Appendix E

Summary of NERC Cyber Security Standards

The stated purpose of mandatory NERC Standards CIP-002 through CIP-009 is to provide a cyber security framework for the identification and protection of critical cyber assets to support reliable operation of the bulk electric system. These standards recognize the differing roles of each entity in the operation of the bulk electric system, the criticality and vulnerability of the assets needed to manage bulk electric system reliability, and the risks to which they are exposed. Responsible entities should interpret and apply Standards CIP-002 through CIP-009 using reasonable business judgment.

Business and operational demands for managing and maintaining a reliable bulk electric system increasingly rely on cyber assets supporting critical reliability functions and processes to communicate with each other, across functions and organizations, for services and data, resulting in increased risks to these cyber assets.

Standard CIP-002 requires the identification and documentation of the critical cyber assets associated with the critical assets that support the reliable operation of the bulk electric system. These critical assets are to be identified through an annual risk-based assessment, and the responsible entity must identify and document the risk-based assessment methodology it uses to identify them. The responsible entity is required to maintain documentation describing that methodology, including its procedures and evaluation criteria.

The risk-based assessment shall consider the following assets:

1. Control centers and backup control centers;
2. Transmission substations that support the reliable operation of the bulk electric system;
3. Generation resources that support the reliable operation of the bulk electric system;
4. Systems and facilities critical to system restoration, including black-start generators and substations in the electrical path of transmission lines used for initial system restoration;
5. Systems and facilities critical to automatic load shedding under a common control system capable of shedding 300 MW or more;
6. Special protection systems that support the reliable operation of the bulk electric system; and
7. Any additional assets that support the reliable operation of the bulk electric system that the responsible entity deems appropriate to include in its assessment.

Using this list of critical assets, the responsible entity must develop a list of associated critical cyber assets essential to the operation of the critical asset. Examples at control centers and backup control centers include systems and facilities at master and remote sites that provide monitoring and control, automatic generation control, real-time power system modeling, and real-time inter-utility data exchange. Critical cyber assets are further qualified if they have at least one of the following characteristics: the cyber asset uses a routable protocol to communicate outside the electronic security perimeter, or the cyber asset uses a routable protocol within a control center, or the cyber asset is dial-up accessible.

To ensure compliance, a senior manager or delegate(s) must approve annually the list of critical assets and the list of critical cyber assets and keep a signed and dated record of the approval.

SECURITY MANAGEMENT CONTROLS: THREATS AND RISKS

Responsible entities must have minimum security management controls in place to protect critical cyber assets. The first step in complying with this charge is the development and implementation of a cyber security policy that represents management’s commitment and ability to secure its critical cyber assets. The responsible entity shall, at a minimum, ensure the following:

This cyber security policy must be readily available to all personnel who have access to, or are responsible for, critical cyber assets.

The responsible entity must assign a senior manager with overall responsibility for leading and managing the entity's implementation of, and adherence to, the policy. This senior manager shall be identified by name, title, business phone, business address, and date of designation. Changes to the senior manager must be documented within 30 calendar days of the effective date. The senior manager or delegate(s) shall authorize and document any exception from the requirements of the cyber security policy.

Information Protection

The responsible entity shall implement and document a program to identify, classify, and protect information associated with critical cyber assets. The critical cyber asset information to be protected shall include, at a minimum and regardless of media type, operational procedures, lists of critical assets, network topology or similar diagrams, floor plans of computing centers that contain critical cyber assets, equipment layouts of critical cyber assets, disaster recovery plans, incident response plans, and security configuration information.

The responsible entity shall, at least annually, assess adherence to its critical cyber asset information protection program, document the assessment results, and implement an action plan to remediate deficiencies identified during the assessment.

Access Control

The responsible entity must document and implement a program for managing access to protected critical cyber asset information. The responsible entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information. Personnel are identified by name, title, business phone, and the information for which they are responsible for authorizing access. At least annually, the responsible entity must review access privileges to protected information to confirm that access privileges are correct and that they correspond with the responsible entity's needs and appropriate personnel roles and responsibilities.

Change Control and Configuration Management

The responsible entity must establish and document a process of change control and configuration management for adding, modifying, replacing, or removing critical cyber asset hardware or software, and must implement supporting configuration management activities to identify, control, and document all entity- or vendor-related changes to hardware and software components of critical cyber assets pursuant to the change control process.

ELECTRONIC SECURITY PERIMETER(S)

The identification and protection of the electronic security perimeter(s) inside which all critical cyber assets reside, as well as all access points on the perimeter, are required.

Electronic Security Perimeter

The responsible entity must ensure that every critical cyber asset resides within an electronic security perimeter. The responsible entity must identify and document the electronic security perimeter(s) and all access points to the perimeter(s).

1. Access points to the electronic security perimeter(s) must include any externally connected communication end point (for example, dial-up modems) terminating at any device within the electronic security perimeter(s).
2. For a dial-up-accessible critical cyber asset that uses a non-routable protocol, the responsible entity must define an electronic security perimeter for that single access point at the dial-up device.
3. Communication links connecting discrete electronic security perimeters must not be considered part of the electronic security perimeter. However, end points of these communication links within the electronic security perimeter(s) must be considered access points to the electronic security perimeter(s).
4. Any non-critical cyber asset within a defined electronic security perimeter must be identified and protected.
5. Cyber assets used in the access control and monitoring of the electronic security perimeter(s) must be afforded certain protective measures.
6. The responsible entity must maintain documentation on the electronic security perimeter(s), all interconnected critical and non-critical cyber assets within the electronic security perimeter(s), all electronic access points to the electronic security perimeter(s), and the cyber assets deployed for the access control and monitoring of these access points.

Electronic Access Controls

The responsible entity must implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the electronic security perimeter(s).

1. These processes and mechanisms must use an access control model that denies access by default, such that explicit access permissions must be specified.
2. At all access points to the electronic security perimeter(s), the responsible entity must enable only ports and services required for operations and for monitoring cyber assets within the electronic security perimeter, and must document, individually or by specified grouping, the configuration of those ports and services.
3. The responsible entity must maintain a procedure for securing dial-up access to the electronic security perimeter(s).
4. Where external interactive access into the electronic security perimeter has been enabled, the responsible entity must implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party, where technically feasible.
5. The required documentation must, at least, identify and describe the processes for access request and authorization, the authentication methods, the review process for authorization rights, and the controls used to secure dial-up accessible connections.
6. Where technically feasible, electronic access control devices must display an appropriate-use banner on the user screen upon all interactive access attempts. The responsible entity must maintain a document identifying the content of the banner.

Monitoring Electronic Access

The responsible entity must implement and document an electronic or manual process(es) for monitoring and logging access at access points to the electronic security perimeter(s) 24 hours a day, 7 days a week.

1. For dial-up-accessible critical cyber assets that use non-routable protocols, the responsible entity must implement and document monitoring process(es) at each access point to the dial-up device, where technically feasible.
2. Where technically feasible, the security monitoring process(es) must detect and alert for attempts at or actual unauthorized accesses. These alerts must provide for appropriate notification to designated response personnel. Where alerting is not technically feasible, the responsible entity must review or otherwise assess access logs for attempts at or actual unauthorized accesses at least every 90 calendar days.

Cyber Vulnerability Assessment

The responsible entity must perform a cyber vulnerability assessment of the electronic access points to the electronic security perimeter(s) at least annually. The vulnerability assessment must include, at a minimum, the following:

1. A document identifying the vulnerability assessment process;
2. A review to verify that only ports and services required for operations at these access points are enabled;
3. The discovery of all access points to the electronic security perimeter;
4. A review of controls for default accounts, passwords, and network management community strings; and
5. Documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan.

Documentation Review and Maintenance

The responsible entity must review, update, and maintain all documentation to support compliance with the requirements, including the following:

1. The responsible entity must ensure that all documentation required reflects current configurations and processes and must review the documents and procedures at least annually.
2. The responsible entity must update the documentation to reflect the modification of the network or controls within 90 calendar days of the change.
3. The responsible entity must retain electronic access logs for at least 90 calendar days. Logs related to reportable incidents must be kept in accordance with the requirements.

INCIDENT REPORTING AND RESPONSE PLANNING

Cyber Security Incident Response Plan

The responsible entity must develop and maintain a cyber security incident response plan. The cyber security incident response plan must address, at a minimum, the following:

1. Procedures to characterize and classify events as reportable cyber security incidents.
2. Response actions, including roles and responsibilities of incident response teams, incident handling procedures, and communication plans.
3. Process for reporting cyber security incidents to the Electricity Sector Information Sharing and Analysis Center (ES ISAC). The responsible entity must ensure that all reportable cyber security incidents are reported to the ES ISAC either directly or through an intermediary.
4. Process for updating the cyber security incident response plan within 90 calendar days of any changes.
5. Process for ensuring that the cyber security incident response plan is reviewed at least annually.
6. Process for ensuring that the cyber security incident response plan is tested at least annually. A test of the incident response plan can range from a paper drill, to a full operational exercise, to the response to an actual incident.

Cyber Security Incident Documentation

The responsible entity must keep relevant documentation.

PHYSICAL SECURITY OF CRITICAL CYBER ASSETS

The implementation of a physical security program is intended to ensure the protection of critical cyber assets.

Physical Security Plan

The responsible entity must create and maintain a physical security plan, approved by a senior manager or delegate(s), that must address, at a minimum, the following:

1. Processes to ensure and document that all cyber assets within an electronic security perimeter also reside within an identified physical security perimeter. Where a completely enclosed ("six-wall") border cannot be established, the responsible entity must deploy and document alternative measures to control physical access to the critical cyber assets.
2. Processes to identify all access points through each physical security perimeter and measures to control entry at those access points.
3. Processes, tools, and procedures to monitor physical access to the perimeter(s).
4. Procedures for the appropriate use of physical access controls, including visitor pass management, response to loss, and prohibition of inappropriate use of physical access controls.
5. Procedures for reviewing access authorization requests and revocation of access authorization.
6. Procedures for escorted access within the physical security perimeter of personnel not authorized for unescorted access.
7. Process for updating the physical security plan within 90 calendar days of any physical security system redesign or reconfiguration, including, but not limited to, addition or removal of access points through the physical security perimeter, physical access controls, monitoring controls, or logging controls.
8. Means for ensuring that cyber assets used in the access control and monitoring of the physical security perimeter(s) are afforded the same protective measures as other cyber assets.
9. Process for ensuring that the physical security plan is reviewed at least annually.

Physical Access Controls

The responsible entity must document and implement the operational and procedural controls to manage physical access at all access points to the physical security perimeter(s) 24 hours a day, 7 days a week. The responsible entity must implement one or more of the following physical access methods:

1. Card key. A means of electronic access whereby the access rights of the card holder are predefined in a computer database. Access rights may differ from one perimeter to another.
2. Special locks. These include, but are not limited to, locks with "restricted key" systems, magnetic locks that can be operated remotely, and "man-trap" systems.
3. Security personnel. Personnel who are responsible for controlling physical access and who might reside on-site or at a monitoring station.
4. Other authentication devices. Biometric, keypad, token, or other equivalent devices that control physical access to critical cyber assets.

Monitoring Physical Access

The responsible entity must document and implement the technical and procedural controls for monitoring physical access at all access points to the physical security perimeter(s) 24 hours a day, 7 days a week. Unauthorized access attempts must be reviewed immediately and handled in accordance with established procedures. One or more of the following monitoring methods must be used:

1. Alarm systems. Systems that alarm to indicate that a door, gate, or window has been opened without authorization. These alarms must provide for immediate notification to personnel responsible for response.
2. Human observation of access points. Monitoring of physical access points by authorized personnel.

Logging Physical Access

Logging must record sufficient information to uniquely identify individuals and the time of access 24 hours a day, 7 days a week. The responsible entity must implement and document the technical and procedural mechanisms for logging physical entry at all access points to the physical security perimeter(s) using one or more of the following logging methods or their equivalent:

1. Computerized logging. Electronic logs produced by the responsible entity's selected access control and monitoring method.
2. Video recording. Electronic capture of video images of sufficient quality to determine identity.
3. Manual logging. A log book, sign-in sheet, or other record of physical access maintained by security or other personnel authorized to control and monitor physical access.

Access Log Retention

The responsible entity must retain physical access logs for at least 90 calendar days. Logs related to reportable incidents must be kept in accordance with the requirements of Standard CIP-008.

Maintenance and Testing

The responsible entity must implement a maintenance and testing program to ensure that all physical security systems function properly. The program must include, at a minimum, the following:

1. Testing and maintenance of all physical security mechanisms on a cycle no longer than 3 years.
2. Retention of testing and maintenance records for the proper cycle documented by the responsible entity.
3. Retention of outage records regarding access controls, logging, and monitoring for a minimum of 1 calendar year.

PERSONNEL AND TRAINING

Personnel having authorized cyber or authorized unescorted physical access to critical cyber assets, including contractors and service vendors, are required to have an appropriate level of personnel risk assessment, training, and security awareness.

Awareness

The responsible entity must establish, maintain, and document a security awareness program to ensure that personnel having authorized cyber or authorized unescorted physical access receive ongoing reinforcement in sound security practices. The program must include security awareness reinforcement on at least a quarterly basis using mechanisms such as direct communications (e.g., e-mails, memos, computer-based training); indirect communications (e.g., posters, intranet, brochures); and management support and reinforcement (e.g., presentations, meetings).

Training

The responsible entity must establish, maintain, and document an annual cyber security training program for personnel having authorized cyber or authorized unescorted physical access to critical cyber assets, and review the program annually and update as necessary. This program will ensure that all personnel having such access to critical cyber assets, including contractors and service vendors, are trained within 90 calendar days of such authorization.

Training must cover the policies, access controls, and procedures as developed for the critical cyber assets and include, at a minimum, the following required items appropriate to personnel roles and responsibilities: the proper use of critical cyber assets; physical and electronic access controls to critical cyber assets; the proper handling of critical cyber asset information; and action plans and procedures to recover or re-establish critical cyber assets and access thereto following a cyber security incident.

The responsible entity must maintain documentation that training is conducted at least annually, including the date the training was completed and attendance records.

Personnel Risk Assessment

The responsible entity must have a documented personnel risk assessment program, in accordance with federal, state, provincial, and local laws, and subject to existing collective bargaining unit agreements, for personnel having authorized cyber or authorized unescorted physical access. A personnel risk assessment must be conducted pursuant to that program within 30 days of such personnel being granted such access. Such program must at a minimum include the following:

1. The responsible entity must ensure that each assessment conducted includes, at least, identity verification (e.g., Social Security number verification in the United States) and a 7-year criminal check. The responsible entity may conduct more detailed reviews, as permitted by law and subject to existing collective bargaining unit agreements, depending on the criticality of the position.
2. The responsible entity must update each personnel risk assessment at least every 7 years after the initial personnel risk assessment or for cause.
3. The responsible entity must document the results of personnel risk assessments of its personnel having authorized cyber or authorized unescorted physical access to critical cyber assets, and must document that personnel risk assessments of contractor and service vendor personnel with such access are conducted pursuant to Standard CIP-004.

Access

The responsible entity must maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to critical cyber assets, including their specific electronic and physical access rights to critical cyber assets. The responsible entity must review quarterly the list(s) of its personnel who have such access to critical cyber assets, and update the list(s) within 7 calendar days of any change of personnel with such access to critical cyber assets, or any change in the access rights of such personnel. The responsible entity must ensure that access list(s) for contractors and service vendors are properly maintained. The responsible entity must revoke such access to critical cyber assets within 24 hours for personnel terminated for cause and within 7 calendar days for personnel who no longer require such access to critical cyber assets.

RECOVERY PLANS FOR CRITICAL CYBER ASSETS

Recovery plan(s) must be in place for critical cyber assets, and these plans must follow established business continuity and disaster recovery techniques and practices. The responsible entity must comply with the following requirements.

Recovery Plans

The responsible entity must create and annually review recovery plan(s) for critical cyber assets. The recovery plan(s) must address at a minimum the following:

1. Specify the required actions in response to events or conditions of varying duration and severity that would activate the recovery plan(s).
2. Define the roles and responsibilities of responders.

Exercises

The recovery plan(s) must be exercised at least annually. An exercise of the recovery plan(s) can range from a paper drill, to a full operational exercise, to recovery from an actual incident.

Change Control

Recovery plan(s) must be updated to reflect any changes or lessons learned as a result of an exercise or the recovery from an actual incident. Updates must be communicated to personnel responsible for the activation and implementation of the recovery plan(s) within 90 calendar days of the change.

Backup and Restore

The recovery plan(s) must include processes and procedures for the backup and storage of information required to successfully restore critical cyber assets. For example, backups may include spare electronic components or equipment, written documentation of configuration settings, tape backup, etc.

Testing Backup Media

Information essential to recovery that is stored on backup media must be tested at least annually to ensure that the information is available. Testing can be completed off-site.

_____________________

NOTE: This appendix provides a modified summary recitation of the NERC cyber security standards, available at http://www.nerc.com/~flez/standards/Reliability_Standards.html#Critical_Infrastructure_Protection (accessed November 2007). These standards have been reformatted and to some degree paraphrased in order to enhance their readability among diverse audiences.

Appendix E, pages 128-133, of Terrorism and the Electric Power Delivery System. Copyright © National Academy of Sciences. All rights reserved.
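As an added example (not part of the appendix or of the NERC standards themselves), the following Python checker evaluates a hypothetical inventory of electronic access points against the electronic access control, monitoring, and documentation retention requirements summarized above: deny by default, only documented ports and services enabled, strong authentication where external interactive access is enabled, an appropriate-use banner, 90-day log retention, and a manual log review at least every 90 days where alerting is not feasible. The AccessPoint record, its field names, and the two sample access points are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

LOG_RETENTION_DAYS = 90   # electronic access logs retained at least 90 calendar days
LOG_REVIEW_DAYS = 90      # manual log review at least every 90 calendar days


@dataclass
class AccessPoint:
    """One electronic access point to the ESP (hypothetical inventory record)."""
    name: str
    default_action: str                      # firewall/ACL default: "deny" or "allow"
    enabled_ports: Dict[int, str]            # port -> service actually enabled
    documented_ports: Dict[int, str]         # port -> documented operational need
    banner: str = ""                         # appropriate-use banner shown on interactive access
    log_retention_days: int = 0
    alerting_feasible: bool = True           # can the monitor alert on unauthorized access?
    last_log_review: Optional[date] = None   # only matters when alerting is not feasible
    external_interactive_access: bool = False
    strong_authentication: bool = False      # e.g. two-factor for external interactive access


def check_access_point(ap: AccessPoint, today: date) -> List[str]:
    """Return a list of findings (empty list means no gaps against the summarized items)."""
    findings: List[str] = []
    # Electronic Access Controls item 1: the access control model must deny by default.
    if ap.default_action.lower() != "deny":
        findings.append("default action is not deny")
    # Item 2: only ports/services required for operations, each one documented.
    for port in sorted(set(ap.enabled_ports) - set(ap.documented_ports)):
        findings.append(f"port {port}/{ap.enabled_ports[port]} enabled without documentation")
    # Item 4: strong controls where external interactive access has been enabled.
    if ap.external_interactive_access and not ap.strong_authentication:
        findings.append("external interactive access without strong authentication")
    # Item 6: appropriate-use banner on interactive access attempts.
    if not ap.banner.strip():
        findings.append("no appropriate-use banner")
    # Documentation Review item 3: retain electronic access logs at least 90 days.
    if ap.log_retention_days < LOG_RETENTION_DAYS:
        findings.append(f"log retention {ap.log_retention_days} days < {LOG_RETENTION_DAYS}")
    # Monitoring item 2: without alerting, logs must be reviewed at least every 90 days.
    if not ap.alerting_feasible:
        if ap.last_log_review is None or (today - ap.last_log_review).days > LOG_REVIEW_DAYS:
            findings.append("access logs not reviewed within 90 days and no alerting")
    return findings


def assess_perimeter(access_points: List[AccessPoint], today: date) -> Dict[str, List[str]]:
    """Map each access point name to its findings."""
    return {ap.name: check_access_point(ap, today) for ap in access_points}


# Constructed sample inventory: one clean access point, one with several gaps.
SAMPLE_DATE = date(2007, 11, 15)
SAMPLE_ACCESS_POINTS = [
    AccessPoint(
        name="fw-ems-north",
        default_action="deny",
        enabled_ports={20000: "DNP3 to RTUs", 443: "HMI web"},
        documented_ports={20000: "SCADA polling", 443: "operator HMI"},
        banner="Authorized use only. Activity is monitored.",
        log_retention_days=180,
        alerting_feasible=True,
    ),
    AccessPoint(
        name="fw-substation-7",
        default_action="allow",
        enabled_ports={23: "telnet", 502: "Modbus/TCP"},
        documented_ports={502: "relay polling"},
        banner="",
        log_retention_days=30,
        alerting_feasible=False,
        last_log_review=date(2007, 6, 1),
        external_interactive_access=True,
        strong_authentication=False,
    ),
]

if __name__ == "__main__":
    for name, findings in assess_perimeter(SAMPLE_ACCESS_POINTS, SAMPLE_DATE).items():
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print(f"  - {finding}")
```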