Implements NERC CIP compliance controls for Bulk Electric System (BES) cyber systems including asset classification (CIP-002), security perimeters (CIP-005), and 2025 updates like remote MFA. Includes Python categorization tool. Useful for power grid audits.
- 注册实体必须实现或维护BES网络系统的NERC CIP合规性
不适用于非BES工业系统(参见implementing-iec-62443-security-zones)、通用IT合规框架(参见auditing-cloud-with-cis-benchmarks),或无网络安全组件的变电站物理安全。
根据对大型电力系统可靠运行的影响,识别并分类所有BES网络系统。
#!/usr/bin/env python3
"""NERC CIP BES网络系统分类工具。
实施CIP-002-5.1a分类标准,将
BES网络系统分类为高、中或低影响。
"""
import json
import sys
from dataclasses import dataclass, field, asdict
from datetime import datetime
@dataclass
class BESCyberSystem:
    """One BES Cyber System as it is fed into CIP-002 categorization.

    The first five fields identify the system; the numeric and boolean
    fields are the facts the Attachment 1 criteria are tested against;
    ``impact_rating`` / ``categorization_basis`` are empty until a
    categorizer fills them in.
    """

    # --- identity ---------------------------------------------------------
    system_id: str
    name: str
    description: str
    location: str
    # One of: control_center, generation, transmission, distribution
    asset_type: str

    # --- facts used by the Attachment 1 criteria --------------------------
    connected_mw: float = 0          # aggregate generation, MW
    transmission_kv: float = 0       # highest transmission voltage, kV
    is_control_center: bool = False
    is_backup_control_center: bool = False
    has_cranking_path: bool = False
    has_blackstart: bool = False
    is_sps_ras: bool = False         # Special Protection System / Remedial Action Scheme

    # --- filled in by the categorizer ------------------------------------
    impact_rating: str = ""          # "high", "medium" or "low"
    categorization_basis: str = ""   # which Attachment 1 criterion matched

    # Per-instance list (default_factory) so systems never share one list.
    # Element type is not fixed here; the report only counts entries.
    cyber_assets: list = field(default_factory=list)
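class CIP002Categorizer:
    """NERC CIP-002-5.1a BES Cyber System categorization engine.

    Systems are registered with ``add_system``, rated with
    ``categorize_all``, and the result is rendered as text
    (``generate_report``) or written as JSON evidence (``export_json``).
    """

    def __init__(self):
        # Registered BESCyberSystem instances, in insertion order.
        self.systems = []
        # Stamped on every report/export.  datetime.now() is naive local
        # time; NOTE(review): audit evidence is easier to correlate across
        # sites with a timezone-aware timestamp — confirm the reporting
        # convention before changing the format.
        self.categorization_date = datetime.now().isoformat()

    def add_system(self, system: BESCyberSystem):
        """Register *system* for categorization."""
        self.systems.append(system)

    def categorize_all(self):
        """Apply the CIP-002 Attachment 1 criteria to every registered system."""
        for system in self.systems:
            self._categorize_system(system)

    def _categorize_system(self, system):
        """Set ``impact_rating`` and ``categorization_basis`` per Attachment 1.

        Criteria are tested in order (high first, then medium); the first
        match wins, and a system matching none is rated low.  The parameter
        is named ``system`` (not ``sys``) so the ``sys`` module imported at
        the top of the file is not shadowed.
        """
        # High-impact criteria (CIP-002 Attachment 1, Criterion 1)
        if system.is_control_center and system.asset_type == "control_center":
            # Control center performing RC / BA / TOP functions
            system.impact_rating = "high"
            system.categorization_basis = (
                "CIP-002 附件1 标准1.1: 执行RC/BA/TOP职能的控制中心"
            )
            return
        if system.is_backup_control_center and system.asset_type == "control_center":
            system.impact_rating = "high"
            system.categorization_basis = (
                "CIP-002 附件1 标准1.2: 执行RC/BA/TOP职能的备用控制中心"
            )
            return
        # NOTE(review): unlike criterion 2.1 below, this check does not
        # restrict asset_type, so any asset with connected_mw >= 3000 is
        # rated high — confirm that is the intended reading of 1.3.
        if system.connected_mw >= 3000:
            system.impact_rating = "high"
            system.categorization_basis = (
                f"CIP-002 附件1 标准1.3: 发电量 >= 3000 MW "
                f"(实际: {system.connected_mw} MW)"
            )
            return

        # Medium-impact criteria (CIP-002 Attachment 1, Criterion 2)
        if system.connected_mw >= 1500 and system.asset_type == "generation":
            system.impact_rating = "medium"
            system.categorization_basis = (
                f"CIP-002 附件1 标准2.1: 发电量 >= 1500 MW "
                f"(实际: {system.connected_mw} MW)"
            )
            return
        if system.transmission_kv >= 500:
            system.impact_rating = "medium"
            system.categorization_basis = (
                f"CIP-002 附件1 标准2.5: 输电 >= 500 kV "
                f"(实际: {system.transmission_kv} kV)"
            )
            return
        if system.has_cranking_path:
            system.impact_rating = "medium"
            system.categorization_basis = (
                "CIP-002 附件1 标准2.6: 启动路径元素"
            )
            return
        if system.has_blackstart:
            system.impact_rating = "medium"
            system.categorization_basis = (
                "CIP-002 附件1 标准2.7: 黑启动资源"
            )
            return
        if system.is_sps_ras:
            system.impact_rating = "medium"
            system.categorization_basis = (
                "CIP-002 附件1 标准2.9: SPS/RAS组件"
            )
            return
        if system.is_control_center and system.asset_type == "generation":
            system.impact_rating = "medium"
            system.categorization_basis = (
                "CIP-002 附件1 标准2.11: 中影响发电的发电控制中心"
            )
            return

        # Low impact - every other BES Cyber System (Criterion 3)
        system.impact_rating = "low"
        system.categorization_basis = (
            "CIP-002 附件1 标准3: 不满足高或中影响标准的BES网络系统"
        )

    def generate_report(self):
        """Return the CIP-002 categorization report as a multi-line string.

        Systems that have not been categorized yet (empty or unknown
        ``impact_rating``) are counted separately so the per-impact counts
        always reconcile with the total; the line is omitted when there
        are none.
        """
        high = [s for s in self.systems if s.impact_rating == "high"]
        medium = [s for s in self.systems if s.impact_rating == "medium"]
        low = [s for s in self.systems if s.impact_rating == "low"]
        uncategorized = [
            s for s in self.systems
            if s.impact_rating not in ("high", "medium", "low")
        ]

        report = []
        report.append("=" * 70)
        report.append("NERC CIP-002-5.1a BES网络系统分类")
        report.append(f"日期: {self.categorization_date}")
        report.append("=" * 70)
        report.append(f"\nBES网络系统总数: {len(self.systems)}")
        report.append(f" 高影响: {len(high)}")
        report.append(f" 中影响: {len(medium)}")
        report.append(f" 低影响: {len(low)}")
        if uncategorized:
            # Surfaced rather than silently dropped: a report that omits
            # systems is not usable as compliance evidence.
            report.append(f" 未分类: {len(uncategorized)}")

        for category, systems in [("高", high), ("中", medium), ("低", low)]:
            if not systems:
                continue
            report.append(f"\n--- {category}影响系统 ---")
            for s in systems:
                report.append(f" [{s.system_id}] {s.name}")
                report.append(f" 位置: {s.location}")
                report.append(f" 类型: {s.asset_type}")
                report.append(f" 分类依据: {s.categorization_basis}")
                report.append(f" 网络资产: {len(s.cyber_assets)}")
        return "\n".join(report)

    def export_json(self, output_file):
        """Write the categorization to *output_file* as JSON compliance evidence.

        Every registered system is serialized with ``dataclasses.asdict``,
        so ``cyber_assets`` entries must themselves be JSON-serializable.
        """
        data = {
            "categorization_date": self.categorization_date,
            "standard": "CIP-002-5.1a",
            "systems": [asdict(s) for s in self.systems],
        }
        # Explicit encoding so the evidence file is identical on every
        # platform instead of depending on the locale default.
        with open(output_file, "w", encoding="utf-8") as f:
            json.dump(data, f, indent=2)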
if __name__ == "__main__":
    # Sample BES Cyber Systems: one control center, one generation site,
    # one transmission substation, so each branch of the report is shown.
    samples = [
        dict(
            system_id="BCS-001", name="主能量控制中心EMS",
            description="用于BA运营的能量管理系统",
            location="Alpha控制中心", asset_type="control_center",
            is_control_center=True,
        ),
        dict(
            system_id="BCS-002", name="风电场SCADA",
            description="500MW风力发电设施的SCADA",
            location="Delta风电场", asset_type="generation",
            connected_mw=500,
        ),
        dict(
            system_id="BCS-003", name="Alpha变电站RTU",
            description="345kV输电变电站",
            location="Alpha变电站", asset_type="transmission",
            transmission_kv=345,
        ),
    ]

    categorizer = CIP002Categorizer()
    for spec in samples:
        categorizer.add_system(BESCyberSystem(**spec))
    categorizer.categorize_all()
    print(categorizer.generate_report())
在高影响和中影响BES网络系统周围定义并强制执行电子安全边界(ESP),在所有边界穿越点设置电子访问点(EAP)。
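# Electronic Security Perimeter - firewall configuration
# CIP-005-7 R1: Electronic Security Perimeter
# Defines the ESP boundary for the control-center EMS (high impact)
# All BES Cyber Assets sit inside the ESP boundary
# Palo Alto PA-3260 - ESP boundary firewall
# Inbound rules - strictly limit what may enter the ESP
# CIP-005-7 R1.3: every inbound/outbound permission is documented.  Each
# allow rule below also carries log-setting CIP-Audit-Log so the permitted
# traffic is evidenced in the audit log, not only in the rulebase.
# Allow ICCP (Inter-Control Center Communications Protocol) from the neighbouring BA
set rulebase security rules ICCP-Inbound from Corporate-Zone to ESP-Zone
set rulebase security rules ICCP-Inbound source 192.168.100.10
set rulebase security rules ICCP-Inbound destination 10.20.1.50
set rulebase security rules ICCP-Inbound application iccp
set rulebase security rules ICCP-Inbound service application-default
set rulebase security rules ICCP-Inbound action allow
set rulebase security rules ICCP-Inbound log-setting CIP-Audit-Log
# Allow NTP for time synchronisation (CIP-007 R5.7)
set rulebase security rules NTP-Inbound from Corporate-Zone to ESP-Zone
set rulebase security rules NTP-Inbound source 192.168.100.1
set rulebase security rules NTP-Inbound destination 10.20.1.1
set rulebase security rules NTP-Inbound application ntp
set rulebase security rules NTP-Inbound action allow
set rulebase security rules NTP-Inbound log-setting CIP-Audit-Log
# CIP-005-7 R2: Interactive Remote Access management
# Every remote access session terminates on an Intermediate System
# CIP-005-7 R2.4: multi-factor authentication required (2025 update)
# This rule only reaches the Intermediate System in DMZ-Zone; the separate,
# tightly scoped rule from that host into ESP-Zone is not part of this excerpt.
# No source restriction is set here (Internet-facing VPN) - confirm that is intended.
set rulebase security rules RemoteAccess from External to DMZ-Zone
set rulebase security rules RemoteAccess destination 172.16.1.10
set rulebase security rules RemoteAccess application ssl-vpn
set rulebase security rules RemoteAccess action allow
set rulebase security rules RemoteAccess log-setting CIP-Audit-Log
# MFA is enforced on the Intermediate System (jump host)
# Deny all other traffic by default
set rulebase security rules ESP-Default-Deny from any to ESP-Zone
set rulebase security rules ESP-Default-Deny action deny
set rulebase security rules ESP-Default-Deny log-setting CIP-Audit-Log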
为BES网络资产配置安全控制,包括端口管理、安全补丁、恶意代码预防和安全事件监控。
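# CIP-007-6 implementation checklist
# One entry per requirement (R1..R5): the requirement text, the controls it
# demands, and how this entity implements them.  The block scalars under
# `implementation` are the commands as run on the assets.
cip_007_controls:
  R1_ports_services:
    description: "端口和服务管理"
    requirements:
      - "禁用或限制所有不必要的物理端口(USB、串口)"
      - "禁用所有不必要的逻辑端口和服务"
      - "记录所有启用的端口/服务及业务理由"
    implementation:
      windows_servers: |
        # 禁用Windows BES网络资产上的不必要服务
        Set-Service -Name "RemoteRegistry" -StartupType Disabled
        Set-Service -Name "WinRM" -StartupType Disabled
        Set-Service -Name "Spooler" -StartupType Disabled
        # 通过组策略禁用USB存储
        # 计算机配置 > 管理模板 > 系统 > 可移动存储访问
      linux_servers: |
        # 禁用不必要的服务
        systemctl disable cups bluetooth avahi-daemon
        systemctl mask cups bluetooth avahi-daemon
        # 禁用USB存储
        echo "blacklist usb-storage" > /etc/modprobe.d/disable-usb.conf
        # blacklist only stops automatic loading; the install override also
        # refuses an explicit modprobe, which is what the R1 control needs
        echo "install usb-storage /bin/false" >> /etc/modprobe.d/disable-usb.conf
  R2_security_patches:
    description: "安全补丁管理"
    requirements:
      - "跟踪所有BES网络系统的安全补丁"
      - "在可用后35天内评估补丁"
      - "应用补丁或记录缓解计划"
      - "在生产前于非生产环境测试补丁"
    implementation:
      tracking: "Windows使用WSUS/SCCM;Linux使用yum/dnf"
      testing: "维护镜像生产环境的预演环境"
      evidence: "在合规追踪系统中记录补丁评估"
  R3_malicious_code:
    description: "恶意代码预防"
    requirements:
      - "在所有适用的BES网络资产上部署反恶意软件"
      - "更新签名或使用应用程序白名单"
      - "缓解来自临时网络资产的威胁"
    implementation:
      servers: "CrowdFalcon或Carbon Black,使用OT优化策略"
      hmi_stations: "应用程序白名单(Carbon Black App Control)"
      transient_devices: "连接到BCA之前扫描所有可移动介质"
  R4_security_event_monitoring:
    description: "安全事件监控"
    requirements:
      - "记录所有高/中影响BCS上的安全事件"
      - "对检测到的安全事件生成告警"
      - "日志至少保留90天(CIP-007-6 R4.3)"
      - "至少每15天审查一次日志"
    implementation:
      siem: "Splunk Enterprise Security配合CIP内容包"
      # Each source below corresponds to an access path documented under CIP-005
      log_sources:
        - "ESP边界防火墙日志"
        - "EAP认证日志"
        - "BES网络资产认证成功/失败"
        - "远程访问会话日志"
        - "恶意代码检测事件"
      retention: "在线保存90天,归档3年"
  R5_system_access:
    description: "系统访问控制"
    requirements:
      - "对所有交互访问强制执行认证"
      - "实施最小权限访问控制"
      - "更改默认密码"
      - "强制执行密码复杂度(CIP-007-6 R5.5)"
      - "限制登录失败尝试次数"
    implementation:
      # min_length 8 is the R5.5 floor; raise it wherever the asset supports
      # longer passwords.  lockout_* values implement the failed-attempt limit.
      password_policy:
        min_length: 8
        complexity: "大小写混合 + 数字 + 特殊字符"
        max_age_days: 365
        lockout_threshold: 5
        lockout_duration_minutes: 30
      shared_accounts: "记录所有共享/服务账户及授权"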
| 术语 | 定义 |
|---|---|
| BES网络系统(BES Cyber System) | 为大型电力系统执行可靠性功能的一个或多个BES网络资产的集合 |
| 电子安全边界(ESP) | 包含BES网络系统的网络逻辑边界,所有流量通过电子访问点流入流出 |
| 电子访问点(EAP) | ESP边界上控制进出ESP流量的接口 |
| 中间系统(Intermediate System) | 用于远程访问的系统,防止直接连接到BES网络资产(跳板服务器) |
| 临时网络资产(Transient Cyber Asset) | 连续日历天数少于30天直接连接到BES网络系统的设备(笔记本电脑、USB驱动器) |
| NERC术语表 | CIP标准中使用的官方定义;合规需要精确术语 |
NERC CIP合规评估报告
=======================================
实体: [注册实体名称]
日期: YYYY-MM-DD
标准: CIP-002至CIP-014
BES网络系统分类:
高影响: [N] 个系统
中影响: [N] 个系统
低影响: [N] 个系统
各标准合规状态:
CIP-002: [合规/部分合规/不合规]
CIP-005: [状态] - 已识别 [N] 个差距
CIP-007: [状态] - 已识别 [N] 个差距
CIP-010: [状态] - 已识别 [N] 个差距
CIP-013: [状态] - 已识别 [N] 个差距