Detection to Due Diligence: Strengthening NERC CIP Compliance

Security monitoring and regulatory compliance are often treated as parallel efforts in critical infrastructure environments. One focuses on identifying malicious activity; the other on demonstrating adherence to Standards. In practice, however, the strongest programs are those where operational detection directly reinforces compliance outcomes.

The Dragos Platform is designed with this intersection in mind. While its primary purpose is to detect and respond to threats in industrial environments, the visibility, context, and correlation it provides can also meaningfully support compliance with multiple NERC CIP standards, including CIP‑015 Internal Network Security Monitoring (INSM), CIP‑010, and CIP-003 requirements related to Transient Cyber Assets (TCAs), and CIP-007 requirements related to password changes.

The following example highlights Dragos Platform detections that can help entities identify Transient Cyber Assets (TCAs) used in NERC CIP environments that are not authorized under their CIP-003 or CIP-010 TCA and Removable Media Plan(s).

The Dragos Platform detects previously unseen devices interacting with protected OT systems by identifying: a new IP address in use for the first time; interactive sessions originating from that source asset; new communication flows from that source IP to various destination assets; a new MAC address; RDP connections over non‑standard ports; port‑scanning activity; and attempted logins from the new source asset to a destination relay. This combination of observable behaviors can be used to identify the presence of a TCA, including one that is unauthorized or improperly authorized and operating outside of approved access methods or Transient Cyber Asset controls, warranting investigation from both a security and compliance perspective.

For organizations with a dedicated Dragos Concierge Analyst and Dragos Resident Engineer supporting their security operations, the investigation often begins with them and also includes the organization’s own security teams and investigation processes. One of the initial checks is to determine whether the detected device’s MAC address matches a known MAC address for an approved TCA. Using the map within the Dragos Platform (see Figure 1), investigators can see additional observed communication information, including observed username attempts and command usage.

Figure 1

With the information provided and collaboration between teams, organizations have been able to identify individuals on‑site performing approved work at the time the detections were captured in the Platform. In some cases, investigation has determined that personnel accidentally used a corporate laptop to complete the work instead of an approved TCA. This scenario can be validated by determining whether the MAC address of the personnel’s corporate laptop matches the MAC address observed in the Dragos Platform detection(s) and then comparing it against the list of authorized TCAs.

In this example, the activity is not malicious but requires review against CIP-003 and CIP-010 TCA and Removable Media plan(s) depending on the impact rating of the site to determine compliance implications. This highlights the importance of having technical controls in place that can be used to determine if observed device activity aligns with approved use and documented controls.
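The triage described above (correlate the new-device observables per source asset, then check the observed MAC against the authorized TCA inventory and, failing that, against the corporate asset inventory) can be automated. The script below is an added example, not Dragos Platform code: the event records, the inventories, the field names and the "three or more indicators" threshold are all constructed assumptions chosen to mirror the scenario in the text.

```python
"""Correlate new-device observables with an authorized TCA inventory.

Added example (not Dragos Platform code). The event records below are
constructed to resemble the observables the text lists: a new IP seen for
the first time, a new MAC, interactive sessions, RDP on a non-standard
port, port scanning and login attempts against a relay. The field names,
inventory format and thresholds are assumptions.
"""
from dataclasses import dataclass, field

# Constructed inventory of authorized TCAs, keyed by normalized MAC address.
AUTHORIZED_TCAS = {
    "00:11:22:aa:bb:01": {"owner": "relay-tech-1", "plan": "CIP-010 R4 TCA plan"},
    "00:11:22:aa:bb:02": {"owner": "relay-tech-2", "plan": "CIP-010 R4 TCA plan"},
}

# Constructed corporate (non-TCA) asset inventory, used to attribute an
# unknown device to an employee laptop as in the scenario in the text.
CORPORATE_ASSETS = {
    "3c:52:82:de:ad:01": "corp-laptop-jsmith",
}

# Constructed detection events, one dict per Platform-style observation.
SAMPLE_EVENTS = [
    {"type": "new_ip", "src_ip": "10.20.30.77"},
    {"type": "new_mac", "src_ip": "10.20.30.77", "mac": "3C:52:82:DE:AD:01"},
    {"type": "interactive_session", "src_ip": "10.20.30.77", "dst_ip": "10.20.30.10"},
    {"type": "rdp_nonstandard_port", "src_ip": "10.20.30.77", "dst_ip": "10.20.30.10", "port": 3390},
    {"type": "port_scan", "src_ip": "10.20.30.77"},
    {"type": "login_attempt", "src_ip": "10.20.30.77", "dst_ip": "10.20.30.21", "user": "eng"},
    {"type": "new_ip", "src_ip": "10.20.30.78"},
    {"type": "new_mac", "src_ip": "10.20.30.78", "mac": "00:11:22:AA:BB:01"},
    {"type": "login_attempt", "src_ip": "10.20.30.78", "dst_ip": "10.20.30.21", "user": "eng"},
    {"type": "new_ip", "src_ip": "10.20.30.79"},
]

# Observable types that, in combination, suggest a maintenance-style device.
TCA_LIKE_TYPES = {
    "new_ip", "new_mac", "interactive_session",
    "rdp_nonstandard_port", "port_scan", "login_attempt",
}


def normalize_mac(mac):
    """Lower-case and colon-separate a MAC so inventory lookups are exact."""
    return mac.strip().lower().replace("-", ":")


@dataclass
class SourceProfile:
    src_ip: str
    macs: set = field(default_factory=set)
    observed: set = field(default_factory=set)
    destinations: set = field(default_factory=set)


def build_profiles(events):
    """Group individual observations by source IP into one profile each."""
    profiles = {}
    for ev in events:
        p = profiles.setdefault(ev["src_ip"], SourceProfile(ev["src_ip"]))
        p.observed.add(ev["type"])
        if "mac" in ev:
            p.macs.add(normalize_mac(ev["mac"]))
        if "dst_ip" in ev:
            p.destinations.add(ev["dst_ip"])
    return profiles


def classify(profile, min_indicators=3):
    """Return (verdict, detail). A source is treated as TCA-like once it
    shows at least min_indicators of the listed observables; its MAC is then
    checked against the authorized TCA list, then the corporate inventory."""
    hits = profile.observed & TCA_LIKE_TYPES
    if len(hits) < min_indicators:
        return "insufficient-evidence", sorted(hits)
    for mac in profile.macs:
        if mac in AUTHORIZED_TCAS:
            return "authorized-tca", AUTHORIZED_TCAS[mac]["owner"]
    for mac in profile.macs:
        if mac in CORPORATE_ASSETS:
            # Not malicious, but a deviation from the TCA plan to review.
            return "unauthorized-corporate-asset", CORPORATE_ASSETS[mac]
    return "unknown-device", sorted(profile.macs)


def review(events):
    """Map each source IP to its (verdict, detail) pair."""
    return {ip: classify(p) for ip, p in build_profiles(events).items()}


if __name__ == "__main__":
    for ip, (verdict, detail) in review(SAMPLE_EVENTS).items():
        print(f"{ip}: {verdict} ({detail})")
```

The "unauthorized-corporate-asset" verdict is the case the text describes: the activity is benign, but the device is not on the TCA list and the finding still has to be reviewed against the CIP-003 or CIP-010 plan. An "unknown-device" verdict, where the MAC matches neither inventory, is the one that warrants a security investigation first.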

CIP-003 and CIP‑010 establish requirements for the use of Transient Cyber Assets (TCAs). Together, these standards require organizations to ensure that temporary devices used for maintenance, troubleshooting, or performing other approved functions under their TCA plan(s) are authorized, protected, and managed in a manner that mitigates risk to BES Cyber Systems.

TCAs are often expected to exhibit certain characteristics: known device identifiers, approved configurations, and predictable communication behavior. When an asset appears that behaves like a maintenance device but does not align with approved inventories or expected usage, that discrepancy becomes immediately relevant from both a security and compliance standpoint.

The Dragos Platform’s ability to identify previously unseen assets, capture device identifiers, and correlate activity patterns allows organizations to quickly assess whether a device is operating within the bounds of an entity-approved TCA Plan. This directly supports:

  • CIP‑003 Attachment 1, Section 5, which requires mitigation of malicious code risk introduced via Transient Cyber Assets.
  • CIP‑010 Requirement R4, Attachment 1, which requires TCA management, authorization, software vulnerability mitigation, introduction of malicious code mitigation, and protection against unauthorized use.

Many entities rely on procedural and administrative controls, such as dedicated, individually assigned TCAs, physical access controls, visitor access programs, and TCA training requirements, to demonstrate that Transient Cyber Assets are managed in a manner that mitigates risk to the BES. While those controls support the security objectives of the Standards, many entities lack a technical mechanism that validates real‑world behavior. By providing concrete, time‑stamped evidence of asset activity, the Platform helps reduce uncertainty, accelerate compliance validation, and support follow‑on actions when deviations are identified.

In the above example, the outcome was not driven by technology alone. The Dragos Platform provides the detections and visibility, Dragos Concierge Analysts investigate and correlate activity against approved inventories, and Dragos Resident Engineers validate device attribution and environmental context. Together, this combination enables the organization to identify root cause, assess compliance impact, and take corrective action if necessary.

CIP‑007‑6 requires organizations to implement controls for system security management, including password and authentication practices for BES Cyber Systems. In accordance with CIP‑007 R5, electric utilities must complete password changes for High Impact BCS and their associated EACMS, PACS, and PCA and Medium Impact BCS with ERC and their associated EACMS, PACS, and PCA every 15 calendar months. At Medium and High Impact sites, this includes updating passwords on intelligent electronic devices (IEDs) and substation relays.

Once the passwords are changed, documentation is typically gathered to verify completion; however, human and machine error are still possible.

For example, Dragos Concierge Analysts have observed Dragos Platform brute‑force detections across multiple sites that were triggered by repeated failed authentication attempts between site IEDs and one or more relays after CIP‑mandated password changes were completed. These detections can be caused by a process error that leaves a password mismatch between the relay, the IED, or a centralized asset management platform used to pull information from site devices.

In these scenarios, the password mismatches must be corrected to stop the brute‑force detections. Without Dragos Platform visibility into substations, this type of issue could go unnoticed and potentially have NERC CIP compliance implications if passwords were not changed within required timeframes.

Dragos brute‑force detections identify repeated authentication attempts against industrial assets and systems. While these detections can indicate adversary behavior, they can also surface situations where password hygiene controls have not been effectively enforced.

From a compliance perspective, these detections can be used to:

  • Identify assets that continue to accept repeated authentication attempts without lockout or alerting
  • Highlight systems where password changes may not have occurred as required
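The brute‑force scenario above, and the two compliance uses just listed, come down to the same check: count failed authentication attempts per source/destination pair, note whether the destination ever locked the source out, and compare the start of the burst with the password‑change register. The script below is an added example, not Dragos Platform code; the syslog‑style log lines, the change register, the field names, the five‑failures‑in‑ten‑minutes threshold and the 24‑hour grace window are all constructed assumptions.

```python
"""Flag repeated failed authentication between IEDs and relays, and
annotate bursts that begin shortly after a recorded password change.

Added example (not Dragos Platform code). The log lines, the password-
change register, the line format and the thresholds are constructed
assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events: ISO timestamp, source, destination, result.
SAMPLE_LOG = """\
2024-03-04T10:00:05 src=10.20.30.40 dst=10.20.30.21 auth=fail
2024-03-04T10:00:35 src=10.20.30.40 dst=10.20.30.21 auth=fail
2024-03-04T10:01:05 src=10.20.30.40 dst=10.20.30.21 auth=fail
2024-03-04T10:01:35 src=10.20.30.40 dst=10.20.30.21 auth=fail
2024-03-04T10:02:05 src=10.20.30.40 dst=10.20.30.21 auth=fail
2024-03-04T10:02:35 src=10.20.30.40 dst=10.20.30.21 auth=fail
2024-03-04T10:03:00 src=10.20.30.41 dst=10.20.30.22 auth=ok
2024-03-04T11:15:00 src=10.20.30.99 dst=10.20.30.23 auth=fail
2024-03-04T11:15:02 src=10.20.30.99 dst=10.20.30.23 auth=fail
2024-03-04T11:15:04 src=10.20.30.99 dst=10.20.30.23 auth=fail
2024-03-04T11:15:06 src=10.20.30.99 dst=10.20.30.23 auth=fail
2024-03-04T11:15:08 src=10.20.30.99 dst=10.20.30.23 auth=fail
2024-03-04T11:15:10 src=10.20.30.99 dst=10.20.30.23 auth=locked
"""

# Constructed CIP-007 R5 change register: relay IP -> time its password was changed.
PASSWORD_CHANGES = {
    "10.20.30.21": datetime(2024, 3, 4, 9, 30),
}

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) auth=(?P<result>\w+)$")


def parse(log_text):
    """Parse the constructed log format into (timestamp, src, dst, result)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], m["result"]))
    return events


def detect_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window failure count per (src, dst). A pair is a burst once
    `threshold` failures fall inside `window`; also records whether the
    destination ever answered with a lockout for that source."""
    failures = defaultdict(list)
    lockouts = set()
    for ts, src, dst, result in sorted(events):
        if result == "fail":
            failures[(src, dst)].append(ts)
        elif result == "locked":
            lockouts.add((src, dst))
    bursts = {}
    for pair, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[pair] = {
                    "first_fail": times[start],
                    "count": len(times),
                    "lockout_seen": pair in lockouts,
                }
                break
    return bursts


def annotate(bursts, changes, grace=timedelta(hours=24)):
    """Attach a compliance-oriented assessment to each burst: a burst that
    starts within `grace` of a recorded change on the destination points to
    a mismatch from the change process; otherwise treat it as a security
    finding. `lockout_seen` False is the 'no lockout' case from the text."""
    findings = []
    for (src, dst), info in sorted(bursts.items()):
        changed = changes.get(dst)
        if changed and changed <= info["first_fail"] <= changed + grace:
            cause = "possible password mismatch after CIP-007 R5 change"
        else:
            cause = "no recent password change recorded; investigate as potential attack"
        findings.append({"src": src, "dst": dst, "failures": info["count"],
                         "lockout_seen": info["lockout_seen"], "assessment": cause})
    return findings


def run(log_text=SAMPLE_LOG, changes=PASSWORD_CHANGES):
    return annotate(detect_bursts(parse(log_text)), changes)


if __name__ == "__main__":
    for f in run():
        print(f)
```

In the constructed data the IED at 10.20.30.40 fails against relay 10.20.30.21 every 30 seconds starting half an hour after that relay's recorded password change, and the relay never locks it out; that pairing is what the text describes, and the `lockout_seen` flag is the evidence for the first bullet above. The second burst has no matching change record and the destination does lock the source out, so it is handed to the security side rather than the compliance side.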

The presence of a brute‑force detection does not automatically indicate compliance concerns, but it provides objective, network‑based evidence that can prompt focused review of password management practices before issues are identified during an audit or after a security incident.

The most effective compliance programs are informed by real operational data—not static checklists. The Dragos Platform demonstrates how security detections can serve a dual purpose: protecting critical infrastructure from threats while also supporting adherence to regulatory standards.

By delivering deep asset visibility, behavioral context, and expert analysis, Dragos helps organizations identify not only malicious activity but also subtle deviations that can introduce compliance risk. In real‑world cases, the combination of the Dragos Platform, Dragos Concierge, and Dragos Resident Engineers has identified and investigated multiple scenarios that were not malicious but posed potential NERC CIP compliance implications for the organizations in which they were deployed.

For more information on how the Dragos Platform can be utilized in a NERC CIP program, and how the Dragos Services team can help, review the Dragos NERC CIP Compliance page.

Timothy Vernick is a Senior ICS/OT Cyber Threat Intelligence Analyst at Dragos, specializing in threats to energy infrastructure and the design and implementation of defensive strategies for energy providers. He focuses on translating complex adversary behavior into actionable intelligence and resilient operational controls that reduce risk across industrial environments.
Kristine Martz is Principal Product Advisor for Dragos Inc. and has over fifteen years of experience in power and utilities cybersecurity and regulatory compliance, with expertise in NERC standards and real-time systems security.
Mr. Snyder is a Senior Principal Resident Engineer at Dragos, Inc. with 20+ years of experience in industrial control systems, OT cybersecurity, and critical infrastructure operations. He has led OT security programs and trained operations and SOC teams across oil, gas, and electric sectors.