficiency of Rule Documentation, where that justification information is automatically taken from the change process, and they avoid cost of creating documentation manually.
But if you asked our customers, you might get a different answer. I was working with one of our NERC-impacted customers this week, and they were using a FireMon feature for NERC that I’d never thought of. They looked at R2 and saw the implication that there needs to be some accounting of who has access to those critical assets and what services they are using to access them.
The firewall logs were the obvious answer to the accounting problem, but finding the right logs and pulling the right information was going to be expensive. Enter FireMon’s Traffic Flow Analysis (TFA) report.
TFA inspects a rule and shows which sources are accessing which destinations over which services. We built TFA to help create better rules from ones that are too broad. But by turning the TFA report on for all the rules that allow access to critical assets, our customer can pull an accounting report at any time.
This is another example (and there are a lot) of a great way to use our most popular new feature.