NERC CIP Comparison Guide - ID vs. Passive

NERC CIP Comparison Guide: Industrial Defender vs. Passive-Only Solutions

1 | Mapping Guide iDefender, LLC © 2022


KEY: Full support for compliance; Partial support for compliance; No support for compliance

| Regulation | CIP Critical Infrastructure Protection | Does Industrial Defender enable compliance? | Can Passive-Only vendors support compliance? |
| --- | --- | --- | --- |
| NERC-CIP 002-5.1a | BES Cyber System Categorization | YES - R1 & R2 - Industrial Defender’s automated asset management system provides the most complete and detailed asset inventory. This is especially pertinent to this requirement when integrating with OT and IT systems like relay databases, study systems, and CMDBs. | Partial - They can automatically identify devices, but must manually document categorization levels. |
| NERC-CIP 003-8 | Security Management Controls | Yes - Through integrations with GRC or Document Management Systems, Industrial Defender can determine the true state of your cybersecurity policy documents. Documentation is critical, but it is more important to compare the documents with the reality of your OT cybersecurity settings. | No |
| NERC-CIP 004-6 | Personnel & Training | YES - R2, R5 - Industrial Defender can collect ALL of your OT accounts and their configurations and link that information with your IAM system. | Partial - Passive solutions cannot detect/identify all local or Active Directory accounts in the plant. Passive can only detect accounts that are actively communicating on the network. |
| NERC-CIP 005-6 | Electronic Security Perimeter(s) | YES - R1 - Industrial Defender can collect and monitor changes to all firewall rules over time as well as serial to IP gateway communications. | Partial - This requires both active and passive solutions. Passive solutions will not ‘see’ all of the firewall rules, for example. |
| NERC-CIP 006-6 | Physical Security of BES Cyber Systems | No - N/A | No - N/A |
| NERC-CIP 007-6 | System Security Management | YES - R1, R2, R4, R5, R5.1, R5.2 - Industrial Defender can collect ALL user accounts and their configurations, even ones that have not been logged into for a long time. You can also link this to your IAM governance solution on the IT side. | Partial - Passive solutions cannot detect unused user accounts that are not actively on the network. Configurations of these accounts are also not picked up for any user accounts (or changes to the accounts). |
| NERC-CIP 008-6 | Incident Reporting and Response Planning | Yes - Industrial Defender can automatically collect logs across all assets into a centralized location. This includes network traffic. This data can be collected automatically at a regularly scheduled interval over time. | Partial - Passive solutions can collect network traffic that they have visibility into. They cannot collect log files from endpoint assets. |
| NERC-CIP 009-6 | Recovery Plans for BES Cyber Systems | No | No |
| NERC-CIP 010-3 | Configuration Change Management & Vulnerability Assessments | YES - R5.1 - Industrial Defender automates the collection of very detailed configurations and data for accurate reporting over time. This allows for baseline comparisons of configurations against a gold standard. | Partial - The passive solutions’ data collection process does allow comparisons; however, the depth of these data collections is not sufficient to survive a NERC CIP audit without significant additional work. |
| NERC-CIP 011-2 | Information Protection | Yes - Deep Packet Inspection will provide new communications as well as other network-based anomalies. | Yes - Deep Packet Inspection will provide new communications as well as other network-based anomalies. |
| NERC-CIP 013-1 | Supply Chain Risk Management | Partial - Industrial Defender can detect network activity that should not be occurring from your supply chain. If activity occurs outside of what has been defined as ‘acceptable’, a prioritized alert will occur. The Industrial Defender vulnerability detection capability looks at individual executable code for vulnerabilities, not just the holistic ‘application’ that is listed in the add/remove programs section of the registry. One binary in an application could have a significant vulnerability. You need this granularity when looking for vulnerabilities. | Partial - Passive solutions can monitor unusual network traffic coming from other partner vendors. Passive solutions can’t get to the individual file level, though, when it comes to vulnerability detections. They can look at what process is talking over the network and sometimes determine the version of that process, but that is not sufficient for a full vulnerability assessment. |
| NERC-CIP 014-2 | Physical Security | No | No |
