1. These processes and mechanisms must use an access control model that denies access by default, such that explicit access permissions must be specified.

2. At all access points to the electronic security perimeter(s), the responsible entity must enable only ports and services required for operations and for monitoring cyber assets within the electronic security perimeter, and must document, individually or by specified grouping, the configuration of those ports and services.

3. The responsible entity must maintain a procedure for securing dial-up access to the electronic security perimeter(s).

4. Where external interactive access into the electronic security perimeter has been enabled, the responsible entity must implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party, where technically feasible.

5. The required documentation must, at least, identify and describe:

• The processes for access request and authorization,

• The authentication methods,

• The review process for authorization rights, and

• The controls used to secure dial-up accessible connections.

6. Where technically feasible, electronic access control devices must display an appropriate-use banner on the user screen upon all interactive access attempts. The responsible entity must maintain a document identifying the content of the banner.

Monitoring Electronic Access

The responsible entity must implement and document an electronic or manual process(es) for monitoring and logging access at access points to the electronic security perimeter(s) 24 hours a day, 7 days a week.

1. For dial-up-accessible critical cyber assets that use non-routable protocols, the responsible entity must implement and document monitoring process(es) at each access point to the dial-up device, where technically feasible.

2. Where technically feasible, the security monitoring process(es) must detect and alert for attempts at or actual unauthorized accesses. These alerts must provide for appropriate notification to designated response personnel. Where alerting is not technically feasible, the responsible entity must review or otherwise assess access logs for attempts at or actual unauthorized accesses at least every 90 calendar days.

Cyber Vulnerability Assessment

The responsible entity must perform a cyber vulnerability assessment of the electronic access points to the electronic security perimeter(s) at least annually. The vulnerability assessment must include, at a minimum, the following:

1. A document identifying the vulnerability assessment process;

2. A review to verify that only ports and services required for operations at these access points are enabled;

3. The discovery of all access points to the electronic security perimeter;

4. A review of controls for default accounts, passwords, and network management community strings; and

5. Documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan.

Documentation Review and Maintenance

The responsible entity must review, update, and maintain all documentation to support compliance with the requirements, including the following:

1. The responsible entity must ensure that all documentation required reflects current configurations and processes and must review the documents and procedures at least annually.

2. The responsible entity must update the documentation to reflect the modification of the network or controls within 90 calendar days of the change.

3. The responsible entity must retain electronic access logs for at least 90 calendar days. Logs related to reportable incidents must be kept in accordance with the requirements.
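The monitoring, alerting and 90-calendar-day review fallback required above, together with the 90-day log retention in item 3, as an added Python example that is not from the report or the standard it reproduces; the log line format, access point names, addresses and user names are constructed for illustration:

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines from a hypothetical ESP access-point log (not from the page).
SAMPLE_LOG = """\
2024-01-03T08:12:01Z ap=esp-fw-01 src=10.20.30.5 user=opsuser result=ALLOW proto=ssh
2024-01-03T08:15:44Z ap=esp-fw-01 src=198.51.100.7 user=root result=DENY proto=ssh
2024-01-03T08:15:49Z ap=esp-fw-01 src=198.51.100.7 user=admin result=DENY proto=ssh
2024-02-10T22:01:13Z ap=esp-dialup-02 src=modem-3 user=vendor result=ALLOW proto=serial
2024-03-20T03:44:09Z ap=esp-fw-01 src=203.0.113.9 user=scada result=DENY proto=telnet
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ap=(?P<ap>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>ALLOW|DENY) proto=(?P<proto>\S+)$"
)

def parse_log(text):
    """Parse access-point log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(ev)
    return events

def unauthorized_attempts(events):
    """Every DENY at an ESP access point is an attempt at unauthorized access."""
    return [e for e in events if e["result"] == "DENY"]

def alerts(events):
    """Count denied attempts per (access point, source) for notifying response personnel."""
    counts = {}
    for e in unauthorized_attempts(events):
        key = (e["ap"], e["src"])
        counts[key] = counts.get(key, 0) + 1
    return counts

def retention_covers(events, now, days=90):
    """True if retained log history reaches back at least `days` from `now`."""
    return now - min((e["ts"] for e in events), default=now) >= timedelta(days=days)

def review_overdue(last_review, now, days=90):
    """True if the manual log review fallback has not been performed within `days`."""
    return now - last_review > timedelta(days=days)

EVENTS = parse_log(SAMPLE_LOG)
```

Repeated DENY entries from one source against one access point are the condition a real deployment would forward to the designated responders; the retention and review checks are the evidence an auditor asks for.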

INCIDENT REPORTING AND RESPONSE PLANNING

Cyber Security Incident Response Plan

The responsible entity must develop and maintain a cyber security incident response plan. The cyber security incident response plan must address, at a minimum, the following:

1. Procedures to characterize and classify events as reportable cyber security incidents.

2. Response actions, including roles and responsibilities of incident response teams, incident handling procedures, and communication plans.

3. Process for reporting cyber security incidents to the Electricity Sector Information Sharing and Analysis Center (ES ISAC). The responsible entity must

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.