A defense-in-depth strategy is one that protects organizations from attacks that bypass the first layer of security controls. It is a well understood concept, and one that has been adopted by most organizations over the years. However, until recently, the North American Electric Reliability Corporation (NERC) presented a gap where regulation required securing the electronic security perimeter (ESP), but there were no further security controls beyond the network perimeter. If utilities followed NERC CIP, and then went no further, they would be exposed to attacks that bypassed that first layer of defense.

Upon direction from the Federal Energy Regulatory Commission (FERC), NERC has proposed a set of requirements for Internal Network Security Monitoring (INSM). INSM is designed to address those situations where the network perimeter has been breached, increasing the probability of detecting a compromise. By providing visibility within the critical network, entities can be warned that an attack is in process and action can be taken before the attack can propagate.

Identification of assets and their communication patterns

Cisco Cyber Vision, a deep packet inspection engine within Cisco industrial IoT network equipment, uncovers the smallest details of your grid infrastructure. It automatically builds a detailed inventory of all grid assets, including their communication patterns, vulnerabilities, rack slot configurations, vendor references, serial numbers, and more. By embedding the sensor within the network infrastructure, Cisco Cyber Vision offers comprehensive visibility, capturing data passively without the need for expensive additional appliances or SPAN cabling.

INSM calls for collection methods to provide security value to address the perceived risks the infrastructure faces. Cyber Vision applies a risk score to all devices and device groups discovered in the OT network. Using a combination of vulnerabilities, activities, and impact, risk scores provide a guidance of which devices should be addressed first when implementing risk-management measures.

Evaluating the network against an expected network communication baseline

Utility networks, especially the communication with an ESP, are usually quite static. By understanding what is normal for your network, you can more easily spot when something unusual happens. For example, if a device suddenly starts communicating using a different protocol, or has started to communicate with new devices, it might mean a bad actor has compromised the device.

To meet the requirements proposed by NERC, Cyber Vision data can be filtered and saved as a baseline, and any deviations from normal process behaviors will generate an alert. If the deviation was expected, an administrative user can acknowledge and make the new norm part of the baseline. However, if the change was unexpected, it can be reported and sent for further investigation.

Detecting anomalous activities within the ESP

NERC CIP 005-7, the requirements document for cybersecurity across the ESP, requires a mechanism for detecting known or suspected malicious communication for both inbound and outbound communications. Traditionally, this is accomplished by using an intrusion detection system (IDS) or intrusion prevention system (IPS) embedded in a boundary firewall.

With the introduction of INSM, this requirement has been extended for use within the ESP. Firewalls as a technology are listed, but will only capture data that crosses the device, leading to difficult architecture choices on where to deploy these boxes.

In addition to its capabilities to detect deviations from a baseline, Cyber Vision leverages Snort to detect malicious traffic within the operational network. Snort is the IDS engine used across the Cisco portfolio and supported by Talos, one of the world’s largest private threat intelligence organization and official developer of Snort signature files.

Talos, Cisco’s threat intelligence arm, continuously monitors the global threat landscape, identifies, and analyses new vulnerabilities, and provides real-time threat intelligence feeds that are tailored to OT systems. Not only does the Talos expertise provide threat intelligence for Cyber Vision, but they also have a team of people dedicated to help secure critical infrastructure. I recommend reading the blog by Joe Marshall – Helping to keep the lights on in Ukraine in the face of electronic warfare.

Cisco’s industrial IoT security solution

Cisco’s industrial IoT security solution provides organizations with a phased approach to securing their industrial networks. This approach involved building the foundation with good network design and secure components, using the network to gain visibility across the critical infrastructure, and then finally implementing policy back into the same network infrastructure for preventative and reactionary measures. INSM is one small piece of a larger security strategy, and Cisco provides the building blocks for securing the infrastructure across LAN, WAN, and Cloud.


To learn more about NERC-CIP and how Cisco can help you better secure your grid operations, check our white paper or ask for a one-on-one meeting with a Cisco expert.


Andrew McPhee

Industrial Security Solutions Manager

IoT Solutions