CIP-003_Workbook_10152019

CIP-003-7 Supplemental Material

Reference Model 3 – Centralized Network-based Inbound & Outbound Access Permissions

The Responsible Entity may choose to utilize a security device at a centralized location that may or may not be at another asset containing low impact BES Cyber System(s). The electronic access control(s) do not necessarily have to reside inside the asset containing the low impact BES Cyber System(s). A security device is in place at “Location X” to act as the electronic access control and permit only necessary inbound and outbound routable protocol access between the low impact BES Cyber System(s) and the Cyber Asset(s) outside each asset containing low impact BES Cyber System(s). Care should be taken that electronic access to or between each asset is through the Cyber Asset(s) determined by the Responsible Entity to be performing electronic access controls at the centralized location.

When permitting the inbound and outbound electronic access permissions using access control lists, the Responsible Entity could restrict communication(s) using source and destination addresses or ranges of addresses. Responsible Entities could also restrict communication(s) using ports or services based on the capability of the electronic access control, the low impact BES Cyber System(s), or the application(s).
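The following is an added illustration of the access-permission approach described above; it is not part of the CIP-003-7 supplemental material and is not any vendor's access control list syntax. It models a centralized, default-deny policy at "Location X" as a list of explicit inbound and outbound permits keyed on source and destination address ranges, protocol and port, then evaluates constructed sample flows against it and flags flows that never cross an asset boundary (and so are not subject to the centralized control). All addresses, ports and flows are constructed sample values, and the rule and flow structures are assumptions made for the example.

```python
"""Hypothetical evaluator for a centralized inbound/outbound access policy
in the style of Reference Model 3. Added example, not NERC or vendor code.
All networks, ports and flows below are constructed sample values."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    direction: str          # "inbound" or "outbound" relative to the low impact asset
    src: IPv4Network        # permitted source address or range
    dst: IPv4Network        # permitted destination address or range
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # destination port; None matches any port
    note: str = ""          # why this permit is necessary


@dataclass(frozen=True)
class Flow:
    direction: str
    src: str
    dst: str
    proto: str
    dport: int


# Constructed sample topology: two assets containing low impact BES Cyber
# Systems and a control-center network outside them.
ASSET_A = ip_network("10.10.1.0/24")
ASSET_B = ip_network("10.10.2.0/24")
LOW_IMPACT_ASSETS = [ASSET_A, ASSET_B]

# Explicit permits only; anything not matched is denied by evaluate().
POLICY = [
    Rule("inbound", ip_network("10.0.0.10/32"), ASSET_A, "tcp", 502, "SCADA master poll, Modbus/TCP"),
    Rule("inbound", ip_network("10.0.0.10/32"), ASSET_B, "tcp", 502, "SCADA master poll, Modbus/TCP"),
    Rule("outbound", ASSET_A, ip_network("10.0.0.20/32"), "udp", 123, "NTP to control-center time server"),
    Rule("outbound", ASSET_B, ip_network("10.0.0.20/32"), "udp", 123, "NTP to control-center time server"),
]


def matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when direction, both address ranges, protocol and port agree."""
    return (rule.direction == flow.direction
            and ip_address(flow.src) in rule.src
            and ip_address(flow.dst) in rule.dst
            and rule.proto in ("any", flow.proto)
            and rule.dport in (None, flow.dport))


def evaluate(policy, flow: Flow):
    """Return (decision, reason). Default deny: no matching permit means 'deny'."""
    for rule in policy:
        if matches(rule, flow):
            return "permit", rule.note
    return "deny", "no matching permit"


def crosses_boundary(flow: Flow, assets=LOW_IMPACT_ASSETS) -> bool:
    """True if the flow enters or leaves an asset containing low impact BES Cyber
    Systems, i.e. it must traverse the electronic access control at Location X."""
    src_in = any(ip_address(flow.src) in a for a in assets)
    dst_in = any(ip_address(flow.dst) in a for a in assets)
    return src_in != dst_in


def audit(policy, flows):
    """Evaluate observed flows. Flows that stay inside one asset are reported as
    'internal' because the centralized control never sees them."""
    results = {}
    for f in flows:
        if crosses_boundary(f):
            results[f] = evaluate(policy, f)
        else:
            results[f] = ("internal", "does not cross asset boundary")
    return results


# Constructed sample flows
SAMPLE_FLOWS = [
    Flow("inbound", "10.0.0.10", "10.10.1.5", "tcp", 502),    # necessary SCADA poll
    Flow("inbound", "10.0.0.10", "10.10.1.5", "tcp", 22),     # port not permitted
    Flow("inbound", "10.0.0.99", "10.10.2.5", "tcp", 502),    # source not permitted
    Flow("outbound", "10.10.2.7", "10.0.0.20", "udp", 123),   # necessary NTP
    Flow("outbound", "10.10.2.7", "10.0.0.20", "tcp", 443),   # no permit for this service
    Flow("inbound", "10.10.1.5", "10.10.1.9", "tcp", 502),    # stays inside asset A
]

if __name__ == "__main__":
    for flow, (decision, why) in audit(POLICY, SAMPLE_FLOWS).items():
        print(f"{flow.direction:8} {flow.src:>10} -> {flow.dst:<10} "
              f"{flow.proto}/{flow.dport}: {decision} ({why})")
```

The design point is that every permit names a reason, so the rule set documents which access the Responsible Entity judged necessary, and the default-deny fall-through catches anything not on that list; the boundary check separately shows which traffic a centralized device can and cannot govern.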

[Figure: Reference Model 3. Diagram labels: "Firewall, Router Access Control List, Gateway or Other Security Device (Cyber Asset(s) performing electronic access controls)" at "Location X"; "Network"; two "Asset containing low impact BES Cyber System(s)", each containing a "Low impact BES Cyber System" and a "Non BES Cyber System"; "Routable communications entering or leaving the asset containing low impact BES Cyber System(s)". Legend: "Communication between a low impact BES Cyber System and a Cyber Asset outside the asset"; "Non-routable Protocol"; "Routable Protocol".]

Page 38 of 57
