The diversity of devices and their geographical locations are significant parts of the challenge in securing configuration ports for utilities. Many of these devices do not allow or support the installation of a local software agent to help logically secure them, and virtually no software agents can effectively manage the actual configuration ports themselves. Because of this, most control devices are secured only through physical security (locks, gates, walls, doors).
To secure configuration ports effectively while meeting NERC-CIP requirements, access to all configuration ports must be controlled, and all activity over these ports must be automatically logged to provide a forensic record of this activity. Both access control and activity logging are requirements.
These physical ports provide a special level of privileged access that can be used to:
- Change configuration
- Upgrade firmware or BIOS
- Build out devices that have components (like servers)
- Perform a variety of administrative functions
- Perform emergency repair or failure recovery when no other port is accessible