Perle Systems Technical Notes - IOLAN SDSC HV and IOLAN SDSC LDC
NERC CIP Compliance Solutions
The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to “ensure that the bulk electric system in North America is reliable, adequate and secure.” As the federally designated Electric Reliability Organization (ERO) in North America, NERC maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system. Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, which are intended to ensure the protection of the Critical Cyber Assets that control or effect the reliability of North America’s bulk electric systems. Perle has extensive experience in helping customers conform to industry security standards such as HIPAA and DSS PCI, improving their security and compliance posture. Table 1.0 includes many elements that align directly with the NERC CIP Standards, allowing you to easily meet and exceed the requirements that have been set forth. Table 1.0: NERC-CIP Compliance Elements by Perle IOLAN Terminal Servers
| Requirement | IOLAN Solution Feature |
|---|---|
| Electronic Security Perimeter – CIP-005 | |
| R2.1 - Deny Access by Default | All access is protected as a default configuration. |
| R2.2 – Enable only needed ports | Authorized administrators can enable individual physical serial ports that are to be used, leaving all others disabled. This includes known IP services such as Telnet port 23. |
| R2.3 - Secure dial-up access | Dial-up access using a routable PPP, or non-routable serial terminal program such as HyperTerminal, can have restricted access through ID/password authentication based on a local database or central AAA authentication server. |
| R2.4 – Strong Technical Controls | Perle IOLANs support RSA’s SecureID two-factor token authentication scheme for complete interactive access security. |
| R2.6 – Appropriate Use Banner | A configurable “appropriate use banner” can be displayed on the user screen upon all interactive access attempts. |
| R3.2 – Unauthorized Access attempts | Unauthorized access attempts are detected and will generate an alert message via a Syslog message or when used in conjunction with a centralized AAA server such as TACACS+ or RADIUS. |
| R5.3 – Session logging | Port buffers and keystrokes are recorded and can be reviewed on the IOLAN platform or via an external continuous logging server such as Syslog or NFS. |
| Systems Security Management – CIP-007 | |
| R2,1,2,3 – Ports and Services | Authorized administrators can enable individual physical serial ports that are to be used, leaving all others disabled. This includes known IP services such as Telnet port 23. |
| R5.3 – Secure Passwords | In conjunction with TACACS+ and RADIUS, user passwords can be managed in terms of password length, strength and change frequency. |
| R6.4 – Security Status Logs | Through the use of NFS port logging, Syslog and AAA accounting schemes such as TACACS+ and RADIUS. |
| Additional Key IOLAN Security Features | |
| SSL /TLS, SSH, HTTPS | Session data encryption using standard schemes such SSL and SSH are supported. Strong algorithms such as AES and 3DES are supported. |
| IPSEC VPN | Secure tunnels can be established between VPN peers such as Cisco routers, Windows and Vista IPSEC / L2TP clients. |
| TACACS+, RADIUS authentication and authorization | Unlike competitive serial terminal servers designed for substations, the IOLAN supports extensive authentication and authorization attributes for TACACS+ and RADIUS to enable complete centralized control of user access. |
| TACACS+, RADIUS accounting | Full support for TACACS+ and RADIUS accounting servers are available. |
| TACACS+, RADIUS alternate servers | To ensure full security, reliable access to AAA servers is required. IOLANs have the ability to access alternate AAA servers should the primary fail. |
| Firewall | IP address filter restricts port access to authorized IP addresses. |