Various North American Electric Reliability Corp. (NERC) critical infrastructure protection requirements are focused on TCP/IP ports and services. Specifically, the system owner is required to perform periodic assessments to ensure only those ports and services required for system operation are enabled. These assessments are typically performed with a network scanning tool such as Nmap or Nessus.

[Figure: portion of a CSM display]

Cyber Security Manager (CSM) is also useful to network support personnel as a tool for discovering misconfigurations and investigating suspected intrusion attempts. Even a small network can generate a huge volume of netflow data, far more than a network engineer can examine without specialized tools. In configuring CSM, a system administrator includes information about IP addresses and about ports and services:

  • IP addresses of all servers, clients and networking equipment that are part of the control system
  • Information about which clients are expected to communicate with which servers, including client and server ports and protocol

A connection from an unexpected server port would likely be declared a violation by a NERC auditor. Yet the details of such an instance typically would not cause an alarm to be issued, nor would they likely ever be of interest to a system operator. However, CSM can be part of a continuous security assessment and compliance regime, as well as a powerful tool for network support personnel investigating network misconfiguration and misuse.
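The following added example, which is not CSM code or its configuration format, shows the kind of check such a configuration makes possible: each flow record is compared against a declared host inventory and a list of expected client-to-server conversations. All addresses, host names, rules, and flow records are constructed for illustration.

```python
from collections import namedtuple

# One unidirectional flow record, as a netflow exporter would report it.
Flow = namedtuple("Flow", "src sport dst dport proto")

# Constructed inventory: every control-system host the administrator declared.
INVENTORY = {
    "10.10.1.10": "hmi-1",
    "10.10.1.11": "eng-ws",
    "10.10.2.20": "scada-srv",
    "10.10.2.21": "historian",
}

# Constructed rules: (client, server, server port, protocol).
EXPECTED = {
    ("10.10.1.10", "10.10.2.20", 502, "tcp"),
    ("10.10.1.11", "10.10.2.20", 22, "tcp"),
    ("10.10.2.20", "10.10.2.21", 1433, "tcp"),
}
EXPECTED_PAIRS = {frozenset((c, s)) for c, s, _, _ in EXPECTED}

def classify(f):
    """Label one flow record against the declared baseline."""
    if f.src not in INVENTORY or f.dst not in INVENTORY:
        return "unknown-host"
    # Flow records are one-way, so a reply (server -> client) must match too.
    request = (f.src, f.dst, f.dport, f.proto)
    reply = (f.dst, f.src, f.sport, f.proto)
    if request in EXPECTED or reply in EXPECTED:
        return "expected"
    if frozenset((f.src, f.dst)) in EXPECTED_PAIRS:
        return "unexpected-port"   # declared pair, undeclared service
    return "unexpected-pair"       # known hosts with no declared relationship

def audit(flows):
    """Return (flow, verdict) for every record that is not expected."""
    return [(f, v) for f in flows if (v := classify(f)) != "expected"]

# Constructed sample records, not real netflow output.
SAMPLE = [
    Flow("10.10.1.10", 49152, "10.10.2.20", 502, "tcp"),   # request
    Flow("10.10.2.20", 502, "10.10.1.10", 49152, "tcp"),   # its reply
    Flow("10.10.2.20", 8080, "10.10.1.10", 49153, "tcp"),  # odd server port
    Flow("10.10.1.11", 49200, "10.10.2.21", 1433, "tcp"),  # undeclared pair
    Flow("10.10.1.10", 49154, "192.0.2.44", 443, "tcp"),   # not in inventory
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE):
        print(verdict, flow)
```

Because replies are matched on source port alone, this check cannot tell which side initiated a conversation; a record format that carries TCP flags or flow direction would be needed for that.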