Flow-based StealthWatch for NERC Compliance

Lancope's StealthWatch System is the leading flow-based security, network and application performance monitoring solution. Delivering visibility across physical and virtual networks, StealthWatch eliminates network blind spots and provides unparalleled levels of accountability and measurability to enable organizations to achieve and maintain compliance.

The North American Electric Reliability Corporation (NERC) has developed mandatory Critical Infrastructure Protection (CIP) Cyber Security Standards to protect the Critical Cyber Assets that control or affect the reliability of North American bulk electric systems. The standards are approved by the Federal Energy Regulatory Commission (FERC), and compliance with them is mandatory for all organizations involved with the country’s bulk electrical network. Providing continuous network monitoring, StealthWatch helps utilities demonstrate network-wide compliance for the following sections of NERC CIP:

NERC CIP Standard 005, Requirement 2.2 & NERC CIP Standard 007, Requirement 2

StealthWatch helps by:

  • monitoring and profiling all services and ports in use on the network
  • confirming which ports and services are necessary for normal business
  • highlighting those ports and services that may have been overlooked
  • profiling and optionally blocking unnecessary ports and services
  • verifying firewall policy configurations by quickly identifying traffic that's out of compliance
  • optionally mitigating violations to firewall configuration policy


NERC CIP Standard 007, Requirement 4

StealthWatch helps by:

  • detecting compromised hosts based on how each host behaves, regardless of signature availability. When traditional IDS/IPS fails, StealthWatch fills the gap to detect zero-day attacks that bypass perimeter defenses, including walk-in worms and internal misuse and abuse.
    • This also meets PNM requirement 2.1.1


NERC CIP Standard 007, Requirement 5

StealthWatch helps by:

  • determining when user accounts are active and what they did during this activity
  • tying the offending IP address to the actual person using that IP, enabling much quicker resolution of both network and security issues
  • alarming on unauthorized access conditions where hosts access disallowed hosts or utilize disallowed services


NERC CIP Standard 007, Requirement 6-6.3

StealthWatch helps by:

  • monitoring all host and network activity, collecting and correlating external events from third-party devices with relevant hosts and users
  • alarming on conditions related to security incidents, including not only malicious activity but also suspicious activity such as unauthorized access and out-of-profile conditions
    • This also meets PNM requirement 2.1.14