TERRORISM AND THE ELECTRIC POWER DELIVERY SYSTEM

APPENDIX E
Summary of NERC Cyber Security Standards

NOTE: This appendix provides a modified summary recitation of the NERC cyber security standards, available at http://www.nerc.com/~filez/standards/Reliability_Standards.html#Critical_Infrastructure_Protection (accessed November 2007). These standards have been reformatted and to some degree paraphrased in order to enhance their readability among diverse audiences.

The stated purpose of mandatory NERC Standards CIP-002 through CIP-009 is to provide a cyber security framework for the identification and protection of critical cyber assets to support reliable operation of the bulk electric system. These standards recognize the differing roles of each entity in the operation of the bulk electric system, the criticality and vulnerability of the assets needed to manage bulk electric system reliability, and the risks to which they are exposed. Responsible entities should interpret and apply Standards CIP-002 through CIP-009 using reasonable business judgment.

Business and operational demands for managing and maintaining a reliable bulk electric system increasingly rely on cyber assets supporting critical reliability functions and processes to communicate with each other, across functions and organizations, for services and data, resulting in increased risks to these cyber assets.

Standard CIP-002 requires the identification and documentation of the critical cyber assets associated with the critical assets that support the reliable operation of the bulk electric system. These critical assets are to be identified through the application of an annual risk-based assessment that identifies and documents the risk-based assessment methodology used to identify critical assets. The responsible entity is required to maintain documentation describing its risk-based assessment methodology that includes procedures and evaluation criteria.

The risk-based assessment shall consider the following assets: control centers and backup control centers; transmission substations that support the reliable operation of the bulk electric system; generation resources that support the reliable operation of the bulk electric system; systems and facilities critical to system restoration, including black-start generators and substations in the electrical path of transmission lines used for initial system restoration; systems and facilities critical to automatic load shedding under a common control system capable of shedding 300 MW or more; special protection systems that support the reliable operation of the bulk electric system; and any additional assets that support the reliable operation of the bulk electric system that the responsible entity deems appropriate to include in its assessment.

Using this list of critical assets, the responsible entity must develop a list of associated critical cyber assets essential to the operation of the critical asset. Examples at control centers and backup control centers include systems and facilities at master and remote sites that provide monitoring and control, automatic generation control, real-time power system modeling, and real-time inter-utility data exchange. Critical cyber assets are further qualified if they have at least one of the following characteristics: the cyber asset uses a routable protocol to communicate outside the electronic security perimeter, or the cyber asset uses a routable protocol within a control center, or the cyber asset is dial-up accessible.

To ensure compliance, a senior manager or delegate(s) must approve annually the list of critical assets and the list of critical cyber assets and keep a signed and dated record of the approval.

SECURITY MANAGEMENT CONTROLS: THREATS AND RISKS

Responsible entities must have minimum security management controls in place to protect critical cyber assets. The first step in complying with this charge is the development and implementation of a cyber security policy that represents management's commitment and ability to secure its critical cyber assets. The responsible entity shall, at a minimum, ensure the following: This cyber security policy must be readily available to all personnel who have access to, or are responsible for, critical cyber assets.

The responsible entity must assign a senior manager with overall responsibility for leading and managing the entity's implementation of, and adherence to, the policy. This senior manager shall be identified by name, title, business phone, business address, and date of designation. Changes to the senior manager must be documented within 30 calendar days of the effective date. The senior manager or delegate(s) shall authorize and document any exception from the requirements of the cyber security policy.

Information Protection

The responsible entity shall implement and document a program to identify, classify, and protect information associated with critical cyber assets. The critical cyber asset information to be protected shall include, at a minimum and regardless of media type, operational procedures, lists of critical assets, network topology or similar diagrams, floor plans of computing centers that contain critical cyber assets, equipment layouts of critical cyber assets, disaster recovery plans, incident response plans, and security configuration information.

The responsible entity shall, at least annually, assess adherence to its critical cyber asset information protection program, document the assessment results, and implement an action plan to remediate deficiencies identified during the assessment.

Access Control

The responsible entity must document and implement a program for managing access to protected critical cyber asset information. The responsible entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information. Personnel are identified by name, title, business phone, and the information for which they are responsible for authorizing access. At least annually, the responsible entity must review the access privileges to protected information to confirm that access privileges are correct and that they correspond with the responsible entity's needs and appropriate personnel roles and responsibilities.

Change Control and Configuration Management

The responsible entity must establish and document a process of change control and configuration management for adding, modifying, replacing, or removing critical cyber asset hardware or software, and must implement supporting configuration management activities to identify, control, and document all entity- or vendor-related changes to hardware and software components of critical cyber assets pursuant to the change control process.

ELECTRONIC SECURITY PERIMETER(S)

The identification and protection of the electronic security perimeter(s) inside which all critical cyber assets reside, as well as all access points on the perimeter, are required.

Electronic Security Perimeter

The responsible entity must ensure that every critical cyber asset resides within an electronic security perimeter. The responsible entity must identify and document the electronic security perimeter(s) and all access points to the perimeter(s).

1. Access points to the electronic security perimeter(s) must include any externally connected communication end point (for example, dial-up modems) terminating at any device within the electronic security perimeter(s).
2. For a dial-up-accessible critical cyber asset that uses a non-routable protocol, the responsible entity must define an electronic security perimeter for that single access point at the dial-up device.
3. Communication links connecting discrete electronic security perimeters must not be considered part of the electronic security perimeter. However, end points of these communication links within the electronic security perimeter(s) must be considered access points to the electronic security perimeter(s).
4. Any non-critical cyber asset within a defined electronic security perimeter must be identified and protected.
5. Cyber assets used in the access control and monitoring of the electronic security perimeter(s) must be afforded certain protective measures.
6. The responsible entity must maintain documentation on the electronic security perimeter(s), all interconnected critical and non-critical cyber assets within the electronic security perimeter(s), all electronic access points to the electronic security perimeter(s), and the cyber assets deployed for the access control and monitoring of these access points.

Electronic Access Controls

The responsible entity must implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the electronic security perimeter(s).
1. These processes and mechanisms must use an access control model that denies access by default, such that explicit access permissions must be specified.
2. At all access points to the electronic security perimeter(s), the responsible entity must enable only ports and services required for operations and for monitoring cyber assets within the electronic security perimeter, and must document, individually or by specified grouping, the configuration of those ports and services.
3. The responsible entity must maintain a procedure for securing dial-up access to the electronic security perimeter(s).
4. Where external interactive access into the electronic security perimeter has been enabled, the responsible entity must implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party, where technically feasible.
5. The required documentation must, at least, identify and describe:
   · The processes for access request and authorization,
   · The authentication methods,
   · The review process for authorization rights, and
   · The controls used to secure dial-up accessible connections.
6. Where technically feasible, electronic access control devices must display an appropriate-use banner on the user screen upon all interactive access attempts. The responsible entity must maintain a document identifying the content of the banner.

Monitoring Electronic Access

The responsible entity must implement and document an electronic or manual process(es) for monitoring and logging access at access points to the electronic security perimeter(s) 24 hours a day, 7 days a week.

1. For dial-up-accessible critical cyber assets that use non-routable protocols, the responsible entity must implement and document monitoring process(es) at each access point to the dial-up device, where technically feasible.
2. Where technically feasible, the security monitoring process(es) must detect and alert for attempts at or actual unauthorized accesses. These alerts must provide for appropriate notification to designated response personnel. Where alerting is not technically feasible, the responsible entity must review or otherwise assess access logs for attempts at or actual unauthorized accesses at least every 90 calendar days.

Cyber Vulnerability Assessment

The responsible entity must perform a cyber vulnerability assessment of the electronic access points to the electronic security perimeter(s) at least annually. The vulnerability assessment must include, at a minimum, the following:

1. A document identifying the vulnerability assessment process;
2. A review to verify that only ports and services required for operations at these access points are enabled;
3. The discovery of all access points to the electronic security perimeter;
4. A review of controls for default accounts, passwords, and network management community strings; and
5. Documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan.

Documentation Review and Maintenance

The responsible entity must review, update, and maintain all documentation to support compliance with the requirements, including the following:

1. The responsible entity must ensure that all documentation required reflects current configurations and processes and must review the documents and procedures at least annually.
2. The responsible entity must update the documentation to reflect the modification of the network or controls within 90 calendar days of the change.
3. The responsible entity must retain electronic access logs for at least 90 calendar days. Logs related to reportable incidents must be kept in accordance with the requirements.

INCIDENT REPORTING AND RESPONSE PLANNING

Cyber Security Incident Response Plan

The responsible entity must develop and maintain a cyber security incident response plan. The cyber security incident response plan must address, at a minimum, the following:

1. Procedures to characterize and classify events as reportable cyber security incidents.
2. Response actions, including roles and responsibilities of incident response teams, incident handling procedures, and communication plans.
3. Process for reporting cyber security incidents to the Electricity Sector Information Sharing and Analysis Center (ES ISAC). The responsible entity must ensure that all reportable cyber security incidents are reported to the ES ISAC either directly or through an intermediary.
4. Process for updating the cyber security incident response plan within 90 calendar days of any changes.
5. Process for ensuring that the cyber security incident response plan is reviewed at least annually.
6. Process for ensuring that the cyber security incident response plan is tested at least annually. A test of the incident response plan can range from a paper drill, to a full operational exercise, to the response to an actual incident.

Cyber Security Incident Documentation

The responsible entity must keep relevant documentation.

PHYSICAL SECURITY OF CRITICAL CYBER ASSETS

The implementation of a physical security program is intended to ensure the protection of critical cyber assets.

Physical Security Plan

The responsible entity must create and maintain a physical security plan, approved by a senior manager or delegate(s), that must address, at a minimum, the following:

1. Processes to ensure and document that all cyber assets within an electronic security perimeter also reside within an identified physical security perimeter. Where a completely enclosed ("six-wall") border cannot be established, the responsible entity must deploy and document alternative measures to control physical access to the critical cyber assets.
2. Processes to identify all access points through each physical security perimeter and measures to control entry at those access points.
3. Processes, tools, and procedures to monitor physical access to the perimeter(s).
4. Procedures for the appropriate use of physical access controls, including visitor pass management, response to loss, and prohibition of inappropriate use of physical access controls.
5. Procedures for reviewing access authorization requests and revocation of access authorization.
6. Procedures for escorted access within the physical security perimeter of personnel not authorized for unescorted access.
7. Process for updating the physical security plan within 90 calendar days of any physical security system redesign or reconfiguration, including, but not limited to, addition or removal of access points through the physical security perimeter, physical access controls, monitoring controls, or logging controls.
8. Means for ensuring that cyber assets used in the access control and monitoring of the physical security perimeter(s) are afforded the same protective measures as other cyber assets.
9. Process for ensuring that the physical security plan is reviewed at least annually.

Physical Access Controls

The responsible entity must document and implement the operational and procedural controls to manage physical access at all access points to the physical security perimeter(s) 24 hours a day, 7 days a week. The responsible entity must implement one or more of the following physical access methods:

1. Card key. A means of electronic access whereby the access rights of the card holder are predefined in a computer database. Access rights may differ from one perimeter to another.
2. Special locks. These include, but are not limited to, locks with "restricted key" systems, magnetic locks that can be operated remotely, and "man-trap" systems.
3. Security personnel. Personnel who are responsible for controlling physical access and who might reside on-site or at a monitoring station.
4. Other authentication devices. Biometric, keypad, token, or other equivalent devices that control physical access to critical cyber assets.

Monitoring Physical Access

The responsible entity must document and implement the technical and procedural controls for monitoring physical access at all access points to the physical security perimeter(s) 24 hours a day, 7 days a week. Unauthorized access attempts must be reviewed immediately and handled in accordance with established procedures. One or more of the following monitoring methods must be used:

1. Alarm systems. Systems that alarm to indicate that a door, gate, or window has been opened without authorization. These alarms must provide for immediate notification to personnel responsible for response.
2. Human observation of access points. Monitoring of physical access points by authorized personnel.

Logging Physical Access

Logging must record sufficient information to uniquely identify individuals and the time of access 24 hours a day, 7 days a week. The responsible entity must implement and document the technical and procedural mechanisms for logging physical entry at all access points to the physical security perimeter(s) using one or more of the following logging methods or their equivalent:

1. Computerized logging. Electronic logs produced by the responsible entity's selected access control and monitoring method.
2. Video recording. Electronic capture of video images of sufficient quality to determine identity.
3. Manual logging. A log book, sign-in sheet, or other record of physical access maintained by security or other personnel authorized to control and monitor physical access.

Access Log Retention

The responsible entity must retain physical access logs for at least 90 calendar days. Logs related to reportable incidents must be kept in accordance with the requirements of Standard CIP-008.

Maintenance and Testing

The responsible entity must implement a maintenance and testing program to ensure that all physical security systems function properly. The program must include, at a minimum, the following:

1. Testing and maintenance of all physical security mechanisms on a cycle no longer than 3 years.
2. Retention of testing and maintenance records for the proper cycle documented by the responsible entity.
3. Retention of outage records regarding access controls, logging, and monitoring for a minimum of 1 calendar year.

PERSONNEL AND TRAINING

Personnel having authorized cyber or authorized unescorted physical access to critical cyber assets, including contractors and service vendors, are required to have an appropriate level of personnel risk assessment, training, and security awareness.

Awareness

The responsible entity must establish, maintain, and document a security awareness program to ensure that personnel having authorized cyber or authorized unescorted physical access receive ongoing reinforcement in sound security practices. The program must include security awareness reinforcement on at least a quarterly basis using mechanisms such as:

· Direct communications (e.g., e-mails, memos, computer-based training, etc.);
· Indirect communications (e.g., posters, intranet, brochures, etc.);
· Management support and reinforcement (e.g., presentations, meetings, etc.).

Training

The responsible entity must establish, maintain, and document an annual cyber security training program for personnel having authorized cyber or authorized unescorted physical access to critical cyber assets, and review the program annually and update as necessary.

This program will ensure that all personnel having such access to critical cyber assets, including contractors and service vendors, are trained within 90 calendar days of such authorization.

Training must cover the policies, access controls, and procedures as developed for the critical cyber assets and include, at a minimum, the following required items appropriate to personnel roles and responsibilities:

· The proper use of critical cyber assets;
· Physical and electronic access controls to critical cyber assets;
· The proper handling of critical cyber asset information; and
· Action plans and procedures to recover or re-establish critical cyber assets and access thereto following a cyber security incident.

The responsible entity must maintain documentation that training is conducted at least annually, including the date the training was completed and attendance records.

Personnel Risk Assessment

The responsible entity must have a documented personnel risk assessment program, in accordance with federal, state, provincial, and local laws, and subject to existing collective bargaining unit agreements, for personnel having authorized cyber or authorized unescorted physical access. A personnel risk assessment must be conducted pursuant to that program within 30 days of such personnel being granted such access. Such program must at a minimum include the following:

1. The responsible entity must ensure that each assessment conducted includes, at least, identity verification (e.g., Social Security number verification in the United States) and a 7-year criminal check. The responsible entity may conduct more detailed reviews, as permitted by law and subject to existing collective bargaining unit agreements, depending on the criticality of the position.
2. The responsible entity must update each personnel risk assessment at least every 7 years after the initial personnel risk assessment or for cause.
3. The responsible entity must document the results of personnel risk assessments of its personnel having authorized cyber or authorized unescorted physical access to critical cyber assets, and must document that personnel risk assessments of contractor and service vendor personnel with such access are conducted pursuant to Standard CIP-004.

Access

The responsible entity must maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to critical cyber assets, including their specific electronic and physical access rights to critical cyber assets.

· The responsible entity must review quarterly the list(s) of its personnel who have such access to critical cyber assets, and update the list(s) within 7 calendar days of any change of personnel with such access to critical cyber assets, or any change in the access rights of such personnel. The responsible entity must ensure that access list(s) for contractors and service vendors are properly maintained.
· The responsible entity must revoke such access to critical cyber assets within 24 hours for personnel terminated for cause and within 7 calendar days for personnel who no longer require such access to critical cyber assets.

RECOVERY PLANS FOR CRITICAL CYBER ASSETS

Recovery plan(s) must be in place for critical cyber assets, and these plans must follow established business continuity and disaster recovery techniques and practices. The responsible entity must comply with the following requirements.

Recovery Plans

The responsible entity must create and annually review recovery plan(s) for critical cyber assets. The recovery plan(s) must address at a minimum the following:

1. Specify the required actions in response to events or conditions of varying duration and severity that would activate the recovery plan(s).
2. Define the roles and responsibilities of responders.

Exercises

The recovery plan(s) must be exercised at least annually. An exercise of the recovery plan(s) can range from a paper drill, to a full operational exercise, to recovery from an actual incident.

Change Control

Recovery plan(s) must be updated to reflect any changes or lessons learned as a result of an exercise or the recovery from an actual incident. Updates must be communicated to personnel responsible for the activation and implementation of the recovery plan(s) within 90 calendar days of the change.

Backup and Restore

The recovery plan(s) must include processes and procedures for the backup and storage of information required to successfully restore critical cyber assets. For example, backups may include spare electronic components or equipment, written documentation of configuration settings, tape backup, etc.

Testing Backup Media

Information essential to recovery that is stored on backup media must be tested at least annually to ensure that the information is available. Testing can be completed off-site.
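The deny-by-default access control, the review that only required ports and services are enabled at an access point, and the alerting on attempted or actual unauthorized accesses described under Electronic Access Controls, Cyber Vulnerability Assessment and Monitoring Electronic Access above, as an added Python example that is not part of the NERC standards or of this report. The access point name, port baseline, permission table, scan result and log layout are all constructed for illustration.

```python
import re
from collections import namedtuple
from datetime import datetime

# Documented baseline for one hypothetical ESP access point, "esp-ap-01"
# (constructed sample): the only (protocol, port) pairs required for
# operations or for monitoring cyber assets inside the perimeter.
BASELINE_PORTS = {
    ("tcp", 443): "operator HMI over HTTPS",
    ("tcp", 22): "maintenance SSH from the jump host",
    ("udp", 161): "SNMP polling of ESP devices",
}

# Listening ports reported by a (constructed) scan of the same access point.
OBSERVED_PORTS = [("tcp", 443), ("tcp", 22), ("udp", 161), ("tcp", 23), ("tcp", 80)]

# Explicit access permissions: (source host, user) -> permitted (proto, port).
# Deny by default: any combination not listed here is unauthorized.
PERMISSIONS = {
    ("10.1.1.5", "opsuser"): {("tcp", 443)},
    ("10.1.1.9", "maint"): {("tcp", 22)},
}

# Constructed access-log lines in a simple key=value layout (not a real device format).
SAMPLE_LOG = """\
2007-11-02T03:14:07 esp-ap-01 src=10.1.1.5 user=opsuser proto=tcp dport=443 result=allow
2007-11-02T03:20:41 esp-ap-01 src=10.1.1.9 user=maint proto=tcp dport=22 result=allow
2007-11-02T04:02:13 esp-ap-01 src=192.0.2.77 user=admin proto=tcp dport=23 result=deny
2007-11-02T04:02:19 esp-ap-01 src=192.0.2.77 user=admin proto=tcp dport=22 result=deny
2007-11-02T05:30:00 esp-ap-01 src=10.1.1.5 user=opsuser proto=tcp dport=80 result=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ap>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<port>\d+) result=(?P<result>allow|deny)$"
)

# One parsed log record; 'result' is what the access control device actually did.
AccessEvent = namedtuple("AccessEvent", "ts ap src user proto port result")

def parse_log(text):
    """Parse the constructed log layout; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(AccessEvent(
                datetime.fromisoformat(m["ts"]), m["ap"], m["src"], m["user"],
                m["proto"], int(m["port"]), m["result"]))
    return events

def port_review(baseline, observed):
    """Ports-and-services review: enabled ports with no documented need, and
    documented ports that are no longer enabled (stale documentation)."""
    allowed, seen = set(baseline), set(observed)
    return {"undocumented": sorted(seen - allowed),
            "documented_but_closed": sorted(allowed - seen)}

def is_authorized(ev, permissions):
    """Deny by default: only an explicit permission makes an access authorized."""
    return (ev.proto, ev.port) in permissions.get((ev.src, ev.user), set())

def review_log(events, permissions):
    """Alerts for attempted and actual unauthorized accesses. An 'allow' that the
    permission list does not cover means the device configuration has drifted
    from the documented permissions, so it is reported as an actual access."""
    alerts = []
    for ev in events:
        if not is_authorized(ev, permissions):
            alerts.append(("ACTUAL_UNAUTHORIZED" if ev.result == "allow" else "ATTEMPT", ev))
    return alerts

if __name__ == "__main__":
    print(port_review(BASELINE_PORTS, OBSERVED_PORTS))
    for kind, ev in review_log(parse_log(SAMPLE_LOG), PERMISSIONS):
        print(f"{kind}: {ev.ts} {ev.src} {ev.user} {ev.proto}/{ev.port} ({ev.result})")
```

On the constructed data the review flags telnet (tcp/23) and HTTP (tcp/80) as enabled without a documented need, reports the two denied telnet/SSH attempts from 192.0.2.77 for alerting, and reports the allowed opsuser connection to tcp/80 as an actual unauthorized access because no documented permission covers it.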