
Complying with:

The NERC-CIP Standards

Claroty simplifies compliance with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) requirements, empowering organizations to drive resilience across their critical operations and infrastructure.


What is NERC-CIP?

NERC-CIP standards and regulations were developed to ensure the security and reliability of Bulk Power Systems (BES). The CIP standards provide a cybersecurity framework for identifying and securing critical assets that impact the supply of electricity in the United States, several provinces in Canada, and one state in Mexico.

What are NERC-CIP Requirements?

The fundamental requirements utilities must follow under NERC-CIP are to identify critical assets, create control mechanisms, enforce logical and physical security of their systems, and recover any affected assets following a cybersecurity incident.

Who Does NERC-CIP Impact?

These standards require North American critical infrastructure entities, including owners, operators, and users of any part of the electric power industry to adhere to a baseline set of cybersecurity measures.

How is NERC-CIP Enforced?

The enforcement of NERC-CIP standards involves audits, assessments, and compliance reviews conducted by NERC’s compliance monitoring and enforcement program. Failure to comply with these standards may result in monetary fines, sanctions, or other actions.

How Claroty Supports NERC-CIP Compliance

Claroty’s cyber-physical systems (CPS) cybersecurity portfolio both supports and simplifies NERC-CIP compliance by extending robust protection, monitoring, and other cyber risk management controls to all CPS — including the processes and networks that underpin the BES. Alignment between the Claroty portfolio and NERC-CIP spans the latest CIP requirements. Specifics include:

Claroty CTD and Claroty xDome can automatically identify all assets and identify configuration parameters about those assets (e.g. model number, firmware version, configuration, etc.).

Claroty CTD and xDome can assist security programs to classify assets and support the management of risk reduction capabilities, while Claroty xDome Secure Access can support remote access capabilities to reduce risk and mitigate access concerns.

Claroty’s solutions assist with the design and verification of networks by identifying and mapping all assets communicating on control networks. This information is used to construct network diagrams identifying all external routable communication paths and access points.

Claroty xDome Secure Access prevents a device that initiates a connection from directly accessing a protected asset. It ensures that only the authorized user on the originating device has access and provides encryption between originating devices and the remote access server, amongst other robust remote access capabilities. Claroty CTD and xDome support SAML for the identity provider (IdP) of choice for multi-factor authentication (MFA)/IdP integrations.

Claroty xDome Secure Access provides active monitoring of all active vendor remote access sessions and the ability to disconnect any session at any time.

Claroty CTD and xDome can automatically identify all perimeter communication in and out of the BES, and can automatically identify critical communication flows and devices based on the classification engine. Claroty xDome Secure Access can control all access to and from BES systems, create the appropriate audit logs for who accessed what system, and enforce approval requirements.

Claroty CTD and xDome can automatically monitor all communication links in the environment, and can monitor the status of the communication links for communication failure or cyber attack, and alert appropriately. Both tools provide a straightforward way to demonstrate the existence of this monitoring and alerting.

Claroty CTD and xDome monitor for changes to BES systems and provide audit trails. Both products can also detect and monitor for malicious code. xDome Secure Access can enforce authentication and control remote access to OT systems.

CTD and xDome monitor network communications and identify ports on which devices are communicating. This insight can be used to identify necessary ports for this requirement, or as an additional control to identify misconfigured devices or potential security incidents.

Claroty CTD and xDome assist this requirement by identifying specific hardware and firmware versions for devices on networks they monitor. This provides an inventory that can be used to establish and track patch sources. 

Claroty simplifies patch management compliance by providing all necessary patches, including security patches, for its software and the underlying operating system platform.

Claroty CTD and xDome security fabrics can monitor all network traffic within a protected network. With their advanced deep packet inspection (DPI) capabilities and protocols, and their advanced machine learning algorithms, the products automatically whitelist legitimate baseline activities and alert on any changes or anomalies. These features provide a robust capability to detect malware activity occurring on the network.

Claroty CTD and xDome identify events within monitored assets, which can be reviewed as needed via management reports. The products can also be configured to capture and store network traffic to support after-the-fact investigations of security incidents. They provide real-time, actionable alerts on known and unknown threats, suspicious activity, failure of event logging, and changes that pose a risk, so organizations can protect their resources against threats on the ICS network, amongst other robust alerting capabilities.

Claroty CTD and xDome can detect unsuccessful login attempts passively throughout the ICS network with DPI. By using WMI, SNMP, and log collection, the products can detect unsuccessful login attempts, including password guessing, that occur locally to the asset. They provide alerting when the number of defined consecutive invalid access attempts is exceeded. This is an effective additional control for many devices and may be the only control available for some ICS devices.

Claroty CTD and xDome assist with the identification of potential Cyber Security Incidents via their many capabilities for monitoring, analyzing, and reporting on network communications and system activity, including the generation of alerts for suspicious, unauthorized, or known malicious activity. The tools support response to incidents by quickly and easily reporting on communications and actions taken within systems they monitor, providing insights to investigators.

Claroty CTD and xDome can identify the root cause of incidents that require a restoration process to occur, and will automatically preserve that data for later investigation. This will generate a record and alert on cyber incidents, to ensure the proper auditing capability.

Claroty CTD and xDome can identify, establish, and document a baseline of expected traffic, and generate alerts on changes against this baseline of activity. The products can do so by both active detection and passive monitoring.

Claroty CTD and xDome can identify and document baseline configurations for devices using both passive monitoring and active detection. The products document the configuration baseline of assets on the ICS network, amongst other functions, which supports answers to audit evidence requests during NERC-CIP audits.

Claroty CTD and xDome provide alerts when they detect that an asset has deviated from its documented, approved baseline. If unauthorized components are connected to the ICS network or unauthorized communications take place on the ICS network, both products create alerts for designated authorities.

Through passive and active monitoring and detection techniques, Claroty CTD and xDome obtain detailed knowledge of the configuration of networks, the devices on those networks, and the communications between those devices. This provides a rich set of information from which to conduct vulnerability assessments. The products can also generate a summarized Risk Assessment Report which provides a quick and easy overview of system security.

Claroty products can identify transient assets connected to the network via a variety of different methods and alert on these to identify anomalous or malicious traffic.

Claroty CTD and xDome can monitor traffic between control centers and specifically look for malicious or abnormal activity within that traffic.

Claroty CTD and xDome automatically identify vulnerabilities and show which assets are impacted by which vulnerabilities. Both products make it easy to reference in real time which assets have vendor disclosures.

Claroty Solutions that Align with NERC-CIP

Claroty xDome

Claroty xDome is a flexible SaaS platform purpose-built for all use cases & types of CPS on the entire industrial cybersecurity journey.

Claroty xDome Secure Access

Claroty xDome Secure Access delivers frictionless, reliable, secure access for internal and third-party OT personnel.

Claroty CTD

Claroty Continuous Threat Detection (CTD) offers robust, on-premises cybersecurity controls for industrial environments.
