Lew Folkerth's most recent article addresses remote access, including compliance with CIP-005 R2.1 - R2.5 and with CIP-005 R1.3. Lew provides his usual mix of good compliance advice and good security advice. And he doesn't particularly try to separate the two, since he points out a number of ways in which good security practices aren't strictly required, but they will reduce your compliance risk as well as your security risk - e.g. by documenting that there is no Interactive Remote Access coming into your ESP that isn't coming through an Intermediate System.
As always, Lew's articles are worth reading, even if you don't have to comply with NERC CIP for Medium or High impact assets.
As always, Lew's articles are worth reading, even if you don't have to comply with NERC CIP for Medium or High impact assets.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep
in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP
issues or challenges like what is discussed in this post – especially on
compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for
your organization, remains open to NERC entities and vendors of hardware or
software components for BES Cyber Systems. To discuss this, you can email me at
the same address.
No comments:
Post a Comment