During audit engagements that cover the identification of Electronic Access Points (EAPs) and the inbound and outbound access permissions applied to them, MRO has observed an opportunity to clarify how the compliance team monitors this requirement.
The NERC Glossary of Terms[1] defines an EAP as “A Cyber Asset interface on an Electronic Security Perimeter that allows routable communications between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter.” The key word in the definition is interface: the EAP is a specific interface, not the whole Cyber Asset as it was under version three of Reliability Standard CIP-005.
This matters because, for the standard’s applicable systems (EAPs for High and Medium Impact BES Cyber Systems), only the identified interface(s) need to be reviewed for inbound and outbound access permissions for CIP compliance purposes. If the whole firewall is identified as the EAP, MRO staff reviews all of its inbound and outbound access permissions. Note that, because of how NP-View functions, MRO will still request the full configuration files of the network devices involved.
CIP-005-7 R1 Part 1.3 requires that both inbound and outbound access permissions are applied; its applicable systems are the EAPs for High and Medium Impact BES Cyber Systems. One common scenario seen in CMEP activities is that multiple EAPs are identified, with one EAP handling the inbound access permissions and another handling the outbound access permissions. Under the standard language, this could result in non-compliance, because inbound and outbound access permissions are not both applied on the same EAP interface.
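The following Python check illustrates the per-interface review described above: it reads a device configuration, maps each interface to the access list bound in each direction, and reports any identified EAP interface that lacks an inbound or an outbound access permission. This is an added example written for this article, not MRO’s or NP-View’s own tooling; the configuration text is constructed, the `ip access-group <acl> in|out` syntax is an assumed IOS-style convention, and the list of EAP interfaces stands in for the entity’s own CIP-005 EAP identification.

```python
"""Flag identified EAP interfaces that do not have BOTH an inbound and an
outbound access list bound (the CIP-005-7 R1 Part 1.3 expectation).

Everything below is constructed for illustration: the config text, the
IOS-style "ip access-group <acl> in|out" syntax (assumed), and the list
of EAP interfaces that stands in for the entity's EAP identification."""
import re
from typing import Dict, List, Optional

INTERFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
ACCESS_GROUP_RE = re.compile(r"^\s+ip access-group\s+(\S+)\s+(in|out)\s*$")

# Constructed sample configuration (not from any real device).
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description EAP into ESP-A, inbound and outbound both applied
 ip access-group ESP_A_IN in
 ip access-group ESP_A_OUT out
!
interface GigabitEthernet0/2
 description EAP into ESP-B, inbound rules only
 ip access-group ESP_B_IN in
!
interface GigabitEthernet0/3
 description non-EAP corporate interface
 ip access-group CORP_OUT out
!
"""

# Constructed EAP identification list; GigabitEthernet0/4 is deliberately
# absent from the config to show how an unconfigured EAP is reported.
EAP_INTERFACES = ["GigabitEthernet0/1", "GigabitEthernet0/2", "GigabitEthernet0/4"]


def parse_access_groups(config_text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each interface stanza to the ACL bound per direction (None if unbound)."""
    bindings: Dict[str, Dict[str, Optional[str]]] = {}
    current: Optional[str] = None
    for line in config_text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            bindings[current] = {"in": None, "out": None}
            continue
        if not line.startswith((" ", "\t")):
            # A top-level line such as "!" ends the current interface stanza.
            current = None
            continue
        m = ACCESS_GROUP_RE.match(line)
        if m and current is not None:
            acl, direction = m.groups()
            bindings[current][direction] = acl
    return bindings


def check_eap_access_permissions(config_text: str,
                                 eap_interfaces: List[str]) -> Dict[str, List[str]]:
    """Return {interface: [missing directions]} for identified EAP interfaces
    lacking an inbound or outbound access list. An empty dict means no gaps.
    Only the identified interfaces are examined, mirroring the interface-level
    scope of the EAP definition."""
    bindings = parse_access_groups(config_text)
    gaps: Dict[str, List[str]] = {}
    for iface in eap_interfaces:
        bound = bindings.get(iface, {"in": None, "out": None})
        missing = [d for d in ("in", "out") if bound[d] is None]
        if missing:
            gaps[iface] = missing
    return gaps


if __name__ == "__main__":
    for iface, missing in check_eap_access_permissions(SAMPLE_CONFIG, EAP_INTERFACES).items():
        print(f"{iface}: missing {', '.join(missing)} access permission(s)")
```

Run against the constructed input, the check reports GigabitEthernet0/2 as missing its outbound access list and GigabitEthernet0/4 as missing both, while the non-EAP interface GigabitEthernet0/3 is ignored. The scenario in the text, where one EAP carries only inbound rules and a second EAP carries only outbound rules, would surface as two separate findings, one per interface.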
[1] https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf
– Jess Syring, Compliance Monitoring Manager, CIP