Please visit expo booth #22 to meet the team, learn about our computing solutions developed for the marine industry and pick-up a few freebies. Our solutions sales team, including Hutch Gray, Cort Geis and Gary Overstreet, will demonstrate computing solutions, including the IEC 60945 compliant GS Odyssey III, 6Com, 10Com, and the Fanless Rackmount computer.

ABOUT THE EVENT

The Dynamic Positioning conference is internationally recognized as the leading annual professional symposium covering the latest changes, developments and technology pertaining to dynamic positioning. Attracting an International audience of DP professionals, world-class experts present cutting-edge papers on the latest technology and developments associated with Dynamic Positioning, while DP manufacturers and service companies exhibit their products and services.

RESOURCES

Welcome back to Compliance 101!  Previous articles of this series dealt with the various regulatory requirements for Information Technology Equipment (ITE) in the United States and European Union.  This article will focus on the regulatory changes that have and will continue to occur in 2015 and those which will come into force in 2016.

What’s happening in 2015?
A number of regulatory changes pertaining to IT equipment have taken place so far in 2015, including (but not necessarily limited to) the following:

Looking Ahead to 2016

Among other changes scheduled for 2016, next year marks the end of transitional periods for a number of regulations, including (but not necessarily limited to):

 

How is FoxGuard preparing for all of these changes?

To keep up with the ever-changing world of regulatory compliance, FoxGuard Solutions conducts regular reviews of regional requirements and takes action as soon as any changes are noted.  Communication with regulatory agencies and other experts in the field are frequent, as we attempt to gather as much information as possible.  Planning and preparation is made not only to ensure compliance of our own products, but of the components we purchase from other suppliers and manufacturers, so our customers’ shipments can be made in a timely and fully compliant manner. 

Despite the many “gray” areas of technical regulations and the limited availability of information, the FoxGuard Solutions Regulatory Compliance Team scrutinizes every obstacle that arises and takes action to prevent recurrence of any delay experienced.  

Thank you for joining us again for Compliance 101.  If you have any questions concerning regulatory compliance as it pertains to your FoxGuard orders, please don’t hesitate to contact us.

Welcome back to Compliance 101!  Previous articles of this series dealt with the various regulatory requirements for Information Technology Equipment (ITE) in the United Stated.  Today, we will look at regulations for ITE in the European Union. 

 

 

 

 

 

 

Harmonised Standards

The European Union utilizes Harmonised Standards, which are developed, upon request from the European Commission, by a recognized European Standards Organization.  Current ESO’s include CEN, CENELEC, and ETSI. Upon adoption by the European Parliament and the Council of the European Union, Harmonised Standards are published in the Official Journal of the European Union, and, generally, the legislation is entered into force on the twentieth day thereafter.  Areas of standardization for ITE include electromagnetic compatibility (EMC), low voltage, radio and telecommunication terminal equipment, equipment for explosive atmospheres (ATEX), and restriction of the use of certain hazardous substances (RoHS).  Other areas of standardization that are applicable to ITE are electronic waste and recycling, energy efficiency and the Registration, Evaluation, Authorization and Restriction of Chemicals (REACH).  Below are summaries of just a few of these areas.

Electromagnetic Compatibility (EMC), Low Voltage (LV), and Telecom (RED)

 

 

 

 

 

On March 29, 2014, new Directives for EMC, Low Voltage, and Radio Equipment came into force.  Changes from the previous Directives (in force only for remainder of transition period) are mainly administrative, dealing with areas such as responsibilities of various parties, details of the CE marking and Declaration of Conformity, and multi-lingual nature of documents.  The directive recast was undertaken to align with the European Union New Legislative Framework (NLF).  The NLF was designed in 2008 to enhance traceability within the supply chain and credibility of the CE mark, as well as improving market surveillance.

* The RTTE Directive will no longer exist when 1999/5/EC expires.  RED covers the Radio Equipment portion of RTTE, and Telecom Terminal Equipment regulations are addressed in other Directives.

RoHS (Restriction of Hazardous Substances)

Directive 2011/65/EU prohibits placing on the EU market EEE (electrical and electronic equipment) that contains more than the regulated levels of six substances of very high concern:

Many established businesses spend several months building and perfecting new products in their pipeline without ever showing the product or its early prototype to prospective customers. When the products are eventually launched they fail to attract interest from the market. Upon post-mortem (pun-intended), it is often discovered that the market feedback was never incorporated while developing the product. 

On the other hand, lean start-ups do not invest a majority of their scarce resources to build the final product. Instead, they develop an early prototype with basic features and attributes. This prototype, popularly referred to as a minimal viable product (MVP) is presented to prospects and early adopters to garner feedback. Based on the market feedback, they refine the prototype, launch an improved version of the MVP and repeat the feedback process until the product closely meets the customer requirements. By using this process of build-measure-learn and leveraging the resultant validated learnings, the lean start-up uncovers the true market need and efficiently utilizes its scarce resources to build products that customers really want.

You Can’t Predict The Future

Most businesses operate in an ever-changing environment. Thus, investing time and effort on formulating detailed business plans with uncontrollable assumptions would not be the most efficient use of company resources. Unless building a spaceship to transport critical payload, established businesses should take a cue from lean start-ups who do not rely on a step-by-step plan. Instead, they formulate a milestone-based plan and adopt hypothesis driven experimentation and validated learnings for course correction until they reach those business milestones.

Don’t Collect Data For The Sake Of Collecting Data

We have all been guilty of this one. Spending hours gathering data from multiple sources and creating reports to share with our team – simply because that’s what everyone else does. However, if the data does not accurately reflect the key performance indicators (KPIs) of the business then the resulting intelligence may be meaningless and waste of company resources. For example, analyzing total impressions of company social media profiles may not be as critical as analyzing number of product demonstrations performed by sales associate against actual sales.

Step Outside The Cube - Talk To Your Customers

Even after investing resources on data collection, analysis and jaw-dropping dashboards - you still need to meet with customers to understand them and their pain points. Following up after customer complaints can not only reduce attrition rates, but can also be a source for product and process improvement. For example, your customers may share insights about new ways of using the product that the engineers may have overlooked. No matter how large or successful your company may be, it exists because of your customers.

Lean Management At FoxGuard Solutions

At FoxGuard, one of our core believes is creating value. In our daily operations, we minimize waste and create value by adapting many of the lean management practices. Our R&D teams take pride in rapid-prototyping and iterative development to create products that meet customer requirements. The Marketing team focuses its efforts around meaningful metrics and our Customer Support team pro-actively interacts with our customers for suggestions and feedback. 

Further Reading

Many books and best-practices have been professed about value-creating & waste eliminating lean management techniques that can be deployed at an organization, department and even at the product level. My thoughts in this article were influenced by the production philosophy pioneered by Taiichi Ohno, considered as the father of the Toyota’s lean production system, Eric Ries, consultant and author of The Lean Startup, and James Womack, management expert and co-author of Lean Thinking.

The UL Mark and OSHA
The UL Mark certification for ITE demonstrates compliance with standards of the Occupational Safety and Health Administration (OSHA) found in Title 29 of the Code of Federal Regulations (Labor), Part 1910 (Occupational Safety and Health Administration, Department of Labor), Subpart S (Electrical).  Subpart S is divided into four major divisions, including:

1. Design Safety Standards for Electrical Systems
2. Safety-Related Work Practices
3. Safety-Related Maintenance Requirements
4. Safety Requirements for Special Equipment

Passing Nationally Recognized Testing Laboratory Procedures
When an ITE product is designed, engineers take into consideration the requirements outlined in the “Design Safety Standards for Electrical Systems” division of the regulation. This ensures the product passes the test procedures that must be conducted by a Nationally Recognized Testing Laboratory (NRTL).  Testing is done to prove compliance in a number of areas, such as:

• Suitability for installation and use
• Mechanical strength and durability
• Wire-bending and connection space
• Electrical insulation
• Heating effects under all conditions of use
• Other factors that contribute to the safety of those using the equipment or working in the vicinity of where the equipment is housed

UL- The Mark of Safety
The U.S. safety certification is most commonly referred to as “UL” after Underwriters Laboratories, which is the world’s largest NRTL.  UL was founded in 1894 in the United States, and now has a presence in over 70 countries.  

There are a number of varieties of the UL Mark, depending on (1) whether or not the product was simultaneously tested for Canadian safety compliance, (2) which NRTL conducted the tests, and (3) whether the product is UL listed or UL recognized.

A product that is certified “UL listed” has been fully tested, while a product that is certified “UL recognized” has only had one or more component(s) of the product tested.  Component recognition marking is found on products such as switches, power supplies, and circuit boards. Listed and recognized products are both covered by UL’s follow-up services program, which monitors continued compliance with UL requirements.

Other NRTL’s have their own versions of the safety mark in a similar style to the UL mark.  Additionally, the UL Mark is not only a requirement for ITE within the United States, but it is often accepted in other regions, as it demonstrates compliance with international safety standards.  Some countries, such as Argentina and Brazil, have UL Marks specific to their countries.

To learn about UL safety standards, please visit http://ulstandards.ul.com/.

Testing for Safety
The FoxGuard 3U Industrial HMI was tested and approved under UL60950-1/CSA C22.2 No. 60950-1, Second Edition: Safety of Information Technology Equipment.  Tests performed included:

• Input
• Marking Durability
• Grounding Impedance
• Temperature
• Dielectric Voltage Withstand
• Abnormal Operation Tests
• Mechanical Tests

UL is only one of a number of Nationally Recognized Testing Laboratories; a current, comprehensive list can be found at https://www.osha.gov/dts/otpca/nrtl/nrtllist.html.   

Other Regulatory Compliance Categories 
In addition to Electromagnetic Compatibility and Safety, there are regulatory requirements in the areas of telecommunication equipment, hazardous substances, battery content and disposal, recycling of electronic waste, and other regulations pertaining to environmental conservation.  Many states have their own laws that cover some of these areas.  A few examples are California’s “Toxics in Packaging Prevention Act”, North Carolina’s “Discarded Computer Equipment Management”, and Illinois’ “Electronic Products Recycling and Reuse Act."

When FoxGuard Solutions reviews an order shipping within the United States, the end destination state is taken into consideration to ensure compliance with both national and state-specific regulations.

What’s Next?
In our next installment of Compliance 101, we will discuss new and existing regulations for shipping to the European Union.

Thanks for joining us for Compliance 101!  If you have questions regarding U.S. compliance regulations, please leave a comment below, and we’ll get back to you as soon as possible.

In the first part of this article, we discussed Electro Magnetic Compatibility (EMC) and the benefits of pre-compliance testing. In this installment, we will explore the equipment and procedures used to perform the tests, and the rationale used to evaluate the test results.

Test Equipment

• ​1Ghz Electro Magnetic Compatibility (EMC) Analyzer - The EMC analyzer is a spectrum analyzer that is programmed to perform measurements in accordance with FCC and CE standards. The formal tests require scans to be performed to 4Ghz to cover the high frequency CPU clocks. However, except for specific cases, pre-compliance testing above 1Ghz is unnecessary since CPU clock emissions rarely, if ever, escape the enclosure, and lower frequency I/O signals do not generate significant harmonics above the 1Ghz level. The analyzer also produces plots that can be printed out for results analysis.
• 22dB Broadband Pre Amplifier - This device connects the antenna and the analyzer to amplify detected signals for increased signal-to-noise ratio. The Broadband Pre Amplifier also makes the received signals easier to see on the analyzer display.
• Power Line Impedance Stabilization Network - More commonly referred to as a PLISN, this device allows the analyzer to detect emissions generated by the Equipment Under Test (EUT) that are conducted through the AC power cord. The PLISN normalizes the power line impedance to match the analyzer input impedance of 50 ohms for accurate signal level measurements.
• 30-300Mhz Bi-Conical Antenna - This antenna is known as the “bow tie” antenna due to its distinctive shape. It measures radiated emissions in the 30-300Mhz range and scans are performed with the antenna in both the horizontal and vertical orientations.
• 200Mhz-1Ghz Log-Periodic Antenna - Similar to TV antennas that used to be on house roofs many years ago. The frequency range is 200Mhz to 1Ghz and is also used in both the horizontal and vertical configurations.
• Low loss coax cable, coaxial attenuators, non-metallic EUT test table, antenna stands, HP pen plotter.

Test Environment and Procedure 
We conduct pre-compliance tests in a demarcated test space in the building. We use a 3m test distance between the antenna and the EUT, and at least 1m distance between the EUT test table and any facility obstruction.

We position the antenna at about the 4ft level and set the EUT on the test table so the rear I/O panel area with cables attached faces the antenna. This is an approximation of a formal test setup that spins the EUT on a turntable and uses a telescoping antenna stand, so it’s possible that something may be missed when testing at only one angle and one antenna height. However, experience has shown that if a significant radiated emission is present at frequencies below 1Ghz, it will be at the rear panel cable area and a single antenna position will pick it up. If emissions are likely above 1Ghz, more complex EUT and antenna positioning arrangements are required.

The testing procedure requires the running of ambient radiated emissions scans for each of the antennas, in both orientations, as well as a conducted emission scan on the PLISN. These ambient scans are performed with the EUT connected to power but de-energized. The ambient scans record signals, such as radio stations, that are present in the area and on the power line, but not generated by the EUT.

For the actual emissions scans, the EUT is powered on and a test routine, usually a burn-in program, is initiated to:

• generate moving patterns on the video display
• run the CPU at a high rate of utilization
• read and write data to disk or RAM drive
• loop-back signals through the I/O ports

The same scans that were run for the ambient tests are run again with the EUT operating and the results are recorded.

Test Analysis
The ambient and EUT scans for the PLISN and each antenna orientation are carefully compared to identify any additional signals found in the EUT scan (EUT related) that were not present in the ambient scan. Since the scans are performed in uncontrolled space (no screen room), reflections and other phenomena can reduce the absolute measurement accuracy of the system and some judgment calls concerning EUT related signal levels must be made. If a signal is well below the test limit as measured by the analyzer, it is recorded but ignored. When a signal gets to within 6dB of the test limit, some additional analysis is warranted.

When EUT related emissions that are “close” to the test limit are encountered, the first step is to shut the EUT down and perform another ambient scan with the same antenna configuration. If the signal is present on the new ambient scan, it is reclassified from “EUT related” to “Ambient” and ignored. If the signal is not seen on the new ambient scan, then more advanced EMC containment troubleshooting techniques can be employed.

This process is repeated until all EUT related emissions have been identified and eliminated or reduced to a point where risk of failure in the formal testing phase is minimized, thereby saving time and resources to achieve compliance.

What is the FCC?
The Federal Communications Commission (FCC) is the agency of the United States government that regulates interstate communications by radio, television, wire, satellite, and cable.  It is responsible for governing the interference potential of equipment which emits radio frequency energy.  The rules and regulations of the Federal Communications Commission are housed in Title 47 of the Code of Federal Regulations (CFR).

FCC Testing
Nearly every electronic device emits radio frequency signals, whether it be intentional, unintentional, or incidental. Many products that FoxGuard deals with are in scope of Part 15 of Title 47, which pertains to electromagnetic interference. Electronic devices with end destinations of the United States are required to undergo testing to ensure they comply with the technical requirements of the FCC concerning these emissions. The two types of tests performed are Conducted Emissions Limits and Radiated Emissions Limits. Depending on the type of device, emissions measurement testing can be done by the manufacturer, which then “verifies” its own equipment without any further approval by the FCC; or for equipment which includes special types of electronics, by a nationally recognized testing lab (NRTL).  

Similar certifications for electromagnetic compatibility (EMC) in other countries include RCM in Australia (formerly C-Tick), ICES-003 in Canada, CE in the European Union, KC in South Korea, and TIS in Thailand. To learn more about EMC testing, click here.

Unintentional Radiators
Subpart B of 47 CFR Part 15 concerns “unintentional radiators.”  Certain devices (such as computers and some peripherals) can create and discharge radio frequency signals even though it’s not the primary purpose of the device; these discharges are known as “spurious emissions.”  Unintentional radiators fall into one of two classes:

• Class A, for devices marketed for use in business / industrial / commercial environments
• Class B, for devices marketed for use in residential environments

Class A Devices
Class A devices are subject to authorization under “verification,” defined in Subpart J of Part 2, as the manufacturer takes steps to ensure equipment complies with appropriate technical standards.  The product must be labeled with the following: 

“This device complies with part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.”  

For example, FoxGuard’s new 3U Industrial HMI has been tested to the requirements of Title 47 CFR, Part 15 Subpart B for a Class A Digital Device, and includes this language on the product label.   While not a requirement for a Class A device, FoxGuard also provides a Declaration of Conformity when the HMI is sold for use within the United States.  This document assures customers of the quality and safety of our product.

Class B Devices
Class B devices, which are marketed primarily for residential use, are subject to authorization under a Declaration of Conformity and “certification,” and are required to bear the FCC mark.  Certification is defined as an equipment authorization issued by the Commission based on representations and test data submitted by the applicant. 

FoxGuard’s Dedicated Compliance Team
FoxGuard has a team dedicated to meeting the regulatory compliance needs of our customers, so don’t hesitate to contact us if you need further help with your compliance efforts.

Thanks for reading the first installment of our new regulatory compliance series. We hope it helped you to better understand compliance with the FCC. Still have questions about FCC compliance? If so, leave a comment below, and we’ll get back to you as soon as possible.

But did you know there are several different types of touch screens? The five most common types of touch screens are 5-wire resistive, surface capacitive, projected capacitive, surface zcoustic wave (SAW), and infrared.

5- Wire Resistive

5-wire resistive is the most commonly used touch technology today. A resistive touch screen is composed of a glass panel and film screen, each covered with a thin metallic layer that's separated by a narrow spacing. When a user touches the screen, the two metallic layers make contact, resulting in electric flow. The point of contact is detected by this change in voltage.

Advantages:

• Can be activated with virtually any object - finger, stylus, gloved hand, pen, etc.
• Has tactile feel
• Lowest cost touch technology
• Low power consumption
• Resistant to dust, oil, grease, moisture, and other liquids

Disadvantages:

• Lower image definition compared to other touch technologies
• Outer polyester film is vulnerable to damage from scratching, poking, and sharp objects

Surface Capacitive

Surface capacitive is the second most popular type of touch screen on the market. In a surface capacitive touch screen, a transparent electrode layer is placed on top of a glass panel and covered by a protective cover. When an exposed finger touches the screen, it reacts to the static electrical capacity of the human body. Some of the electrical charge transfers from the screen to the user. This decrease in capacitance within the screen is detected by sensors located at the four corners of the screen, allowing the controller to determine the touch point. Capacitive touch screens can only be activated by the touch of human skin or a stylus holding an electrical charge.

Advantages:

• Better image clarity than resistive touch screens
• Durable screen
• Excellent resistance to surface contaminants and liquids- dust, oil, grease, water droplets
• High scratch resistance

Disadvantages:

• Requires bare finger or capacitive stylus for activation
• Sensitivity to Electro-Magnetic Interference (EMI)/Radio Frequency Interference (RFI)

Projected Capacitive

Projected capacitive is similar to surface capacitive, but offers two primary advantages. In addition to a bare finger, it can also be activated with surgical gloves or thin cotton gloves. It also enables multi-touch activation (simultaneous input from two fingers). A projected capacitive is composed of a sheet of glass with embedded transparent electrode films and an integrated chip (IC), which creates a three dimensional electrostatic field. When a finger comes into contact with the screen, the ratios of the electrical currents change, and the computer is able to detect the touch points.

Advantages:

• Excellent image clarity
• More resistant to scratching than surface capacitive touch screens
• Resistant to surface contaminants and liquids- dust, oil, grease, moisture
• Multi-touch (two-touch)

Disadvantages:

• Sensitive to EMI/RFI
• Must be activated via exposed finger, thin surgical or cotton gloves

Surface Acoustic Wave (SAW)

SAW touch screen monitors utilize a series of piezoelectric transducers and receivers along the sides of the monitor's glass plate, to create an invisible grid of ultrasonic waves on the surface. When the panel is touched, a portion of the wave is absorbed. This allows the receiving transducer to locate the touch point and send the data to the computer. SAW monitors can be activated by finger, gloved hand, or soft-tip stylus. SAW monitors offer easy use and high visibility.

Advantages:

• Excellent image clarity
• Even better scratch resistance than capacitive touch screens
• High "touch life"

Disadvantages:

• Will not activate with hard items- pen, credit cards, or finger nails
• Water droplets may cause false-triggering
• Solid contaminants on the screen can create non-touch areas until removed

Infrared Touch (IR)

Infrared touch screen monitors do not overlay the display with an additional screen or screen sandwich. Instead, infrared monitors use IR emitters and receivers to create an invisible grid of light beams across the screen. This ensures the best possible image quality. When an object interrupts the invisible infrared light beam, the sensors are able to locate the touch point.

Advantages:

• Highest image clarity and light transmission of all touch screen technologies
• Unlimited "touch-life"
• Impervious to surface scratches

Disadvantages:

• Accidental activation may occur because infrared beams are actually above the glass surface
• Dust, oil, or grease buildup on screen or frame could impede light beam causing malfunction
• Sensitive to water, snow, and rain
• May be sensitive to ambient light interference
• Higher cost

Touch Screen For Industrial Environments

All touch screen interfaces have advantages and disadvantages, depending on their application. For industrial use, there typically are requirements and nuances that lend better to certain types of touch screen interfaces.

The most advantageous touch screen interface type for industrial and automation environments, tends to be resistive touch screens. Since resistive touch screens allow the use of gloves and stylus, the user will not be bothered with having to remove gloves or protective wear in order to use the device. 

Some industry facilities, like food and beverage for example, require a strict "no exposed glass" policy. Resistive touch interfaces employ a flexible- polycarbonate in most cases- sheet over top of a glass substrate. Resistive touch screens prevent any exposed glass and allow use in these type of applications. 

Many types of touch screen interfaces can excel in many environments, so it's best to research what the application environment will consist of, before choosing the type of touch screen interface that would be ideal for your operations.

DEFINING PORTS AND SERVICES

In part 2 of our Ports and Services white paper we will discuss the NERC CIP definition of the term “ports and services”, and how to comply with NERC CIP documentation requirements.

For a review of what ports and services are, refer to the NERC CIP Ports and Services White Paper Part 1: The Apartment Building Analogy.

WHAT PORTS AND SERVICES MEANS TO NERC CIP

Forget what you may already know about ports and services. What we are interested in is the definition of the term as it applies to NERC CIP compliance.  More specifically, how those terms are used for audit. The term “ports and services”, is subtly different in the common IT usage than in the OT environment. A clear understanding of these differences in accordance with NERC CIP will make the process of being complaint much easier. 

The Guidelines and Technical Basis from NERC CIP-007-5, clears away a lot of possible confusion. The Guideline states that “the SDT intends for the entity to know what network accessible ports and associated services are accessible on their assets” [1]. This NERC CIP clarification limits the ports to listening ports and their respective services. 

Other ports in use can vary wildly, and while their use may have some bearing on security, their operation is better covered by an Intrusion Detection System (IDS), and is not within the spirit of this particular requirement.

THE IMPORTANCE OF LISTENING PORTS

One of the difficulties in addressing ports and services requirements, is when common and less specific IT definitions are applied which can cause confusion. These IT style definitions dilute the effectiveness, by diverting resources to documenting and managing network connections that do not have anywhere near the cost/benefit ratio of listening ports and their associated services.  

The term “listening” is very specific, and can be used to identify which ports the NERC CIP requirement refers to. The requirement states “the entity should know whether they are needed for that Cyber Asset’s function and disable or restrict access to all other ports” [2].

While there is much debate about security versus compliance, this compliance requirement, while not all-encompassing by any means, is a relatively affordable and effective security measure. Services that cannot be executed provide little opportunity for exploit.  It doesn’t address exploiting the services you actually use, and isn’t effective if the computer system is already compromised, but it can be very effective in preventing a compromise.

The NERC CIP 007-5 R1.1 requirement, is about attack surface area, as stated in the Guidelines and Technical Basis section. It does not verify that the service running on a port hasn’t been modified (there is no file hash check requirement), but that is not the purpose of this requirement. It’s not about forensics of compromised computers.

OTHER CONNECTION TYPES

“Established” connections are very different from listening ports. They do not play a role in initial attack surface area, and should be removed when creating ports and services documentation. 

While documentation for established connections is not required, if producing such documentation is necessary, it already exists. This documentation should be available either on the listening port of the local computer or for the listening port on the “other end” of the connection. That is, the listening machine should have the documentation describing the reason that a listening port was available to establish the connection. 

This same reasoning applied for other states like “CLOSE_WAIT” and “TIME_WAIT”. This requirement does not apply to any “non-listening” TCP ports. Otherwise, you would have to document every possible listening port on every device in the plant associated with every ephemeral port on the current device. Even if this were possible in practice, it is not useful when discussing attack surface area. As we have seen, it is obvious the requirement isn’t about forensics of compromised computers, as there is no mention of verifying the associated services haven’t had their executables modified. 

ONLY DONE ONCE

The core security value of this NERC CIP requirement, shutting down any unnecessary ports, only needs to be done once [3].  At this point, hopefully many of your devices already have this done by the vendor before they arrive at your site. Any remaining ports and associated services needed for operation must be documented. 

So what is left to do? Monitoring devices, to make sure ports aren’t added any time a relevant change is made to the system. That is the only time it should be necessary to document additional listening ports and services. The checks and verification may happen more frequently [4], but the actual documentation for the port and service reasoning is only done once at the beginning or when a service is added.

"LISTENING" LATER

Services that are not current “listening” but may be “listening” at other times, must also be documented. Any service expected to run at any time on a computer must be documented. This means that using a scan of a running computer to develop documentation baseline can lead to problems and inaccurate reporting.  

Problems can arise using a scan instead of documentation to create the baseline. An example of this might occur if there was a port that was “listening” only on Wednesdays (say during backup), that is not included in your ports and service documentation that you built from the “listening” ports captured on a Monday. 

In that case, your NERC CIP ports and services audit may show this port open, but not documented, resulting in a compliance issue. The more likely reason that a new listening port may appear would be if you installed additional software on the computer in question. Installing antivirus software for instance may create additional listening ports and associated services, requiring additional ports and services documentation.

DOCUMENTING RPC PORTS AND SERVICES

 Remote Procedure Call (RPC) ports can change each time a computer is rebooted. This requires a little careful documentation and is another reason why just a scan of a running machine can be misleading. While RPC port numbers can change whenever the computer reboots, they will only appear in the RPC range. 

You can use the following commands, to find out which ports are in the RPC range:

• netsh int ipv4 show dynamicport tcp
• netsh int ipv4 show dynamicport udp

(Be aware that for this paper we are not addressing IPV6 specifically, though the techniques are very similar.)  

When you document RPC ports and services, instead of documenting the actual port number, document that it is an RPC service, and the range of ports where it may appear. You would collect this information from the netsh commands issued on a command line.

HOW TO BE COMPLIANT

Now that we understand the NERC CIP definition of “ports and services”, it simplifies our compliance process. Begin by asking your vendors for ports and services documentation. Scanning a machine should not reveal any additional ports, but fewer ports are generally not an issue, assuming that the service is only active intermittently. You do not want to document ports that are not actually used at some point on the system. 

A summary of Microsoft Windows ports and services can be found on Microsoft’s website [5]. Your computer will likely have several other ports and services from additional vendors’ software. The goal is to document and verify listening ports, their associated services, and document their required function or disable/restrict access to them. The process must then be repeated for UDP ports.

The Windows 7 Approach

Let’s look at the ports that happen to be open at the moment, remembering that the final documentation must include any port that could be open at any time. 

• netstat -oan

Depending on the function of the computer, there may be between 50 to 500 line items or more, most of which are not relevant to us. Use the following command to find only TCP listening ports.

• netstat -oan | find “LISTEN”

Once you have performed the action above, let’s take a moment to interpret the column data. To save you a lot of unnecessary hardship, let’s begin by reviewing the fourth column of the netstat command output first. The fourth column is primarily used to show the address of another computer for a “non-listening” port. As we are not interested in the “non-listening” ports, remove everything that does not have “LISTENING” in this column. Anything else is not a listening TCP port.

Next, divide the second column into two sections; those that beginning with 127.0.0.1 and those that begin with anything else. Throw away any port numbers that begin with 127.0.0.1. The port numbers that begin with 127.0.0.1, mean that the only connections allowed to this port are from the local machine itself. The only way these ports could be used to attack the machine, is if the machine is already compromised. If you would like to be more conservative with the compliance process, keep the 127.0.0.1 ports and document them as well. There should only be a small number of these ports.

Let’s assume that you are not using IPv6 on your network. If Ipconfig does not show any IPv6 address, they should be unreachable. To completely disable IPv6, follow the Microsoft Knowledge Base article. Unfortunately, some IPv6 items will still appear in the netstat reports, even after IPv6 has been disabled.

Like the fourth column, the third column should also be ignored. The third column is the “Foreign Address”, and is most likely all “0.0.0.0:0”. 

The fifth column is where you find the Process Identification Number “PID”. These are the services of the NERC CIP ports and services requirement. 

Services

You will also need to identify the service associated with the port for your NERC CIP documentation.

To find the associated service in Windows 7, use the following command.

• Netstat -boan

The output from this command is very similar to that of netstat -oan, except that after every listening port on lines by themselves, the service name and associated executable may be listed.

Once you have completed this process, you must now go back and perform the same steps for all UDP ports as there is no concept of “listening” for UDP connections. The term UDP is specific to TCP style connections.

Difficulties

There are some difficulties in mapping services to ports for compliance documentation. In particular netstat –boan will return “Cannot obtain ownership information” instead of the service and process name in some instances.  This commonly happens for PID 4, “SYSTEM”.  Use the following command to lookup additional information about a particular PID, in this example PID 4.  

• Tasklist /FI “PID eq 4”

In some cases the same process (executable) is used to provide different services, for example inetinfo.exe on Windows XP, the service associated with the port isn’t listed in the netstat –boan report.  In those cases the tasklist command can provide additional information about which services that process provides so that you can document the operational purpose for having the port open.

• Tasklist /SVC

This command will list all of the services associated with the process so that you can select the appropriate match.  The difficulty here is that netstat will provide all the listening ports and process PID, and tasklist will provide the lists of services that a process provides, but there is no direct mapping between which service is provided on which port (for processes/PIDs/executables that provide multiple services).  Vendor documentation and configuration information for the particular software in question may be necessary to sufficiently resolve this.

For computers that have multiple IP interfaces (physical or logical), take care to document on which interface the port and associated service should appear.  It is not uncommon for there to be different services provided to those different interfaces.

Operational Purpose

Now that you have a list of ports and their associated service, you must define the “operational purpose” for having that port and service listening.  This is the reason the port and service is used at your location.  

For example, if you have documented that inetinfo.exe has an http (web) server open on port 80 on the 1st Ethernet interface on your computer, the operational purpose might be that "the data historian function of this computer is operated using this http (web) interface.”  

This is why you must identify the service associated with the port number.  The port number alone does not provide sufficient information to document your operational purpose. 

Verifying Ports

For compliance make sure you have documented all the required ports and services, or have shut them down. Remember to look at the ports and services requirement documentation from your vendor and to properly document the ports that might not currently be listening, but could arise in specific circumstances. This process should be repeated after every “significant change” [6] if there is a new port or service afterward, it must be documented.  

You are also required to monitor at least once every 35 calendar days for changes to your listening ports [7].

Firewall As Mitigation

A “host-based” firewall rule, which restricts access to a running service, is the same as shutting down that service. The Guidelines and Technical Basis section of NERC CIP 007-5 section 1.1 states that “the SDT intends that the control be on the device itself, or positioned in a non-bypassable manner”.  The guideline goes on to state that using other external firewalls does not substitute for this requirement. If a host-based firewall is used as your mitigation for an open port, be sure to document it.

Not For Detecting A Malware Infection

Ports and services requirements in CIP 007-3 are not intended to describe forensics investigations after a successful attack. These requirements focus on preparation, and defense before an attack. The NERC CIP 007-3 ports and services requirements shouldn’t be construed as an attempt to discover and recover from malware.

These requirements do not ask the user to verify that the process or executable associated with a port and service has not been secretly (maliciously) modified. That would require some type of validation of a hash of the software that opened the port.

Also, keep in mind a successful root-kit style attack will frequently hide open ports and services from the operating system itself. A netstat command will not show the malicious port being open. This also falls under a forensics investigation, which is not part of the NERC CIP requirements.

Malware may also hide an executable, so even if you attempted to verify a service program, the executable presented on disk may not be the same as the one executing under its name in memory. Disabling ports and services has a great value for preventing infections from malware, but the NERC CIP ports and service requirements shouldn't be construed as an attempt to discover and recover from a previous malware infection.

DNS (On Windows)

A DNS server is “supposed” to open ports 53 UDP and 53 TCP. The Windows DNS server also seems to open port 53 UDP and 53 TCP on the local loopback address 127.0.0.1 (IPv4) and [::1](IPv6). Theoretically, these ports can only accept requests from the same computer so they shouldn’t be an issue, but, additional documentation might be prudent for compliance purposes.

Some versions of DNS on Windows will open a lot of additional UDP listening ports. DNS.exe on Windows Server 2008 R2 with security update MS08-037, will allocate by default 2,501 random UDP listening ports as a precaution against a DNS spoofing attack [8]. It also opens 2,501 IPv6 UDP ports.  Ports used by Microsoft DNS is not sufficiently documented by Microsoft.

These open ports can change each time the service is restarted, and are not necessarily contiguous. While these are not RPC ports, the concept is similar, and it is a known and documented action for the DNS server. These ports and port ranges must be identified and documented, to cover the specified number of open DNS ports in this range.

The DNS server also opens one RPC TCP listening port on IPv4 and IPv6 for DNS management, these (2) can be documented as regular RPC ports and services.

CONCLUSION

This has been a technical overview of some of the tools and techniques useful when preparing for a NERC CIP audit that includes logically network accessible ports.  We have covered ways to reduce the workload involved by carefully reviewing the requirements and items to watch for proper documentation.

References

[1]  CIP-007-5 Cyber Security Management

[2] NERC CIP 007-5 Guidelines and Technical Basis Requirement R, page 51

[3] NERC CIP 007-5 R1.1

[4] NERC CIP 010-1 R2.1

[5] Network Ports Used by Key Microsoft Server Products

[6] I’m using the NERC CIP 007-3 term here, as a suggestion for when to check for changes.  “a significant change shall, at a minimum, include implementation of security patches, cumulative service packs, vendor releases, and version upgrades of operating systems, applications, database platforms, or other third-party software or firmware.”

[7] The SDT’s intent of R2 is to require automated monitoring of the BES Cyber System. However, the SDT understands that there may be some Cyber Assets where automated monitoring may not be possible.

[8] Configuring The Socket Pool, Microsoft Windows