CIP-003_Workbook_10152019

CIP-003-7 Supplemental Material

Reference Model 5 – User Authentication

This reference model demonstrates that Responsible Entities have flexibility in choosing electronic access controls so long as the security objective of the requirement is met. The Responsible Entity may choose to utilize a non-BES Cyber Asset, located at the asset containing the low impact BES Cyber System, that requires authentication for communication from the Cyber Asset(s) outside the asset.

This non-BES Cyber System performing the authentication permits only authenticated communication to connect to the low impact BES Cyber System(s), meeting the first half of the security objective: permit only necessary inbound electronic access. Additionally, the non-BES Cyber System performing authentication is configured such that it permits only necessary outbound communication, meeting the second half of the security objective. Often, the outbound communications would be controlled in this network architecture by permitting no communication to be initiated from the low impact BES Cyber System. This configuration may be beneficial when the only communication to a device is for user-initiated interactive access.
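The following is an added illustration, not part of the CIP-003-7 guidance or of any Responsible Entity's implementation. It models the decisions the non-BES Cyber Asset at the asset boundary has to make for the two halves of the security objective: inbound, only the authentication service is reachable from outside and the hop to the low impact BES Cyber System is permitted only when bound to a live authenticated session; outbound, the BES Cyber System may initiate only an explicit (by default empty) set of necessary flows. The zone names, port numbers, the user database, the password-based login and the sample connection attempts are all assumptions constructed for the example; a real deployment would put the equivalent rules in the gateway's firewall and access-control configuration.

```python
"""Policy model of a user-authentication gateway in the style of Reference Model 5.

Added example with constructed data; zone names, ports and credentials are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Zones of the reference model (names are assumptions for this example).
OUTSIDE = "outside"    # Cyber Asset(s) outside the asset, routable network
GATEWAY = "gateway"    # non-BES Cyber Asset performing electronic access control
LOW_BCS = "low_bcs"    # low impact BES Cyber System(s) inside the asset

PERMIT, DENY = "permit", "deny"


@dataclass(frozen=True)
class Flow:
    """A connection attempt as the gateway sees it: initiator, target, port and, for the
    gateway-to-BCS hop, the authenticated gateway session the hop is bound to (if any)."""
    src: str
    dst: str
    port: int
    session_id: str | None = None


@dataclass
class AuthGateway:
    auth_port: int = 22                                # the only inbound service exposed to OUTSIDE
    necessary_outbound: frozenset[int] = frozenset()   # ports the BCS may initiate; none by default
    _users: dict[str, tuple[bytes, bytes]] = field(default_factory=dict)   # name -> (salt, hash)
    _sessions: dict[str, str] = field(default_factory=dict)                # session id -> name

    @staticmethod
    def _kdf(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[name] = (salt, self._kdf(password, salt))

    def authenticate(self, name: str, password: str) -> str | None:
        """Return a fresh session id on success, None otherwise.  Unknown users still pay the
        KDF cost and the digest compare is constant-time, so failures look alike."""
        salt, expected = self._users.get(name, (b"\0" * 16, b""))
        digest = self._kdf(password, salt)
        if name not in self._users or not hmac.compare_digest(digest, expected):
            return None
        sid = os.urandom(8).hex()
        self._sessions[sid] = name
        return sid

    def logout(self, sid: str) -> None:
        # Once the interactive session ends, nothing may be forwarded on its behalf.
        self._sessions.pop(sid, None)

    def decide(self, flow: Flow) -> str:
        # Inbound half: from outside, only the gateway's authentication service is reachable.
        if flow.src == OUTSIDE:
            return PERMIT if (flow.dst == GATEWAY and flow.port == self.auth_port) else DENY
        # The hop from the gateway to the BCS exists only for a live authenticated session.
        if flow.src == GATEWAY and flow.dst == LOW_BCS:
            return PERMIT if flow.session_id in self._sessions else DENY
        # Outbound half: the BCS initiates only explicitly necessary traffic (none by default).
        if flow.src == LOW_BCS:
            return PERMIT if flow.port in self.necessary_outbound else DENY
        return DENY


def walk_through() -> list[tuple[str, str]]:
    """Constructed sequence of connection attempts and the gateway's decision for each."""
    gw = AuthGateway()
    gw.add_user("operator", "constructed-example-password")          # constructed credential
    sid = gw.authenticate("operator", "constructed-example-password")
    results = [
        ("outside->gateway:22 (login)", gw.decide(Flow(OUTSIDE, GATEWAY, 22))),
        ("outside->bcs:502 direct", gw.decide(Flow(OUTSIDE, LOW_BCS, 502))),
        ("gateway->bcs:502 bound to session", gw.decide(Flow(GATEWAY, LOW_BCS, 502, sid))),
        ("gateway->bcs:502 no session", gw.decide(Flow(GATEWAY, LOW_BCS, 502))),
        ("bcs->outside:443 initiated by BCS", gw.decide(Flow(LOW_BCS, OUTSIDE, 443))),
    ]
    gw.logout(sid)
    results.append(("gateway->bcs:502 after logout", gw.decide(Flow(GATEWAY, LOW_BCS, 502, sid))))
    return results


if __name__ == "__main__":
    for label, decision in walk_through():
        print(f"{label:40s} {decision}")
```

The point the model makes explicit is that authenticating the inbound user is only half of the control: the gateway must also refuse anything the low impact BES Cyber System initiates, and must drop the forwarded path as soon as the interactive session ends. Where a site genuinely needs BCS-initiated traffic, it is listed in `necessary_outbound` rather than opened by default.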

[Figure: Reference Model 5. Diagram of the asset containing low impact BES Cyber System(s). Routable communications entering or leaving the asset terminate at a non-BES Cyber System (the Cyber Asset(s) performing electronic access controls). Between that non-BES Cyber System and the low impact BES Cyber System the diagram shows a serial non-routable protocol, with non-routable and routable protocol variants labelled. The path labelled "Communication between a low impact BES Cyber System and a Cyber Asset outside the asset" runs through the non-BES Cyber System.]

