CIP-003-7 Supplemental Material
Reference Model 2 – Network-based Inbound & Outbound Access Permissions

The Responsible Entity may choose to use a security device that permits only necessary inbound and outbound electronic access to the low impact BES Cyber System(s) within the asset containing the low impact BES Cyber System(s). In this example, two low impact BES Cyber Systems are accessed using the routable protocol that is entering or leaving the asset containing the low impact BES Cyber System(s). The IP/Serial converter is continuing the same communications session from the Cyber Asset(s) that are outside the asset to the low impact BES Cyber System(s). The security device provides the electronic access controls to permit only necessary inbound and outbound routable protocol access to the low impact BES Cyber System(s).

When permitting the inbound and outbound electronic access permissions using access control lists, the Responsible Entity could restrict communication(s) using source and destination addresses or ranges of addresses. Responsible Entities could also restrict communication(s) using ports or services based on the capability of the electronic access control, the low impact BES Cyber System(s), or the application(s).
[Figure: Reference Model 2. Diagram elements: routable communications entering or leaving the asset containing low impact BES Cyber System(s); Cyber Asset(s) providing electronic access controls; Network; two low impact BES Cyber Systems; IP/Serial Converter; Serial Non-routable Protocol; Asset containing low impact BES Cyber System(s). Legend: communication between a low impact BES Cyber System and a Cyber Asset outside the asset; Routable Protocol; Non-routable Protocol.]
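The access control list approach described for Reference Model 2, sketched as an added example that is not part of CIP-003-7 or any vendor's product: a default-deny rule set keyed on direction, source and destination address ranges, protocol and port, plus a check for rules whose ranges are wider than a documented need would suggest. All addresses, ports, rule reasons and function names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound" or "outbound", relative to the asset boundary
    src: str        # source address or range, CIDR notation
    dst: str        # destination address or range, CIDR notation
    proto: str      # "tcp" or "udp"
    port: int       # destination port
    reason: str     # documented need for the access

# Constructed rule set. Addresses are RFC 5737 documentation ranges; hosts and
# ports are assumptions for illustration, not values from CIP-003-7.
RULES = [
    Rule("inbound", "192.0.2.10/32", "198.51.100.20/32", "tcp", 20000,
         "control center polls low impact BES Cyber System"),
    Rule("inbound", "192.0.2.10/32", "198.51.100.30/32", "tcp", 20000,
         "control center polls serial device via IP/Serial converter"),
    Rule("outbound", "198.51.100.20/32", "192.0.2.50/32", "udp", 514,
         "syslog to central collector"),
]

def evaluate(rules, direction, src, dst, proto, port):
    """Return 'permit' only if a rule matches every field; otherwise 'deny'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.direction == direction and r.proto == proto and r.port == port
                and s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)):
            return "permit"
    return "deny"  # default deny in both directions

def overly_broad(rules, max_addresses=256):
    """List rules whose source or destination range exceeds max_addresses."""
    return [r for r in rules
            if max(ipaddress.ip_network(r.src).num_addresses,
                   ipaddress.ip_network(r.dst).num_addresses) > max_addresses]

if __name__ == "__main__":
    flows = [  # constructed test flows
        ("inbound", "192.0.2.10", "198.51.100.20", "tcp", 20000),
        ("inbound", "192.0.2.99", "198.51.100.20", "tcp", 20000),
        ("outbound", "198.51.100.20", "203.0.113.5", "tcp", 443),
    ]
    for f in flows:
        print(f, "->", evaluate(RULES, *f))
    print("broad rules:", overly_broad(RULES))
```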