Implements NERC CIP compliance controls for Bulk Electric System (BES) cyber systems including asset classification (CIP-002), security perimeters (CIP-005), and 2025 updates like remote MFA. Includes Python categorization tool. Useful for power grid audits.
- 注册实体必须实现或维护BES网络系统的NERC CIP合规性
Implements NERC CIP compliance controls for BES cyber systems, covering asset categorization (CIP-002), security perimeters (CIP-005), config management (CIP-010), and 2025 MFA/low-impact updates.
Implements NERC CIP compliance controls for BES cyber systems, covering asset categorization (CIP-002), security perimeters (CIP-005), system management (CIP-007), and 2025 MFA updates. For audits and asset compliance.
Performs cybersecurity assessments on power grid infrastructure: NERC CIP compliance verification, IEC 61850 protocol analysis, substation automation security, PMU networks, and threats like Industroyer/CrashOverride.
不适用于非BES工业系统(参见implementing-iec-62443-security-zones)、通用IT合规框架(参见auditing-cloud-with-cis-benchmarks),或无网络安全组件的变电站物理安全。
根据对大型电力系统可靠运行的影响,识别并分类所有BES网络系统。
#!/usr/bin/env python3
"""NERC CIP BES网络系统分类工具。
实施CIP-002-5.1a分类标准,将
BES网络系统分类为高、中或低影响。
"""
import json
import sys
from dataclasses import dataclass, field, asdict
from datetime import datetime
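@dataclass
class BESCyberSystem:
    """One BES Cyber System, as the input record for CIP-002 categorization.

    ``impact_rating`` and ``categorization_basis`` are left empty by the
    caller and filled in by the categorizer.  Construction validates the
    enumerated fields so that a typo such as ``"Control_Center"`` raises
    immediately instead of silently falling through every criterion to a
    low-impact rating (an under-categorized system would be missing the
    CIP-005/007/010 controls it is required to have).
    """

    # Allowed values for the enumerated fields; checked in __post_init__.
    # (Plain class attributes without annotations are not dataclass fields.)
    ASSET_TYPES = frozenset({"control_center", "generation", "transmission", "distribution"})
    IMPACT_RATINGS = frozenset({"high", "medium", "low"})

    system_id: str
    name: str
    description: str
    location: str
    asset_type: str                  # one of ASSET_TYPES
    connected_mw: float = 0          # aggregate generation (MW); 0 when not applicable
    transmission_kv: float = 0       # operating voltage (kV); 0 when not applicable
    is_control_center: bool = False
    is_backup_control_center: bool = False
    has_cranking_path: bool = False
    has_blackstart: bool = False
    is_sps_ras: bool = False         # Special Protection System / Remedial Action Scheme
    impact_rating: str = ""          # "" until categorized, then one of IMPACT_RATINGS
    categorization_basis: str = ""   # Attachment 1 criterion text, set by the categorizer
    cyber_assets: list = field(default_factory=list)  # member BES Cyber Assets; only len() is used here

    def __post_init__(self) -> None:
        """Reject values outside the documented enumerations and ranges.

        Raises:
            ValueError: on an unknown ``asset_type``, a non-empty
                ``impact_rating`` other than high/medium/low, or a negative
                MW/kV figure.
        """
        if self.asset_type not in self.ASSET_TYPES:
            raise ValueError(
                f"{self.system_id}: unknown asset_type {self.asset_type!r}; "
                f"expected one of {sorted(self.ASSET_TYPES)}"
            )
        if self.impact_rating and self.impact_rating not in self.IMPACT_RATINGS:
            raise ValueError(
                f"{self.system_id}: impact_rating must be empty or one of "
                f"{sorted(self.IMPACT_RATINGS)}, got {self.impact_rating!r}"
            )
        if self.connected_mw < 0 or self.transmission_kv < 0:
            raise ValueError(
                f"{self.system_id}: connected_mw and transmission_kv must be >= 0"
            )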
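class CIP002Categorizer:
    """Rate BES Cyber Systems high/medium/low per CIP-002-5.1a Attachment 1.

    The rules are a simplified reading of Attachment 1 driven by the flags on
    ``BESCyberSystem``.  They are tried in priority order (high, then medium,
    then low) and the first matching criterion wins.  The ``categorization_basis``
    strings are emitted as audit evidence, so the criterion numbers they cite
    must match the standard; two that did not (500 kV, Blackstart/Cranking
    Path) are corrected below and one remaining doubt is flagged inline.
    """

    def __init__(self) -> None:
        self.systems: list["BESCyberSystem"] = []
        # Timezone-aware timestamp: naive local time is ambiguous evidence
        # once reports from several sites/regions are compared.
        self.categorization_date = datetime.now().astimezone().isoformat()

    def add_system(self, system: "BESCyberSystem") -> None:
        """Queue *system* for categorization."""
        self.systems.append(system)

    def categorize_all(self) -> None:
        """Apply the Attachment 1 criteria to every queued system, in place."""
        for system in self.systems:
            self._categorize_system(system)

    def _categorize_system(self, system: "BESCyberSystem") -> None:
        """Set ``impact_rating`` and ``categorization_basis`` on *system*.

        (The parameter used to be called ``sys``, which shadowed the imported
        ``sys`` module inside this method.)
        """
        system.impact_rating, system.categorization_basis = self._match_criterion(system)

    @staticmethod
    def _match_criterion(system: "BESCyberSystem") -> tuple[str, str]:
        """Return ``(impact_rating, categorization_basis)`` for *system*.

        Criteria are evaluated top-down; the first one that matches decides.
        """
        # --- High impact (Attachment 1, criteria 1.x) ---
        if system.is_control_center and system.asset_type == "control_center":
            # Control Center performing RC/BA/TOP functional obligations.
            return "high", "CIP-002 附件1 标准1.1: 执行RC/BA/TOP职能的控制中心"
        if system.is_backup_control_center and system.asset_type == "control_center":
            return "high", "CIP-002 附件1 标准1.2: 执行RC/BA/TOP职能的备用控制中心"
        if system.connected_mw >= 3000:
            # NOTE(review): Attachment 1 attaches the 3000 MW threshold to
            # Control Centers performing BA/GOP functions (criteria 1.2/1.4);
            # a generating plant of that size is itself medium under 2.1.
            # Behaviour kept as-is pending confirmation of the intended mapping.
            return "high", (
                f"CIP-002 附件1 标准1.3: 发电量 >= 3000 MW "
                f"(实际: {system.connected_mw} MW)"
            )

        # --- Medium impact (Attachment 1, criteria 2.x) ---
        if system.connected_mw >= 1500 and system.asset_type == "generation":
            return "medium", (
                f"CIP-002 附件1 标准2.1: 发电量 >= 1500 MW "
                f"(实际: {system.connected_mw} MW)"
            )
        if system.transmission_kv >= 500:
            # Transmission Facilities operated at 500 kV or higher are
            # criterion 2.4 (2.5 is the 200-499 kV weighted-aggregate test).
            return "medium", (
                f"CIP-002 附件1 标准2.4: 输电 >= 500 kV "
                f"(实际: {system.transmission_kv} kV)"
            )
        if system.is_sps_ras:
            # Criterion 2.9 applies only to SPS/RAS whose loss/misuse would
            # cause IROL violations; other SPS are low (3.5).  The single flag
            # cannot tell these apart, so set it only for the 2.9 case.
            return "medium", "CIP-002 附件1 标准2.9: SPS/RAS组件"
        if system.is_control_center and system.asset_type == "generation":
            return "medium", "CIP-002 附件1 标准2.11: 中影响发电的发电控制中心"

        # --- Low impact (Attachment 1, criteria 3.x) ---
        # Blackstart Resources and Cranking Paths are explicitly low impact
        # (criterion 3.4); they were previously rated medium citing 2.6/2.7,
        # which are the IROL-derivation and Nuclear Plant Interface criteria.
        if system.has_cranking_path:
            return "low", "CIP-002 附件1 标准3.4: 启动路径元素"
        if system.has_blackstart:
            return "low", "CIP-002 附件1 标准3.4: 黑启动资源"
        return "low", "CIP-002 附件1 标准3: 不满足高或中影响标准的BES网络系统"

    def generate_report(self) -> str:
        """Return a plain-text summary: counts per rating, then each system
        listed under its rating with location, type, basis and asset count."""
        by_rating = {
            label: [s for s in self.systems if s.impact_rating == rating]
            for label, rating in (("高", "high"), ("中", "medium"), ("低", "low"))
        }
        lines = [
            "=" * 70,
            "NERC CIP-002-5.1a BES网络系统分类",
            f"日期: {self.categorization_date}",
            "=" * 70,
            f"\nBES网络系统总数: {len(self.systems)}",
            f" 高影响: {len(by_rating['高'])}",
            f" 中影响: {len(by_rating['中'])}",
            f" 低影响: {len(by_rating['低'])}",
        ]
        for label, systems in by_rating.items():
            if not systems:
                continue
            lines.append(f"\n--- {label}影响系统 ---")
            for s in systems:
                lines.append(f" [{s.system_id}] {s.name}")
                lines.append(f" 位置: {s.location}")
                lines.append(f" 类型: {s.asset_type}")
                lines.append(f" 分类依据: {s.categorization_basis}")
                lines.append(f" 网络资产: {len(s.cyber_assets)}")
        return "\n".join(lines)

    def export_json(self, output_file) -> None:
        """Write the categorization (date, standard, all systems) to *output_file*
        as JSON compliance evidence.  Overwrites any existing file."""
        data = {
            "categorization_date": self.categorization_date,
            "standard": "CIP-002-5.1a",
            "systems": [asdict(s) for s in self.systems],
        }
        # Explicit encoding so the evidence file does not depend on the
        # platform default locale.
        with open(output_file, "w", encoding="utf-8") as f:
            json.dump(data, f, indent=2)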
if __name__ == "__main__":
    # Demo run: one control-centre EMS, one generation SCADA and one
    # substation RTU, categorized and printed as a report.
    categorizer = CIP002Categorizer()
    sample_systems = [
        BESCyberSystem(
            system_id="BCS-001",
            name="主能量控制中心EMS",
            description="用于BA运营的能量管理系统",
            location="Alpha控制中心",
            asset_type="control_center",
            is_control_center=True,
        ),
        BESCyberSystem(
            system_id="BCS-002",
            name="风电场SCADA",
            description="500MW风力发电设施的SCADA",
            location="Delta风电场",
            asset_type="generation",
            connected_mw=500,
        ),
        BESCyberSystem(
            system_id="BCS-003",
            name="Alpha变电站RTU",
            description="345kV输电变电站",
            location="Alpha变电站",
            asset_type="transmission",
            transmission_kv=345,
        ),
    ]
    for bes_system in sample_systems:
        categorizer.add_system(bes_system)
    categorizer.categorize_all()
    print(categorizer.generate_report())
在以可路由协议联网的高影响和中影响BES网络系统周围定义并强制执行电子安全边界(ESP),在所有边界穿越点设置电子访问点(EAP),并以默认拒绝为基线记录每条入站/出站许可及其理由。
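# Electronic Security Perimeter - firewall configuration
# CIP-005-7 R1: Electronic Security Perimeter
# ESP boundary for the control-center EMS (high impact); every BES Cyber
# Asset inside the ESP sits behind this device (Palo Alto PA-3260).
#
# CIP-005-7 R1.3: explicit, justified inbound AND outbound permissions,
# deny everything else by default.  Every permit below carries the
# CIP-Audit-Log log-setting so the log stream is the evidence of what
# actually crossed the EAP (the original NTP and remote-access rules
# were unlogged).

# Inbound rules - tightly restrict what may enter the ESP
# Allow ICCP (Inter-Control Center Communications Protocol) from the neighbouring BA.
# NOTE(review): the source zone is Corporate-Zone; ICCP from another BA
# normally terminates on a dedicated inter-utility zone - confirm zone naming.
set rulebase security rules ICCP-Inbound from Corporate-Zone to ESP-Zone
set rulebase security rules ICCP-Inbound source 192.168.100.10
set rulebase security rules ICCP-Inbound destination 10.20.1.50
set rulebase security rules ICCP-Inbound application iccp
set rulebase security rules ICCP-Inbound service application-default
set rulebase security rules ICCP-Inbound action allow
set rulebase security rules ICCP-Inbound log-setting CIP-Audit-Log

# Allow NTP for time synchronisation (consistent timestamps across the
# CIP-007 R4 security-event logs).
# NOTE(review): NTP sessions are initiated by the client.  If the hosts inside
# the ESP are the clients of 192.168.100.1, the session is ESP -> Corporate and
# needs an explicit outbound permit instead of this inbound one - confirm.
set rulebase security rules NTP-Inbound from Corporate-Zone to ESP-Zone
set rulebase security rules NTP-Inbound source 192.168.100.1
set rulebase security rules NTP-Inbound destination 10.20.1.1
set rulebase security rules NTP-Inbound application ntp
set rulebase security rules NTP-Inbound service application-default
set rulebase security rules NTP-Inbound action allow
set rulebase security rules NTP-Inbound log-setting CIP-Audit-Log

# CIP-005-7 R2: Interactive Remote Access management
# R2.1: every Interactive Remote Access session terminates on an Intermediate
# System (jump host in the DMZ); nothing outside the ESP reaches a BES Cyber
# Asset directly.
# R2.3: multi-factor authentication for all Interactive Remote Access sessions.
# NOTE(review): the original note cited "R2.4 (2025 update)"; MFA for
# Interactive Remote Access has been CIP-005 R2.3 since CIP-005-5 - confirm
# which 2025 change was meant before citing it in evidence.
set rulebase security rules RemoteAccess from External to DMZ-Zone
set rulebase security rules RemoteAccess destination 172.16.1.10
set rulebase security rules RemoteAccess application ssl-vpn
set rulebase security rules RemoteAccess action allow
set rulebase security rules RemoteAccess log-setting CIP-Audit-Log
# MFA is enforced on the Intermediate System (jump host) itself.
# NOTE(review): the permit from the jump host (DMZ-Zone, 172.16.1.10) into
# ESP-Zone is not shown; without an explicit, documented rule the default
# deny below blocks it, and that rule must be restricted to the jump host's
# address and the exact management applications (R1.3 justification).

# Default-deny everything else - in BOTH directions - and log the denies.
# R1.3 covers outbound permissions too; the inbound-only deny in the original
# left ESP-originated traffic to the platform's implicit interzone behaviour,
# with no logged evidence.
set rulebase security rules ESP-Default-Deny from any to ESP-Zone
set rulebase security rules ESP-Default-Deny action deny
set rulebase security rules ESP-Default-Deny log-setting CIP-Audit-Log
set rulebase security rules ESP-Outbound-Default-Deny from ESP-Zone to any
set rulebase security rules ESP-Outbound-Default-Deny action deny
set rulebase security rules ESP-Outbound-Default-Deny log-setting CIP-Audit-Log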
为BES网络资产配置安全控制,包括端口和服务管理、安全补丁管理、恶意代码预防、安全事件监控和系统访问控制(CIP-007-6 R1至R5)。
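# CIP-007-6 implementation checklist.
# Each R* entry pairs the requirement text with an implementation note.
# The embedded PowerShell/shell snippets are starting points: test them on
# a non-production BES Cyber Asset before applying them in production.
cip_007_controls:
  R1_ports_services:
    description: "端口和服务管理"
    requirements:
      - "禁用或限制所有不必要的物理端口(USB、串口)"
      - "禁用所有不必要的逻辑端口和服务"
      - "记录所有启用的端口/服务及业务理由"
    implementation:
      windows_servers: |
        # 禁用Windows BES网络资产上的不必要服务
        # Stop the services too: "Disabled" only takes effect at the next start.
        Stop-Service -Name "RemoteRegistry","WinRM","Spooler" -Force -ErrorAction SilentlyContinue
        Set-Service -Name "RemoteRegistry" -StartupType Disabled
        Set-Service -Name "WinRM" -StartupType Disabled
        Set-Service -Name "Spooler" -StartupType Disabled
        # 通过组策略禁用USB存储
        # 计算机配置 > 管理模板 > 系统 > 可移动存储访问
      linux_servers: |
        # 禁用不必要的服务
        # --now stops the running units as well as disabling them.
        systemctl disable --now cups bluetooth avahi-daemon
        systemctl mask cups bluetooth avahi-daemon
        # 禁用USB存储
        # "blacklist" only prevents automatic loading by alias; a manual
        # "modprobe usb-storage" or a dependent module still loads it.
        # "install ... /bin/false" makes the module effectively un-loadable.
        echo "install usb-storage /bin/false" > /etc/modprobe.d/disable-usb.conf
  R2_security_patches:
    description: "安全补丁管理"
    requirements:
      - "跟踪所有BES网络系统的安全补丁"
      - "在可用后35天内评估补丁"            # R2.2: 35 calendar days from availability
      - "应用补丁或记录缓解计划"            # R2.3: within 35 calendar days of the evaluation
      - "在生产前于非生产环境测试补丁"
    implementation:
      tracking: "Windows使用WSUS/SCCM;Linux使用yum/dnf"
      testing: "维护镜像生产环境的预演环境"
      evidence: "在合规追踪系统中记录补丁评估"
  R3_malicious_code:
    description: "恶意代码预防"
    requirements:
      - "在所有适用的BES网络资产上部署反恶意软件"
      - "更新签名或使用应用程序白名单"
      - "缓解来自临时网络资产的威胁"
    implementation:
      servers: "CrowdStrike Falcon或Carbon Black,使用OT优化策略"   # product name corrected
      hmi_stations: "应用程序白名单(Carbon Black App Control)"
      transient_devices: "连接到BCA之前扫描所有可移动介质"
  R4_security_event_monitoring:
    description: "安全事件监控"
    requirements:
      - "记录所有高/中影响BCS上的安全事件"
      - "对检测到的安全事件生成告警"
      - "日志至少保留90天(CIP-007-6 R4.3)"
      - "至少每15天审查一次日志"            # R4.4: every 15 calendar days
    implementation:
      siem: "Splunk Enterprise Security配合CIP内容包"
      log_sources:
        - "ESP边界防火墙日志"
        - "EAP认证日志"
        - "BES网络资产认证成功/失败"
        - "远程访问会话日志"
        - "恶意代码检测事件"
      retention: "在线保存90天,归档3年"
  R5_system_access:
    description: "系统访问控制"
    requirements:
      - "对所有交互访问强制执行认证"
      - "实施最小权限访问控制"
      - "更改默认密码"
      - "强制执行密码复杂度(CIP-007-6 R5.5)"
      - "限制登录失败尝试次数"
    implementation:
      password_policy:
        # R5.5.1 floor is 8 characters (or the asset's maximum); treat this
        # as the minimum, not the target, where the asset supports more.
        min_length: 8
        complexity: "大小写混合 + 数字 + 特殊字符"
        max_age_days: 365        # within the R5.6 ceiling of 15 calendar months
        lockout_threshold: 5     # R5.7: limit attempts or alert on a threshold
        lockout_duration_minutes: 30
      shared_accounts: "记录所有共享/服务账户及授权"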
| 术语 | 定义 |
|---|---|
| BES网络系统(BES Cyber System) | 为大型电力系统执行可靠性功能的一个或多个BES网络资产的集合 |
| 电子安全边界(ESP) | 围绕BES网络系统以可路由协议连接的网络的逻辑边界,所有进出流量必须经过电子访问点 |
| 电子访问点(EAP) | ESP边界上控制进出ESP流量的接口 |
| 中间系统(Intermediate System) | 用于远程访问的系统,防止直接连接到BES网络资产(跳板服务器) |
| 临时网络资产(Transient Cyber Asset) | 直接连接到BES网络系统、ESP内网络或PCA的时间为连续30个日历天或更短的网络资产(如维护用笔记本电脑);USB驱动器等存储介质属于单独定义的"可移动介质(Removable Media)" |
| NERC术语表 | CIP标准中使用的官方定义;合规需要精确术语 |
NERC CIP合规评估报告
=======================================
实体: [注册实体名称]
日期: YYYY-MM-DD
标准: CIP-002至CIP-014
BES网络系统分类:
高影响: [N] 个系统
中影响: [N] 个系统
低影响: [N] 个系统
各标准合规状态:
CIP-002: [合规/部分合规/不合规]
CIP-005: [状态] - 已识别 [N] 个差距
CIP-007: [状态] - 已识别 [N] 个差距
CIP-010: [状态] - 已识别 [N] 个差距
CIP-013: [状态] - 已识别 [N] 个差距