Overview of the NERC CIP Cyber Security Standards CIP-002-1 through CIP-009-1
On August 8, 2005, the Electricity Modernization Act of 2005, which is Title XII, Subtitle A, of the Energy Policy Act of 2005 (EPAct 2005), was enacted. EPAct 2005 includes section 215 which requires a Commission-certified Electric Reliability Organization (ERO), the North American Electric Reliability Corporation (NERC), to develop mandatory and enforceable Reliability Standards. On August 28, 2006 NERC submitted to the Federal Energy Regulatory Commission (FERC) eight Critical Infrastructure Protection (CIP) Reliability Standards to safeguard critical cyber assets. Approval of these standards will help protect the North American Bulk-Power System against potential disruptions from cyber attacks.
The CIP Reliability Standards for critical cyber assets are new and require applicable entities to develop new cyber security systems and procedures, all of which take time to develop and implement. To address this, NERC developed an implementation plan with a proposed four-stage schedule for implementing the Cyber Security Standards over a three-year period. Compliance assessment will begin in 2007.
Industrial Defender sees NERC CIP Reliability Standards CIP-002-1 through CIP-009-1 for critical cyber assets as one of the most crucial issues facing North American users, owners and operators of the Bulk Power System. The company has approached the standards by working out the requirements for its solutions through partnerships with major asset owners. We remain committed to supplying our solutions to regulated industries and to providing the highest-value solutions that help affected asset owners achieve compliance.
Education
Industrial Defender has hosted many SCADA and DCS cyber security standards conferences dating back to 2001. Leading utilities representatives have met at these symposiums to discuss the challenges they face in implementing solutions that are compliant with various cyber security standards and guidelines. Industrial Defender used such symposiums to discuss the solutions that companies needed to meet the challenge of implementation.
Developing Solutions for Compliant Applications
Industrial Defender formed a team with the specific task of reviewing the application of Industrial Defender's software and hardware in NERC-regulated environments. The team's goals are to identify best practices for implementing Industrial Defender's solutions for NERC CIP Cyber Security Standards compliance and to outline requirements for software improvements that serve this goal. The guiding principle remains: provide solutions that are easy to implement and quick to achieve results.
Since its inception, this effort has produced several tangible returns. White papers on assessing Critical Assets and Critical Cyber Assets have been developed. The release of Industrial Defender 3.0 provides key features and enhancements that further the goal of making compliance achievable "out of the box".
Customer Focus
Industrial Defender's strategy is continually focused on the needs of bulk power asset owners. Our customers desire information and guidance when implementing compliant solutions. Industrial Defender plans to work as a partner with our customers, providing services for assessing and implementing a compliant infrastructure.
| NERC CIP Reliability Standard | Requirement | Definition | Industrial Defender Service/Product Offering |
|---|---|---|---|
| CIP-002-1 Identification of Critical Cyber Assets | R1 Critical Asset Identification Method | Responsible Entity shall identify and document a risk-based assessment methodology to use to identify its Critical Assets | ID Professional Services Network Architecture Review, Vulnerability Assessment and NERC Gap Analysis services |
| CIP-002-1 | R2 Critical Asset Identification | Responsible Entity shall develop a list of its identified Critical Assets determined through an annual application of the risk-based assessment methodology | ID Professional Services Network Architecture Review, Vulnerability Assessment and NERC Gap Analysis services |
| CIP-002-1 | R3 Critical Cyber Asset Identification | Responsible Entity shall develop a list of associated Critical Cyber Assets essential to the operation of the Critical Asset | ID Professional Services Network Architecture Review, Vulnerability Assessment and NERC Gap Analysis services |
| CIP-002-1 | R4 Annual Approval | A senior manager or delegate shall approve annually the list of Critical Assets and the list of Critical Cyber Assets | Not Applicable |
| CIP-003-1 Security Management Controls | R1 Cyber Security Policy | Responsible Entity shall document and implement a cyber security policy that represents management's commitment and ability to secure its Critical Cyber Assets | ID Professional Services Network Architecture Review, Vulnerability Assessment and NERC Gap Analysis services |
| CIP-003-1 | R2 Leadership | Requires the designation of a single manager who has direct and comprehensive responsibility for the implementation of, and ongoing compliance with, the CIP Reliability Standards | Not Applicable |
| CIP-003-1 | R3 Exceptions | Requires a Responsible Entity to periodically submit to the Regional Entity the documentation of exceptions to the cyber security policy | ID Professional Services Network Architecture Review, Vulnerability Assessment and NERC Gap Analysis services |
| CIP-003-1 | R4 Information Protection | The Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets | ID SEM user administration includes individual password access and user permissions |
| CIP-003-1 | R5 Access Control | Implement a program for managing access to protected Critical Cyber Asset information | ID SEM user administration includes individual password access and user permissions |
| CIP-003-1 | R6 Change Control and Configuration Management | Establish and document a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software | ID MSS Configuration Management services include move/add/change requests as well as configuration backups |
| CIP-004-1 Personnel and Training | R1 – R4 | Requires that personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness | ID Professional Services can assist with personnel and training requirements |
| CIP-005-1 Electronic Security Perimeter | R1 Electronic Perimeter | Ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter | ID Guard UTM offers traditional firewall protection as well as secure VPN and antivirus at the perimeter |
| CIP-005-1 | R2 Electronic Access Controls | Implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter | ID Guard UTM implements access control via username/password or LDAP/RADIUS server; ID MSS 24x7 event management service monitors the security of ID Guard and third-party firewalls |
| CIP-005-1 | R3 Monitoring Electronic Access | Implement and document an electronic or manual process for monitoring and logging access at access points to the Electronic Security Perimeter(s) 24 hours a day, 7 days a week | ID Guard, NIDS and HIDS detect unauthorized access and send alerts to ID SEM; ID SEM logs all alerts and provides standard reports for a NERC auditor; ID MSS 24x7 event management service monitors the security of ID Guard and third-party firewalls |
| CIP-005-1 | R4 Cyber Vulnerability Assessment | Perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually | ID Professional Services Vulnerability Assessment and NERC Gap Analysis services |
| CIP-005-1 | R5 Documentation Review and Maintenance | Review, update, and maintain all documentation to support compliance with the requirements of Standard CIP-005 | ID Professional Services Network Architecture Review and NERC Gap Analysis services; ID SEM logs all alerts and provides standard reports for a NERC auditor |
| CIP-006-1 Physical Security of Cyber Assets | R1 – R6 | Ensure the implementation of a physical security program for the protection of Critical Cyber Assets | ID Professional Services can assist with physical security assessment services |
| CIP-007-1 Systems Security Management | R1 Test Procedures | Ensure that new Cyber Assets and significant changes to existing Cyber Assets within the Electronic Security Perimeter do not adversely affect existing cyber security controls | ID MSS Configuration Management services include move/add/change requests as well as configuration backups |
| CIP-007-1 | R2 Ports and Services | Establish and document a process to ensure that only those ports and services required for normal and emergency operations are enabled | ID HIDS and NIDS monitor control system workstations and networks for potentially malicious port and service activity and send alerts to ID SEM; ID NIDS extends traditional signatures to include control-system-specific protocols and functions |
| CIP-007-1 | R3 Security Patch Management | Establish and document a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s) | ID SEM automatically updates all ID Guard and ID NIDS signatures as well as software updates; ID MSS IPS/IDS signature updates ensure all managed devices, including third-party products, are up to date |
| CIP-007-1 | R4 Malicious Software Prevention | Use anti-virus software and other malicious software ("malware") prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s) | ID Guard includes firewall, virus protection and intrusion prevention at the perimeter, thus offering the benefit of not having to install these technologies on operator stations and other high-availability control system workstations |
| CIP-007-1 | R5 Account Management | Establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access | ID SEM includes an auditing feature that creates an audit trail of all user activity; ID MSS log file analysis service performs a review of all authorized and blocked connections |
| CIP-007-1 | R6 Security Status Monitoring | Ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security | ID HIDS, NIDS and Guard send all events to the ID SEM, which presents the information on a customizable incident screen |
| CIP-007-1 | R7 Disposal or Redeployment | Establish formal methods, processes, and procedures for disposal or redeployment of Cyber Assets within the Electronic Security Perimeter(s) as identified and documented in Standard CIP-005 | ID MSS Configuration Management service includes performing move/add/change requests for all managed devices |
| CIP-007-1 | R8 Cyber Vulnerability Assessment | Perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually | ID Professional Services team has performed more Vulnerability Assessments of SCADA and DCS networks than any other company |
| CIP-007-1 | R9 Documentation Review and Maintenance | Review and update the documentation specified in Standard CIP-007 at least annually | ID Professional Services Network Architecture Review, Vulnerability Assessment and NERC Gap Analysis services |
| CIP-008-1 Incident Reporting and Response Planning | R1 Cyber Security Incident Response Plan | Develop and maintain a Cyber Security Incident response plan that includes procedures to classify events, response actions including the roles of response teams, and a process for reporting Cyber Security Incidents to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC) | ID Professional Services offers emergency response planning consulting; ID MSS provides 24x7 event management and escalation services |
| CIP-008-1 | R2 Cyber Security Incident Documentation | Keep relevant documentation related to Cyber Security Incidents reportable per Requirement R1.1 for three calendar years | ID SEM logs all alerts and provides standard reports for a NERC auditor |
| CIP-009-1 Recovery Plans for Critical Cyber Assets | R1 Recovery Plans | Create and annually review recovery plan(s) for Critical Cyber Assets | ID Professional Services offers disaster recovery consulting |
| CIP-009-1 | R2 Exercises | The recovery plan(s) shall be exercised at least annually. An exercise of the recovery plan(s) can range from a paper drill, to a full operational exercise, to recovery from an actual incident | Not Applicable |
| CIP-009-1 | R3 Change Control | Recovery plan(s) shall be updated to reflect any changes or lessons learned as a result of an exercise or the recovery from an actual incident | Not Applicable |
| CIP-009-1 | R4 Backup and Restore | Recovery plan(s) shall include processes and procedures for the backup and storage of information required to successfully restore Critical Cyber Assets | ID SEM includes backup and restore functions for all data and includes a recovery CD with shipment |
| CIP-009-1 | R5 Testing Backup Media | Information essential to recovery that is stored on backup media shall be tested at least annually to ensure that the information is available | ID SEM includes backup and restore functions for all data and includes a recovery CD with shipment |