
Qualys Appliances inside the Electronic Security Perimeter and NERC CIP Standards

Question asked by bmathis on Mar 4, 2013
Latest reply on Mar 8, 2013 by bmathis

I have a couple questions in regards to NERC-CIP environments...

 

With NERC-CIP, everything that is connected 'inside' the Electronic Security Perimeter is considered a Cyber Asset.

 

Q1.  CIP-007-3 R5.3.2 requires the use of 'special characters' in the password.  However, the QualysGuard portal can only enforce minimum length and the use of alpha and numeric passwords.  Even though the portal is 'technically' not inside the ESP, the appliance is.  Without an enhancement to QualysGuard's password enforcement parameters, how are the rest of you addressing this with the NERC-CIP auditors?

 

Q2.  CIP-007-3 R4 requires the use of antivirus/antimalware prevention on Cyber Assets.  Since the Qualys appliance does not run AV, how are the rest of you addressing this with the NERC-CIP auditors?

 

Any comments / suggestions are welcome.

 

Thanks,

Brad
