2774 Cleveland Avenue N Roseville, MN 55113 Phone (651) 855-1760 Fax (651) 855-1712 www.midwestreliability.org
NERC CIP Compliance
10/11/2011
Authored by: Dan Barker, American Transmission Co.; Ron Bender, Nebraska Public Power District; Richard Burt, Minnkota Power Cooperative, Inc.; Marc Child, Great River Energy; Marc Gaudette, Dominion; Jennifer White, Alliant Energy
The Midwest Reliability Organization (MRO) Standards Committee (SC) is committed to providing training and non-binding guidance to industry stakeholders regarding existing and emerging Reliability Standards. Any materials, including presentations, were developed through the Standards Committee by Subject Matter Experts from member organizations within the MRO.
The materials have been reviewed by MRO staff and provide reasonable application guidance for the standard(s) addressed. Ultimately, demonstrating compliance depends on a number of factors including the precise language of the standard, the specific facts and circumstances, and quality of evidence.
These documents may be reproduced or distributed to any person or entity only in their entirety.
[NERC CIP Compliance] P a g e | 2 MIDWEST RELIABILITY ORGANIZATION
Contents
Introduction ... 3
Paper Overview ... 4
General Recommendations ... 6
CIP-002-3 – Critical Cyber Asset Identification ... 9
CIP-003-3 – Security Management Controls ... 13
CIP-004-3 – Personnel and Training ... 20
CIP-005-3 – Electronic Security Perimeters ... 25
CIP-006-3c – Physical Security of Critical Cyber Assets ... 33
CIP-007-3 – Systems Security Management ... 41
CIP-008-3 – Incident Reporting and Response Planning ... 53
CIP-009-3 – Recovery Plans for Critical Cyber Assets ... 56
Summary ... 60
Introduction
This paper has been developed to address NERC CIP compliance. The focus of this paper is not on specific requirements, but rather the overarching goal of achieving compliance and demonstrating that achievement. The question answered herein can be applied to every single entity:
How do I demonstrate that I’m complying with the NERC CIP Standards?
The key to successful compliance is to concentrate on performance and “doing the right thing” while simultaneously collecting and maintaining evidence to demonstrate that performance. It is easier to demonstrate compliance if the programs, documentation, and process outputs are designed with that task in mind. Though the recommendations within this paper will focus on demonstrating compliance, there may also be program design and configuration suggestions that will overlap with achieving compliance.
Registered entities are in various stages of compliance – some have established, effective compliance programs while others are still developing compliance programs and considering the implications of CIP compliance. The authors of this paper have varied levels of audit experience, ranging from sufficiency audits to audits of all 43 requirements in the CIP Standards. The guidance within this paper is derived from those experiences, as well as the experiences of creating and implementing CIP compliance programs in general. The recommendations in this paper should be helpful to entities responsible for implementing brand new programs as well as those entities engaged in adjusting existing programs to more effectively achieve compliance after audit experiences or program maturation.
Paper Overview
The authors of this paper engaged in hours of discussion over the finer points of interpretation, security practices, and system capability. At the end of those discussions, the authors didn’t always agree. In order to ensure that the results were based on a strict application of the language of the Standards, the results of those conversations have been categorized into the following sections:
General Recommendations:
A successful compliance program relies heavily on a few, universally applied principles. These principles are so central that they were repeated in the discussion of every single requirement. The recommendations in this section should be remembered and revisited when each component of a compliance program is designed.
CIP-002-3 through CIP-009-3:
In addition to the general recommendations, each Standard has an approach more likely to yield success than another. Those approaches have been identified in each section using the following elements:
The actual Standards language is included in each section for reference. This is included for ease of use.
Definitions sections identify the terms in each Standard that should be clearly documented by the entity. Actual definitions are not provided, as they will differ based on the individual compliance program. Instead, these sections simply list the terms that become pivotal within that compliance program.
Recommendations for each requirement are based on strict application. Where sub-requirements require additional information, they will be specifically addressed. It is important to remember that all of the recommendations are to be understood as suggestions and are non-binding application guidance.
Tips are included within each Recommendation section. Adherence to these tips is not required for strict compliance. Instead, following this guidance may make compliance easier to achieve or demonstrate.
Notes are also provided in the Recommendations sections where additional considerations are necessary. They contain detail that should be considered when implementing the recommendation.
Evidence sections include a high-level list of the types of evidence that an auditor will likely request or the types of evidence that, if provided, will give the auditors a clear demonstration of compliance. Of course, additional evidence may be appropriate based on the specific compliance implementation. If it clearly answers a compliance question or demonstrates an activity required for compliance, it’s a good idea to include it, regardless of whether or not it appears in the evidence lists in this paper.
Summary:
This paper is based on Version 3 of the CIP Standards. The authors are aware that at least two more versions are underway and in various states of draft and/or approval. The body of this paper does not address future versions or anticipated changes within those versions.
General Recommendations
While there are details within each requirement that require specific attention, some aspects of compliance are consistent throughout. Each recommendation in this section can be applied to most, if not all, of the requirements. When developing the individual components of a compliance program, each of these recommendations should be revisited. Where any of these can be uniquely applied to an individual requirement, they will be mentioned again in that section.
Documentation: “If you didn’t document it, you didn’t do it.” Many of the requirements speak directly to documenting a program or process. However, not all documents are created equal.
o Structure – Documents used for compliance should have components that ensure inclusion of necessary information, change management, and references to other relevant documents. Remember your audience and choose a format that allows users and auditors to find information quickly and easily. Helpful components include: Owner/Approver, Definitions, Purpose (mapped to the CIP requirement addressed), Procedure, etc.
o Revision history – Revision history makes it possible to demonstrate that revisions are made in accordance with implementation deadlines, procedural change timeframes, annual reviews, etc. Keeping revision history will establish point-in-time compliance. It is also helpful to have a summary of what changed with each revision. Maintain revision history for the duration of the audit period.
o Roles and Responsibilities – Written procedures are a great way to ensure that each individual knows his or her role in the process. Additionally, they help add clarity in identifying a Subject Matter Expert (SME) to participate during an audit.
o Tip: Unless required by the Standards, use titles not names.
Evidence Considerations: Evidence is more than just documentation. Demonstrating compliance usually means “corroborating” evidence. In other words, compliance programs should be designed to produce an output of several auditable records for each requirement to demonstrate performance. A documented process is the first part of demonstrating compliance. Additional examples include a log file, a change request form, a visitor log, or an incident response drill attendance sheet. For each requirement, a documented process and at least one other additional record should be available to demonstrate compliance.
The best types of evidence are consistent throughout the organization. For example, NERC CIP changes should require the same request form and follow the same processes, yielding exactly the same types of output. They should also provide reliable time/date stamps that are difficult to falsify. As an example, screen captures should include a visible time and date stamp within the capture.
Attestations provided for compliance activities are considered weaker evidence, which may need to be corroborated with stronger evidence. But where demonstration of a null list or the absence of an activity is necessary, an attestation may be the only record that can be provided in addition to the documented process; therefore an attestation may be sufficient.
Reviews: Another item expressly addressed throughout the CIP Standards is the requirement to conduct “reviews.” Each documented process should be accompanied by a description of how reviews are initiated, conducted, and tracked. Rigor and formality in this process will be rewarded. For each documented review, the auditor should easily understand:
o Who was the reviewer?
o What content was reviewed?
o When was it reviewed?
o Were changes made? If so, what changed and how were the changes communicated?
Definitions: Each requirement may contain words or phrases that are not entirely clear. Even “industry” terms can be applied differently in relation to a specific program or device. NERC has published, and continues to publish, documents that can be used to understand what is meant by the terms included in the Standards. These documents include, but are not limited to, Compliance Application Notices (CANs), Reliability Standard Audit Worksheets (RSAWs), interpretation documents, and guidance documents. Even though these documents can provide assistance, it is the obligation of the entity to ensure that the definition or interpretation in use is documented. It’s reasonable to use definitions from trusted resources in the industry, but reliance on that definition should be supported in a documented part of the specific program to which it applies. In fact, even where using a definition provided by NERC, ensure that definition is documented with the program for point-in-time understanding of the entity’s implementation of CIP compliance.
References: There are lots of available guidance documents for writing emergency and operating plans, determining sound security practices, specifications for configuration of physical and electronic controls, industry standards, etc. Adhering to the guidance within those materials can aid in developing and maintaining compliance programs, as well as demonstrate rigor in researching available solutions. Maintain copies of source material to provide during audits, as this can help explain why specific elements were implemented.
Support: Within the organization, it’s possible that disparate groups engage in the support of the assets within the scope of CIP compliance. Historically segregated IT and business areas are sharing responsibilities and control in order to achieve compliance. Configurations required for compliance should be protected by strong change control processes and clear documentation outlining roles and responsibilities. Personnel who may only be peripherally involved in support of CIP assets, perimeters, and information should receive CIP training.
Correlation: Ensure a broad understanding of all the NERC Reliability Standards (BAL, COM, CIP, EOP, FAC, INT, IRO, MOD, NUC, PER, PRC, TOP, TPL, VAR) when developing a CIP Compliance program. This understanding should include reporting obligations, definitions, and any cross-references. Ensure that documented processes are consistent throughout the entity’s compliance programs.
Audits: When resources and time allow, internal and vendor audit resources should be considered for program definitions, targeted auditing, or full mock audits. The entity can rehearse interviewing, learn about its ability to respond to audit scenarios or information requests, practice compiling evidence and documentation, and identify potential insufficiencies. It can be helpful to check with neighboring entities for reliable vendors. A pre-audit conference call or meeting with MRO audit staff is strongly encouraged by MRO to address questions and answers. Keep in mind that MRO staff will answer questions like “What evidence is required to demonstrate compliance?” but will not answer “If I do this, will I be compliant?”
Collaboration: Within the constraints of information protection, entities can benefit from sharing program designs, interpretations, implementation tips, and audit experiences. Collaboration can result in innovative solutions to common problems, increased leverage when dealing with common vendors, as well as shared expertise and lessons learned. Note: It’s important to remember that individual audit experiences may vary, and information should be carefully weighed by each entity before action, even if that information is contained within this paper.
Timing: Consider your compliance activities when scheduling major projects that may share personnel, technology, or other resources. Consider freezes on technology or process changes when preparing for a regional audit, schedule internal audit activities outside of self-certification windows, etc. Wherever possible, avoid competition for the same people and resources so that individual priorities line up appropriately.
CIP-002-3 – Critical Cyber Asset Identification
The creation of a Risk-Based Assessment Methodology for identifying Critical Assets, and the subsequent evaluations of criticality for the associated cyber devices, will ultimately determine the size and scope of the entity’s CIP compliance program, including the applicability of the CIP-003 through CIP-009 Standards.
CIP-002-3 Requirements:
R1. Critical Asset Identification Method — The Responsible Entity shall identify and document a risk-based assessment methodology to use to identify its Critical Assets.
R1.1. The Responsible Entity shall maintain documentation describing its risk-based assessment methodology that includes procedures and evaluation criteria.
R1.2. The risk-based assessment shall consider the following assets:
R1.2.1. Control centers and backup control centers performing the functions of the entities listed in the Applicability section of this standard.
R1.2.2. Transmission substations that support the reliable operation of the Bulk Electric System.
R1.2.3. Generation resources that support the reliable operation of the Bulk Electric System.
R1.2.4. Systems and facilities critical to system restoration, including blackstart generators and substations in the electrical path of transmission lines used for initial system restoration.
R1.2.5. Systems and facilities critical to automatic load shedding under a common control system capable of shedding 300 MW or more.
R1.2.6. Special Protection Systems that support the reliable operation of the Bulk Electric System.
R1.2.7. Any additional assets that support the reliable operation of the Bulk Electric System that the Responsible Entity deems appropriate to include in its assessment.
R2. Critical Asset Identification — The Responsible Entity shall develop a list of its identified Critical Assets determined through an annual application of the risk-based assessment methodology required in R1. The Responsible Entity shall review this list at least annually, and update it as necessary.
R3. Critical Cyber Asset Identification — Using the list of Critical Assets developed pursuant to Requirement R2, the Responsible Entity shall develop a list of associated Critical Cyber Assets essential to the operation of the Critical Asset. Examples at control centers and backup control centers include systems and facilities at master and remote sites that provide monitoring and control, automatic generation control, real-time power system modeling, and real-time inter-utility data exchange. The Responsible Entity shall review this list at least annually, and update it as necessary. For the purpose of Standard CIP-002-3, Critical Cyber Assets are further qualified to be those having at least one of the following characteristics:
R3.1. The Cyber Asset uses a routable protocol to communicate outside the Electronic Security Perimeter; or,
R3.2. The Cyber Asset uses a routable protocol within a control center; or,
R3.3. The Cyber Asset is dial-up accessible.
R4. Annual Approval — The senior manager or delegate(s) shall approve annually the risk-based assessment methodology, the list of Critical Assets and the list of Critical Cyber Assets. Based on Requirements R1, R2, and R3 the Responsible Entity may determine that it has no Critical Assets or Critical Cyber Assets. The Responsible Entity shall keep a signed and dated record of the senior manager or delegate(s)’s approval of the risk-based assessment methodology, the list of Critical Assets and the list of Critical Cyber Assets (even if such lists are null.)
Definitions: The terminology used within any CIP-002 risk based methodology should be carefully defined and included in all documentation. If any proprietary terms impact the risk based methodology or its application, be sure to include those, as well as the following:
o “Essential to the operation of the critical asset” – Have some criteria for this evaluation.
o “Annual” – Be sure to document what you consider “annual” – once per calendar year, 12 rolling months, etc. Even if this lines up with the NERC guidance document, write it down.
o “Control Center,” “Critical Asset,” “Critical Cyber Asset,” and “Cyber Assets” – These are all terms that have industry-established definitions, but entities should consider including those definitions within compliance documentation. Documenting the definition will also allow the entity to add qualifiers and conditions that may be useful in determining inclusion or exclusion of devices or locations while demonstrating that compliance is still achieved.
Recommendations:
CIP-002-3 R1 Critical Asset Identification Method and R2 Critical Asset Identification
o R1.2 is formatted to include sub-requirements for each type of asset that should be included in the risk based methodology. Consider mapping documentation to those sub-requirements. Also, use common terminology or ensure direct mapping from proprietary terminology to the verbiage used within the Standards.
o Document the criteria used to evaluate the criticality of each type of asset. It might be helpful to enlist Bulk Electric System (BES) Asset Subject Matter Experts (SMEs) to assist in the establishment of those criteria, as they are the best equipped to understand impact and criticality. Document the process for applying the risk based methodology and completing the evaluation. Include the results of the evaluations (scorecard) and the name(s) and expertise of the individual(s) completing the assessment.
o The application of the risk based methodology should start with a complete inventory of all systems and assets. Clearly document any filter applied to the inventory before the application of the risk based methodology that reduces the number of assets considered. The risk based methodology should also account for the fact that the complete list of systems and assets to be assessed changes over time, and describe how that list is kept current.
o Ensure that new assets can be added in between approval cycles to address periodic changes to BES assets. It may help to keep documentation from regular meetings designed to address any changes.
o If the application of the risk based methodology results in a null list, the application results and the list, itself, must be documented.
o Avoid basing an evaluation on any assets, facilities, or systems as though they are isolated. Make sure you are considering common mode failures.
o If any additional assets are identified pursuant to R1.2.7, ensure complete documentation of the criteria or definitions used to identify them.
CIP-002-3 R3 Critical Cyber Asset Identification
o Document the criteria used to evaluate the criticality of each type of cyber asset. It might be helpful to enlist system administrators for each type of asset, system, or perimeter in the establishment of those criteria, as they are best equipped to understand impact and criticality.
o Document the process for applying the risk based methodology and completing the criticality evaluation. Include the process of acquiring the original list of cyber devices to which the risk based methodology will be applied, the results of the criticality evaluations (scorecard), and the name(s) and expertise of the individual(s) completing the assessment.
o For both the criticality methodology and associated documentation, consider grouping Critical Cyber Assets (CCAs) based on identified subcategories (e.g., Operating System (OS), device type, etc.) These categories can expedite the application of the risk based methodology and make it easier to create documentation for the other Standards.
o Once the criteria for determining the criticality of a cyber asset are determined, consider removal of non-Critical Cyber Assets (nCCAs) from within Electronic Security Perimeters (ESPs) (e.g. printers) that house CCAs. Because nCCAs within the ESP must be protected in most of the ways CCAs must be protected, reduction of that list will reduce the overall compliance effort.
o Be prepared to defend what is on your list and what is not on your list.
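As an added illustration of the R3 qualifying characteristics and of the grouping and nCCA-within-ESP points above (example code written for this edit, not part of the MRO paper or any NERC material), the script below applies the three R3 characteristics to a constructed Cyber Asset inventory, produces the CCA list and a per-asset scorecard record, groups CCAs by device type, and flags non-CCAs that share an ESP with a CCA. The field names, the sample assets, and the assumption that each record already carries the outcome of the “essential to the operation of the Critical Asset” evaluation are all assumptions made for the example.

```python
"""Added example (not from the MRO paper or NERC): applying the
CIP-002-3 R3 qualifying characteristics to a constructed Cyber Asset
inventory. Field names and sample assets are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CyberAsset:
    name: str
    esp: str                          # ESP (or network zone) the device sits in; assumed field
    device_type: str                  # used for the sub-category grouping
    essential_to_ca: bool             # outcome of the "essential to the Critical Asset" evaluation
    routable_outside_esp: bool        # R3.1: routable protocol outside the ESP
    routable_in_control_center: bool  # R3.2: routable protocol within a control center
    dialup_accessible: bool           # R3.3: dial-up accessible


def r3_characteristics(asset):
    """Return the R3 sub-requirements the asset satisfies (empty list if none)."""
    hits = []
    if asset.routable_outside_esp:
        hits.append("R3.1")
    if asset.routable_in_control_center:
        hits.append("R3.2")
    if asset.dialup_accessible:
        hits.append("R3.3")
    return hits


def is_cca(asset):
    """A CCA is essential to a Critical Asset AND has at least one R3 characteristic."""
    return asset.essential_to_ca and bool(r3_characteristics(asset))


def classify(inventory):
    """Split the inventory into CCAs, non-CCAs inside an ESP that houses a CCA
    (which the paper notes must be protected in most of the same ways), and
    assets outside any such ESP."""
    ccas = [a for a in inventory if is_cca(a)]
    cca_esps = {a.esp for a in ccas}
    nccas_in_esp = [a for a in inventory if not is_cca(a) and a.esp in cca_esps]
    outside = [a for a in inventory if not is_cca(a) and a.esp not in cca_esps]
    return ccas, nccas_in_esp, outside


def group_by_type(assets):
    """Sub-categorise assets (here by device type) to speed up per-category documentation."""
    groups = defaultdict(list)
    for a in assets:
        groups[a.device_type].append(a.name)
    return dict(groups)


def scorecard(inventory):
    """Per-asset record of the evaluation, the kind of content a dated scorecard carries."""
    return [{"name": a.name, "essential": a.essential_to_ca,
             "r3": r3_characteristics(a), "cca": is_cca(a)} for a in inventory]


# Constructed sample inventory; names, zones and flags are made up for the example.
INVENTORY = [
    CyberAsset("ems-scada-01", "ESP-CC", "server", True, True, True, False),
    CyberAsset("ems-hist-01", "ESP-CC", "server", True, False, True, False),
    CyberAsset("cc-printer-01", "ESP-CC", "printer", False, False, True, False),
    CyberAsset("rtu-sub7", "ESP-SUB7", "rtu", True, False, False, True),
    CyberAsset("relay-sub7-a", "ESP-SUB7", "relay", True, False, False, False),
    CyberAsset("corp-fileshare", "CORP", "server", False, True, False, False),
]

if __name__ == "__main__":
    ccas, nccas, outside = classify(INVENTORY)
    print("CCAs:", [a.name for a in ccas])
    print("non-CCAs sharing an ESP with a CCA:", [a.name for a in nccas])
    print("outside CCA ESPs:", [a.name for a in outside])
    print("CCAs by device type:", group_by_type(ccas))
```

The relay in the sample is essential to its Critical Asset but has none of the R3 characteristics, so it is not a CCA under CIP-002-3; it still appears in the list of non-CCAs sharing an ESP with a CCA, which is exactly the kind of inclusion or exclusion an entity must be prepared to defend, and the printer is the kind of device the paper suggests removing from the ESP to shrink the compliance effort.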
CIP-002-3 R4 Annual Approval
o Ensure that the senior manager designated in accordance with CIP-003 R2 has, on an annual basis, approved, signed and dated:
the risk-based assessment methodology for determining Critical Assets (new in CIP-002-2 and continued in CIP-002-3)
the list of Critical Assets
the list of Critical Cyber Assets
o If a delegate has approved, signed and dated any of the identified lists or methodologies, ensure the delegation of those responsibilities is documented.
o If any null lists exist for the CA or CCA identification, they must still be approved, signed, and dated.
CIP-002-3 R1 and R2 Evidence Considerations:
Critical Asset identification risk-based methodology
Annual records of the application of the risk-based methodology (dated scorecards)
Critical Asset List or null attestation
CIP-002-3 R3 Evidence Considerations:
Critical Cyber Asset identification methodology
Annual records of the application of the methodology (dated scorecards)
CIP-002-3 R4 Evidence Considerations:
Dated Sr. Manager or delegate approval for the Critical Asset identification risk-based methodology
Dated Sr. Manager or delegate approval for the Critical Asset List or null attestation
Dated Sr. Manager or delegate approval for the Critical Cyber Asset List or null attestation
CIP-003-3 – Security Management Controls
The requirements in CIP-003 need to be considered for more than just the Security Management Controls. Due to potentially-related procedures and literal cross-references, many of the requirements in CIP-007 will tie back to the requirements herein. It is up to each entity to determine the extent to which these relationships between the Standards will create relationships in the individual procedures. Whether operationally tied or not, where cross-references exist, the requirements should be considered as additive requirements rather than as replacements.
CIP-003-3 Requirements:
R1. Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
R1.1. The cyber security policy addresses the requirements in Standards CIP-002-3 through CIP-009-3, including provision for emergency situations.
R1.2. The cyber security policy is readily available to all personnel who have access to, or are responsible for, Critical Cyber Assets.
R1.3. Annual review and approval of the cyber security policy by the senior manager assigned pursuant to R2.
R2. Leadership — The Responsible Entity shall assign a single senior manager with overall responsibility and authority for leading and managing the entity’s implementation of, and adherence to, Standards CIP-002-3 through CIP-009-3.
R2.1. The senior manager shall be identified by name, title, and date of designation.
R2.2. Changes to the senior manager must be documented within thirty calendar days of the effective date.
R2.3. Where allowed by Standards CIP-002-3 through CIP-009-3, the senior manager may delegate authority for specific actions to a named delegate or delegates. These delegations shall be documented in the same manner as R2.1 and R2.2, and approved by the senior manager.
R2.4. The senior manager or delegate(s), shall authorize and document any exception from the requirements of the cyber security policy.
R3. Exceptions — Instances where the Responsible Entity cannot conform to its cyber security policy must be documented as exceptions and authorized by the senior manager or delegate(s).
R3.1. Exceptions to the Responsible Entity’s cyber security policy must be documented within thirty days of being approved by the senior manager or delegate(s).
R3.2. Documented exceptions to the cyber security policy must include an explanation as to why the exception is necessary and any compensating measures.
R3.3. Authorized exceptions to the cyber security policy must be reviewed and approved annually by the senior manager or delegate(s) to ensure the exceptions are still required and valid. Such review and approval shall be documented.
R4. Information Protection — The Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets.
R4.1. The Critical Cyber Asset information to be protected shall include, at a minimum and regardless of media type, operational procedures, lists as required in Standard CIP-002-3, network topology or similar diagrams, floor plans of computing centers that contain Critical Cyber Assets, equipment layouts of Critical Cyber Assets, disaster recovery plans, incident response plans, and security configuration information.
R4.2. The Responsible Entity shall classify information to be protected under this program based on the sensitivity of the Critical Cyber Asset information.
R4.3. The Responsible Entity shall, at least annually, assess adherence to its Critical Cyber Asset information protection program, document the assessment results, and implement an action plan to remediate deficiencies identified during the assessment.
R5. Access Control — The Responsible Entity shall document and implement a program for managing access to protected Critical Cyber Asset information.
R5.1. The Responsible Entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information.
R5.1.1. Personnel shall be identified by name, title, and the information for which they are responsible for authorizing access.
R5.1.2. The list of personnel responsible for authorizing access to protected information shall be verified at least annually.
R5.2. The Responsible Entity shall review at least annually the access privileges to protected information to confirm that access privileges are correct and that they correspond with the Responsible Entity’s needs and appropriate personnel roles and responsibilities.
R5.3. The Responsible Entity shall assess and document at least annually the processes for controlling access privileges to protected information.
R6. Change Control and Configuration Management — The Responsible Entity shall establish and document a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement supporting configuration management activities to identify, control and document all entity or vendor-related changes to hardware and software components of Critical Cyber Assets pursuant to the change control process.
Definitions: In addition to those listed below, any proprietary terms used in the application of CIP-003-3 should be included in any related documentation:
o “Emergency Situations” – It might be helpful to include examples or criteria with a definition.
o “Critical Cyber Asset Information” – While an information protection program can be compliant without having a special classification for NERC CIP information, be prepared to defend any information included, and especially excluded, from the overall information protection program as it relates to the types of information prescribed by the Standards.
Recommendations:
CIP-003-3 R1 Cyber Security Policy
o The Cyber Security Policy is the only document requiring a senior manager signature that cannot be delegated. Ensure the individual identified in CIP-003 R2 is the individual that signs/approves this policy.
o For R1.1, “including provision for emergency situations” is an additive requirement and must be addressed. It may help to treat it as a separate requirement. Ensure thorough documentation of the individual(s) with authority to declare and conclude emergency situations, along with the specific procedures for those activities. Document the changes to normal operating procedures that are allowed during emergency situations (e.g., emergency change controls, exceptions to physical and logical controls, etc.), as well as the compensatory measures in place to mitigate risk.
o If your organization has a corporate emergency restoration or business continuity plan, it is important to ensure that these plans do not contain instructions or processes that contradict those in place for compliance. To the extent that it is possible, cross-references will aid responders in ensuring all requirements are met.
o If your organization allows electronic signatures, consider document management systems to expedite approvals.
o For R1.2, be prepared to demonstrate that all personnel who have access to, or are responsible for, Critical Cyber Assets can readily obtain the cyber security policy. The text within the policy should explicitly state that availability, as well as any electronic or hardcopy methods of dissemination. Be sure to address availability for external personnel.
o TIP: Methods for ensuring availability for external personnel include, but are not limited to: access to company/corporate internet pages, delivery with annual training, mailings, or corporate/company billboards.
CIP-003-3 R2 Leadership
o This procedure should, at a minimum, address:
  - The process for documenting the designation of the “Senior Manager” responsibilities and any relationship to other roles within the organization
  - Any delegation processes specific to these responsibilities, including the approval of the delegation by the Senior Manager
  - Processes for changing the designation of the “Senior Manager” or any delegates due to personnel changes or absence.
o Ensure procedures include the relevant documentation updates within 30 calendar days of the personnel changes.
CIP-003-3 R1 Evidence Considerations:
  - A Cyber Security Policy
  - Evidence of availability
o TIP: Consider an official form for any delegation which specifies the responsibilities being delegated and the period of delegation.
o TIP: Minimize delegation. Delegation used in excess can create a negative impression of corporate leadership and their awareness of and engagement in CIP activities.
CIP-003-3 R3 Exceptions
o Even if no exceptions are currently necessary, processes for declaration, authorization, and conclusion should be documented.
o Within exception processes, potential scope of allowable exceptions, any relationship to Technical Feasibility Exceptions (TFEs), and documentation requirements for necessity and compensatory measures should be addressed.
o Approval procedures should address annual reviews for existing exceptions as well as approval of new exceptions outside of the annual review cycle.
o Exception approval and review records should include, at a minimum:
  - Exception duration
  - Senior Manager approval date
  - Summary of exception, along with necessity
  - Risk analysis
  - Mitigation/compensatory measures
  - Subsequent evidence of annual review and approval
o TIP: Long term exceptions are discouraged within successful compliance programs, unless required by technical infeasibility and documented in accordance with those requirements.
CIP-003-3 R4 Information Protection
o Information classifications should be defined, including the individual(s) or role(s) that determines the classification and what protective measures need to be applied based on that classification.
o Information Protection policies and procedures should ensure the protection of information through its lifecycle. Procedures should address labeling, access controls, proper handling/distribution, proper use, storage, and disposal.
CIP-003-3 R2 Evidence Considerations:
  - Designation of a Senior Manager
  - Senior Manager approval for delegates
  - List of delegates with responsibilities
  - Evidence of documentation updates for personnel changes
CIP-003-3 R3 Evidence Considerations:
  - Initial exception review / approval records
o Before classifying information, ensure awareness of its uses, both internally and publicly. For example, in some locations, floor plans are stored at the county court house. In those instances, a “confidential” classification may not make sense unless a copy of that floor plan includes additional, sensitive information.
o For R4.3, ensure a procedure for the assessments is documented, including initiation, required personnel, sampling criteria, etc. Define any situations or criteria that would constitute a “deficiency,” as well as acceptable timeframes for mitigations. Document the process for creating mitigation plans and ensuring completion within specified timeframes. Also, ensure that the results from the annual assessments are maintained. Official forms may be helpful for capturing assessment information.
o TIP: Information protection policies and procedures should be flexible enough to address newly identified types of information and repositories.
o TIP: An information protection program should include the components found in requirement #4.
o TIP: If existing information protection policies will be used for NERC CIP compliance, ensure an annual review of those policies if not already implemented.
CIP-003-3 R5 Access Control
o This requirement is not limited to information protection; it should also be used to establish access controls for account management, as a product of the cross-reference in CIP-007 R5. As these sub-requirements relate to account management, they will be addressed in that section of this white paper.
o Know what you have and where it lives. For information, this means a comprehensive understanding (which can be an inventory) of existing information is the first step. This includes formats, physical and electronic repositories, any copies, etc. With respect to information, the Standards do not explicitly require an information inventory, though it is easy to see how maintenance of an inventory would aid ongoing compliance. At a minimum, an annual collection and review of the quantity, quality, and location of information is sufficient.
o Be cognizant of duplicate data used for multiple types of documentation and different business needs. Multiple controls and repositories may be appropriate to limit access appropriately.
o At least once annually, the actual access to each repository should be identified, reviewed, and verified as “appropriate.” Understand that this list may include personnel (IT or physical plant) that support the infrastructure in addition to users of the actual information. Even though these personnel do not use the actual information, a “business need” for that access is still demonstrated as it is required to perform support functions.
CIP-003-3 R4 Evidence Considerations:
  - Information Protection policies and procedures
  - Assessment methodology
o The annual components of this requirement apply only to the access reviews; the access controls themselves apply 24/7. Ensure that access to information, either electronic or physical, has robust change control implemented. This can mean using the same kinds of request, prerequisite, configuration, and removal processes/timeframes as are implemented for CCA access, but that level is not required.
o In order to demonstrate the ability to understand point-in-time access to NERC CIP information, you should either maintain a list with real-time updates to actual access or you should be able to generate the current list of actual access at any time. Thoroughly document whatever controls are in place to ensure one or the other.
o For R5.2, the lists of access, the reviews for appropriateness, the personnel performing the reviews, and any corrections/mitigations for identified issues should all be included in the documentation of assessments.
o For R5.3, the controls in place to protect information should be reviewed. To make this possible, all controls must be documented, and those processes and procedures should be reviewed at least once annually.
o TIP: Design your data management system to be as automated as possible for tracking, reviewing, approving, and communicating access changes and changes to the information itself.
CIP-003-3 R6 Change Control and Configuration Management
o For configuration management, identify the list of attributes that will be tracked for each protected cyber asset. To ensure an ongoing understanding of the configuration of protected devices, create a process and a schedule for verifying the accuracy of the attributes.
o For change control, the first step is to thoroughly define the changes that must be documented through this program. Consider decision trees or examples to help determine whether or not change control processes are required.
o TIP: For defining significant changes, start with the list of significant changes identified in CIP-007 R1 and R7 and add any others, as appropriate to the protected systems. In some cases, changes within the application (e.g., clearance code changes for physical access control systems) may constitute the kinds of changes requiring formal request and approval processes.
CIP-003-3 R5 Evidence Considerations:
  - List of personnel responsible for authorizing information access, which includes names and titles
  - Annual verification of list of personnel responsible for authorizing information access
  - Annual review / verification of the access privileges for information
  - Annual review of the process for controlling access
o Change control programs should identify “normal” change control processes, which include formal/documented:
  - request processes that include a description of the change thorough enough to allow the approver to understand the changes and identify any BES risk or impact
  - identification of the appropriate approver(s)
  - signed (electronic or manual) and dated approval
  - completion date of the change
o Change control and configuration management programs should have clear request and approval processes for vendor-related changes or vendor-initiated changes before the changes are implemented.
o Consider linking test records from CIP-007 R1 to change control processes to ensure traceability between any significant changes and the required security testing. NOTE: Be aware that linking change control to security testing by using the exact same definitions for significant change may programmatically force security posture testing for application changes that may not impact security of the device itself. Analyze several change examples to ensure each program is joined where feasible and separated where reasonable.
o Consider linking documentation updates to related changes. This can help demonstrate that changes to documentation were made within compliance timeframes (usually 30 calendar days).
o Exceptions to normal change control processes should be documented. “Emergency” change control processes, if allowed, should define acceptable circumstances for initiation, approval processes, and personnel authorized to make decisions if primary change approvers or implementers are unavailable.
o If emergency changes are allowed, document their relationship, or lack of relationship, to the emergency provisions identified for CIP-003 R1.1 or even other standards. An emergency situation, such as a flood, may not require emergency changes to any individual cyber assets. Likewise, the necessary changes may be isolated to a situation requiring immediate resolution for an individual asset rather than any kind of over-arching emergency situation.
CIP-003-3 R6 Evidence Considerations:
  - Documented Change Control & Configuration Management process
  - Change records
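The following script is an added example, not code from the MRO paper or any entity's program. It shows one way to tie the pieces of the R6 discussion together: a fixed list of tracked attributes per protected cyber asset, a comparison of a verification snapshot against the recorded baseline, a traceability check that every observed difference points back at an approved and completed change record, and a check of documentation updates against the 30-calendar-day window. The tracked attribute list, asset names, configuration values, approver and dates are all constructed.

```python
"""Configuration attribute tracking with change-record traceability (constructed example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Attributes tracked per protected cyber asset: a constructed list, chosen here to
# mirror the CIP-007 R1/R7 "significant change" starting point mentioned above.
TRACKED_ATTRIBUTES = ("os_version", "firmware", "open_ports", "services")


@dataclass(frozen=True)
class Drift:
    asset: str
    attribute: str
    baseline_value: object
    current_value: object


@dataclass(frozen=True)
class ChangeRecord:
    asset: str
    attribute: str
    new_value: object
    approver: str
    approved_on: date
    completed_on: Optional[date]    # None while the change is still open


def find_drift(baseline, current):
    """Compare two {asset: {attribute: value}} snapshots over the tracked attributes.
    An asset present in only one snapshot shows None on the side where it is absent."""
    drift = []
    for asset in sorted(set(baseline) | set(current)):
        old, new = baseline.get(asset, {}), current.get(asset, {})
        for attr in TRACKED_ATTRIBUTES:
            if old.get(attr) != new.get(attr):
                drift.append(Drift(asset, attr, old.get(attr), new.get(attr)))
    return drift


def unexplained_drift(drift, changes):
    """Drift with no completed change record that approved the value now configured.
    This is the traceability check: every difference should point at an approval."""
    explained = {(c.asset, c.attribute, c.new_value) for c in changes if c.completed_on}
    return [d for d in drift if (d.asset, d.attribute, d.current_value) not in explained]


def late_documentation(changes, doc_updates, window_days=30):
    """Completed changes whose asset documentation ({asset: date}) was not updated
    within window_days calendar days of completion."""
    late = []
    for c in changes:
        if c.completed_on is None:
            continue
        updated = doc_updates.get(c.asset)
        if updated is None or updated > c.completed_on + timedelta(days=window_days):
            late.append(c)
    return late


# Constructed snapshots: one approved firmware change, one service exposure with no
# change record, and one device that appeared with no baseline at all.
BASELINE = {
    "RTU-01": {"os_version": "VxWorks 6.9", "firmware": "4.1.2", "open_ports": (502,), "services": ("modbus",)},
    "HMI-02": {"os_version": "Windows 7 SP1", "firmware": None, "open_ports": (3389,), "services": ("rdp",)},
}
CURRENT = {
    "RTU-01": {"os_version": "VxWorks 6.9", "firmware": "4.2.0", "open_ports": (502,), "services": ("modbus",)},
    "HMI-02": {"os_version": "Windows 7 SP1", "firmware": None, "open_ports": (3389, 445), "services": ("rdp", "smb")},
    "EAP-03": {"os_version": "IOS 15.1", "firmware": None, "open_ports": (22,), "services": ("ssh",)},
}
CHANGES = [ChangeRecord("RTU-01", "firmware", "4.2.0", "j.doe", date(2011, 9, 1), date(2011, 9, 3))]
DOC_UPDATES = {"RTU-01": date(2011, 10, 10)}   # 37 days after completion: outside the window


def run():
    drift = find_drift(BASELINE, CURRENT)
    return {
        "drift": len(drift),
        "unexplained": [(d.asset, d.attribute) for d in unexplained_drift(drift, CHANGES)],
        "late_docs": [c.asset for c in late_documentation(CHANGES, DOC_UPDATES)],
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

The unexplained list is the set of questions an auditor would ask: each entry is a configuration difference with no approved change behind it, which is exactly what the verification schedule is meant to surface before an audit does.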
CIP-004-3 – Personnel and Training
One of the most violated of the Standards is CIP-004. This is probably not due to the difficulty of compliance, but rather to the strict timelines associated with each requirement and the volume of individual records needed to prove compliance. Process documentation will be particularly important, as it will aid in the understanding of inputs and outputs for each step of any automated or manual processes. This documentation will also help internal and external personnel understand specific responsibilities and associated timeframes. Lastly, auditors attempting to understand the implemented access controls will rely on process documentation and dated evidence to determine compliance.
CIP-004-3 Requirements:
R1. Awareness — The Responsible Entity shall establish, document, implement, and maintain a
security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets receive on-going reinforcement in sound security
practices. The program shall include security awareness reinforcement on at least a quarterly basis using mechanisms such as:
  - Direct communications (e.g., emails, memos, computer based training, etc.);
  - Indirect communications (e.g., posters, intranet, brochures, etc.);
  - Management support and reinforcement (e.g., presentations, meetings, etc.).
R2. Training — The Responsible Entity shall establish, document, implement, and maintain an
annual cyber security training program for personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets. The cyber security training program shall be reviewed annually, at a minimum, and shall be updated whenever necessary.
R2.1. This program will ensure that all personnel having such access to Critical Cyber
Assets, including contractors and service vendors, are trained prior to their being granted such access except in specified circumstances such as an emergency.
R2.2. Training shall cover the policies, access controls, and procedures as developed for
the Critical Cyber Assets covered by CIP-004-3, and include, at a minimum, the following required items appropriate to personnel roles and responsibilities:
R2.2.1. The proper use of Critical Cyber Assets;
R2.2.2. Physical and electronic access controls to Critical Cyber Assets;
R2.2.3. The proper handling of Critical Cyber Asset information; and,
R2.2.4. Action plans and procedures to recover or re-establish Critical Cyber Assets and access thereto following a Cyber Security Incident.
R2.3. The Responsible Entity shall maintain documentation that training is conducted at
least annually, including the date the training was completed and attendance records.
R3. Personnel Risk Assessment —The Responsible Entity shall have a documented personnel
risk assessment program, in accordance with federal, state, provincial, and local laws, and subject to existing collective bargaining unit agreements, for personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets. A personnel risk assessment shall be conducted pursuant to that program prior to such personnel being granted such access except in specified circumstances such as an emergency.
The personnel risk assessment program shall at a minimum include:
R3.1. The Responsible Entity shall ensure that each assessment conducted include, at
seven-year criminal check. The Responsible Entity may conduct more detailed reviews, as permitted by law and subject to existing collective bargaining unit agreements, depending upon the criticality of the position.
R3.2. The Responsible Entity shall update each personnel risk assessment at least every
seven years after the initial personnel risk assessment or for cause.
R3.3. The Responsible Entity shall document the results of personnel risk assessments of
its personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, and that personnel risk assessments of contractor and service vendor personnel with such access are conducted pursuant to Standard CIP-004-3.
R4. Access — The Responsible Entity shall maintain list(s) of personnel with authorized cyber or
authorized unescorted physical access to Critical Cyber Assets, including their specific electronic and physical access rights to Critical Cyber Assets.
R4.1. The Responsible Entity shall review the list(s) of its personnel who have such
access to Critical Cyber Assets quarterly, and update the list(s) within seven calendar days of any change of personnel with such access to Critical Cyber Assets, or any change in the access rights of such personnel. The Responsible Entity shall ensure access list(s) for contractors and service vendors are properly maintained.
R4.2. The Responsible Entity shall revoke such access to Critical Cyber Assets
within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access to Critical Cyber Assets.
Definitions: In addition to those listed below, any proprietary terms used in the
application of CIP-004-3 should be included in any related documentation:
o “Authorized Electronic Access” or “Authorized Physical Access” – It might be helpful to define these where subtle aspects might materially change the access controls in place.
o “Quarterly” – Like “annual,” this term can be interpreted in a couple different ways. Document whether this is a rolling quarter or a calendar quarter.
o “Action plans and procedures” – given the sensitive nature of actual response and recovery plans, it may not be appropriate to share the full plan prior to granting access. For the purposes of training, create a reasonable abstract that can be used to meet this requirement.
Recommendations:
CIP-004-3 R1 Awareness
o The quarterly awareness program process documentation should include typical or acceptable communication methods and frequency, as well as the type of content that is considered acceptable for the scope of this requirement.
o Security messages can relate specifically to NERC CIP or to general security concepts.
o Evidence that quarterly awareness messages have been made available should be kept and should include the date of the message and specific delivery method.
o Ensure that the awareness messages are made available to everyone with NERC CIP access and that any special communication methods used to reach vendors and off-site personnel are documented.
o Evidence of the receipt/attendance for awareness messages is not required.
o TIP: Use multiple communication methods to reach all intended audience members (e.g., company intranet for internal personnel plus an email message directly to external personnel).
CIP-004-3 R2 Training
o Training must be delivered to every individual with physical or cyber access – this will include physical plant workers, support personnel, and vendors. Document the controls that prevent access configuration without training and ensure that evidence of training reflects necessary time/date stamps.
o If third party training solutions or vendor-provided training courses are used, ensure the content can be mapped back to the R2.2 requirements, and obtain copies of the content. Be prepared to demonstrate that all training used to comply with this requirement meets the same criteria. If the training content cannot be modified to meet the requirements, be prepared to supplement it.
o All content requirements of R2.2 must be met prior to actual access being granted within the system.
o The training program needs to encompass or include all authorized internal and external personnel. Evidence of training records needs to be maintained and accessible for demonstrating compliance. Ensure the attendance records include the necessary time and date stamps and/or signatures. Attestations or lists from the third party companies with names and dates may not be sufficient.
o TIP: In order to ensure delivery of the training to all personnel with access, consider multiple delivery methods and even multiple types of courses relative to each type of access. All training courses, regardless of media or audience, should map back to the content listed in R2.2.
CIP-004-3 R1 Evidence Considerations:
  - Documented quarterly awareness program
  - Content of quarterly awareness messages
  - Method of dissemination
CIP-004-3 R2 Evidence Considerations:
  - Documented annual training program
  - Annual training content, mapped back to R2.2, at a minimum
  - Annual program review record
  - Dated attendance records (Correlation with dated access configuration records will be required for audit)
CIP-004-3 R3 Personnel Risk Assessment
o As with training, the Personnel Risk Assessment (PRA) program needs to accommodate internal and external individuals. Be prepared to provide the actual results from the PRA for each individual who has or has had physical or cyber access, regardless of who conducted the assessment. Again, attestations with names and dates will not suffice. Nor will contracts that demonstrate obligation.
o PRA results can be redacted to remove SS# or driver’s license numbers, but there should be enough information to uniquely identify the recipient. Also, the results should contain the dates over which the background investigation was conducted.
o Make sure the personnel risk assessment is done prior to the granting of access. If access was granted prior to a compliance date, ensure the PRA is completed prior to that compliance date, as well. There is no such thing as a “grandfather clause.”
o Recommendation - Make sure you have a way to evaluate the information contained in the PRA. Thoroughly define the types of findings that will result in a denial or an acceptance.
o TIP: From an HR perspective, a restrictive definition for “for cause” used for initiating an off-cycle PRA may inhibit your ability to conduct a PRA. Be cautious with this definition, or be silent on its qualifiers.
CIP-004-3 R4 Access
o It is impossible to track too much information about an individual’s physical or cyber access. Be prepared to produce evidence that specifically identifies the individual, the acquisition and removal date for every discrete type of access, and whether any removal was related to a termination or job change.
o Evidence of quarterly access reviews should follow the same guidance as document reviews, i.e., maintain records that show what was reviewed, who reviewed it, and any actions resulting from the review.
o The quarterly access review should be more than just a comparison between approved and actual lists – appropriateness of access should also be verified.
o For R4.2, define the trigger for the 24 hour clock for terminations and the seven day clock for job changes. This is especially relevant for external personnel where automated access removals may not be possible. Triggers may vary based on whether or not the individual is an internal employee.
o Make sure that when access is removed, evidence of the access is not deleted. Disable accounts, don’t delete them.
o Due to extended transitions and nebulous role/responsibility changes, the actual timeframes associated with job changes are notoriously difficult to manage. Make sure your program has thoroughly defined what constitutes a job change or the “end of business need,” and make sure you have a way to identify when they’ve occurred. If manual processes are used to initiate changes in access, make sure your program definitions account for realistic reaction times.
CIP-004-3 R3 Evidence Considerations:
  - PRA program
  - Dated, redacted PRA results and assessments (Correlation with dated access configuration records will be required for audit)
o Understand the time requirements for each component of the access removal process and its potential points of failure. TIP: Have a default option for removing access (e.g., the employee has three days to fill out the form, and if the employee doesn’t fill out the form, then the manager has three days to fill out a form. If both stages fail, perhaps access is removed automatically).
CIP-004-3 R4 Evidence Considerations:
Access control processes and policies
Personnel access lists, including specific electronic and physical privileges
Dated access configuration changes
Dated records of terminations or changes in business need (Correlation with access configuration records will be needed for audit)
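The script below is an added example, not from the MRO paper and not any entity's program. It ties the CIP-004 R4 recommendations above to the CIP-003 R5 point-in-time access list discussion earlier in this paper: it builds the current access list from dated grant and removal records, reconciles that list against the approved list, verifies that training and a PRA preceded each grant, and checks each removal against the 24-hour or seven-calendar-day clock from a documented trigger date. Treating a PRA older than seven years at grant time as a finding is an assumed reading of R3.2; every person, target, date and the sample HR events are constructed.

```python
"""Access-record correlation checks for CIP-004 R2/R3/R4 evidence (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Person:
    pid: str
    training_done: Optional[datetime]   # R2 training date, None if never trained
    pra_done: Optional[datetime]        # R3 personnel risk assessment completion date


@dataclass(frozen=True)
class AccessRecord:
    pid: str
    target: str                         # CCA, ESP or information repository
    granted: datetime
    removed: Optional[datetime] = None  # None = still active; accounts are disabled, never deleted


@dataclass(frozen=True)
class HREvent:
    pid: str
    kind: str                           # "termination" (for cause) or "job_change"
    when: datetime                      # the documented trigger that starts the clock


PRA_MAX_AGE = timedelta(days=7 * 365)   # assumed reading of the seven-year update cycle
CLOCK = {"termination": timedelta(hours=24), "job_change": timedelta(days=7)}


def actual_access(records, as_of):
    """Point-in-time view {pid: {target, ...}} of access active at as_of."""
    view = {}
    for r in records:
        if r.granted <= as_of and (r.removed is None or r.removed > as_of):
            view.setdefault(r.pid, set()).add(r.target)
    return view


def reconcile(approved, actual):
    """Compare the approved list with actual access: returns (unapproved, missing)."""
    unapproved = [(p, t) for p, ts in actual.items() for t in ts if t not in approved.get(p, set())]
    missing = [(p, t) for p, ts in approved.items() for t in ts if t not in actual.get(p, set())]
    return sorted(unapproved), sorted(missing)


def prerequisite_findings(people, records):
    """Grants made before training, before a PRA, or on a PRA older than seven years."""
    by_id = {p.pid: p for p in people}
    findings = []
    for r in records:
        p = by_id.get(r.pid)
        if p is None or p.training_done is None or p.training_done > r.granted:
            findings.append((r.pid, r.target, "training not completed before grant"))
        if p is None or p.pra_done is None or p.pra_done > r.granted:
            findings.append((r.pid, r.target, "PRA not completed before grant"))
        elif r.granted - p.pra_done > PRA_MAX_AGE:
            findings.append((r.pid, r.target, "PRA older than seven years at grant"))
    return findings


def revocation_findings(records, events):
    """Every access active at an HR event must show removal by its deadline;
    an active record with no removal date is reported as missing evidence."""
    findings = []
    for e in events:
        deadline = e.when + CLOCK[e.kind]
        for r in records:
            active = r.pid == e.pid and r.granted <= e.when and (r.removed is None or r.removed > e.when)
            if not active:
                continue
            if r.removed is None:
                findings.append((e.pid, r.target, "no removal evidence"))
            elif r.removed > deadline:
                findings.append((e.pid, r.target, f"removed {r.removed - deadline} late"))
    return findings


# Constructed sample data.
PEOPLE = [
    Person("alice", datetime(2011, 1, 10), datetime(2011, 1, 5)),
    Person("bob", datetime(2011, 3, 1), datetime(2003, 6, 1)),     # contractor with a stale PRA
    Person("carol", None, datetime(2011, 3, 20)),                   # never trained
]
RECORDS = [
    AccessRecord("alice", "ESP-A/HMI-02", datetime(2011, 2, 1), datetime(2011, 9, 16, 10)),
    AccessRecord("bob", "ESP-A/RTU-01", datetime(2011, 3, 2)),
    AccessRecord("carol", "CIP-InfoRepo", datetime(2011, 4, 1)),
]
EVENTS = [
    HREvent("alice", "termination", datetime(2011, 9, 15, 9)),     # removed one hour past 24h
    HREvent("bob", "job_change", datetime(2011, 10, 1)),           # no removal recorded
]
APPROVED = {"alice": {"ESP-A/HMI-02", "ESP-A/RTU-01"}, "bob": {"ESP-A/RTU-01"}}


def run(as_of=datetime(2011, 5, 1)):
    unapproved, missing = reconcile(APPROVED, actual_access(RECORDS, as_of))
    return {"unapproved": unapproved, "missing": missing,
            "prerequisites": prerequisite_findings(PEOPLE, RECORDS),
            "revocations": revocation_findings(RECORDS, EVENTS)}


if __name__ == "__main__":
    for name, rows in run().items():
        print(name, rows)
```

Because removal dates are kept on the record rather than the record being deleted, the same data answers both the quarterly review question (who has what right now) and the audit question (was each removal on time), which is the point of the “disable, don’t delete” advice above.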
CIP-005-3 – Electronic Security Perimeters
In many cases, CIP-005 and CIP-007 are inter-related or look similar (e.g., both have “vulnerability assessment” requirements). It’s important to remember that these requirements are not actually duplicative. For CIP-005, the cyber assets addressed are those that create the perimeter itself, or any access points to it. For CIP-007, it’s the devices within the perimeter. To avoid operational confusion and to make things easier for an auditor to find, make sure your documentation includes a clearly defined scope, is well-organized and is well-labeled. The documentation for this Standard may greatly benefit from use of categorization by device type or function.
CIP-005-3a Requirements:
R1. Electronic Security Perimeter — The Responsible Entity shall ensure that every Critical
Cyber Asset resides within an Electronic Security Perimeter. The Responsible Entity shall identify and document the Electronic Security Perimeter(s) and all access points to the perimeter(s).
R1.1. Access points to the Electronic Security Perimeter(s) shall include any externally
connected communication end point (for example, dial-up modems) terminating at any device within the Electronic Security Perimeter(s).
R1.2. For a dial-up accessible Critical Cyber Asset that uses a non-routable protocol, the
Responsible Entity shall define an Electronic Security Perimeter for that single access point at the dial-up device.
R1.3. Communication links connecting discrete Electronic Security Perimeters shall not
be considered part of the Electronic Security Perimeter. However, end points of these communication links within the Electronic Security Perimeter(s) shall be considered access points to the Electronic Security Perimeter(s).
R1.4. Any non-critical Cyber Asset within a defined Electronic Security Perimeter shall
be identified and protected pursuant to the requirements of Standard CIP-005-3.
R1.5. Cyber Assets used in the access control and/or monitoring of the Electronic
Security Perimeter(s) shall be afforded the protective measures as specified in Standard CIP-003-3; Standard CIP-004-3 Requirement R3; Standard CIP-005-3 Requirements R2 and R3; Standard CIP-006-3 Requirement R3; Standard CIP-007-3 Requirements R1 and R3 through R9; Standard CIP-008-3; and Standard CIP-009-3.
R1.6. The Responsible Entity shall maintain documentation of Electronic Security
Perimeter(s), all interconnected Critical and non-critical Cyber Assets within the Electronic Security Perimeter(s), all electronic access points to the Electronic Security Perimeter(s) and the Cyber Assets deployed for the access control and monitoring of these access points.
R2. Electronic Access Controls — The Responsible Entity shall implement and document the
organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s).
R2.1. These processes and mechanisms shall use an access control model that denies
access by default, such that explicit access permissions must be specified.
R2.2. At all access points to the Electronic Security Perimeter(s), the Responsible Entity
shall enable only ports and services required for operations and for monitoring Cyber Assets within the Electronic Security Perimeter, and shall document, individually or by specified grouping, the configuration of those ports and services.
R2.3. The Responsible Entity shall implement and maintain a procedure for securing
dial-up access to the Electronic Security Perimeter(s).
R2.4. Where external interactive access into the Electronic Security Perimeter has been
enabled, the Responsible Entity shall implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party, where technically feasible.
R2.5. The required documentation shall, at least, identify and describe:
R2.5.1. The processes for access request and authorization.
R2.5.2. The authentication methods.
R2.5.3. The review process for authorization rights, in accordance with Standard
CIP-004-3 Requirement R4.
R2.5.4. The controls used to secure dial-up accessible connections.
R2.6. Appropriate Use Banner — Where technically feasible, electronic access control
devices shall display an appropriate use banner on the user screen upon all interactive access attempts. The Responsible Entity shall maintain a document identifying the content of the banner.
R3. Monitoring Electronic Access — The Responsible Entity shall implement and document an
electronic or manual process(es) for monitoring and logging access at access points to the Electronic Security Perimeter(s) twenty-four hours a day, seven days a week.
R3.1. For dial-up accessible Critical Cyber Assets that use non-routable protocols, the
Responsible Entity shall implement and document monitoring process(es) at each access point to the dial-up device, where technically feasible.
R3.2. Where technically feasible, the security monitoring process(es) shall detect and
alert for attempts at or actual unauthorized accesses. These alerts shall provide for appropriate notification to designated response personnel. Where alerting is not
technically feasible, the Responsible Entity shall review or otherwise assess access logs for attempts at or actual unauthorized accesses at least every ninety calendar days.
R4. Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber
vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually. The vulnerability assessment shall include, at a minimum, the following:
R4.1. A document identifying the vulnerability assessment process;
R4.2. A review to verify that only ports and services required for operations at these
access points are enabled;
R4.3. The discovery of all access points to the Electronic Security Perimeter;
R4.4. A review of controls for default accounts, passwords, and network management
community strings;
R4.5. Documentation of the results of the assessment, the action plan to remediate or
mitigate vulnerabilities identified in the assessment, and the execution status of that action plan.
R5. Documentation Review and Maintenance — The Responsible Entity shall review, update,
and maintain all documentation to support compliance with the requirements of Standard CIP-005-3.
R5.1. The Responsible Entity shall ensure that all documentation required by Standard
CIP-005-3 reflect current configurations and processes and shall review the documents and procedures referenced in Standard CIP-005-3 at least annually.
R5.2. The Responsible Entity shall update the documentation to reflect the modification
R5.3. The Responsible Entity shall retain electronic access logs for at least ninety
calendar days. Logs related to reportable incidents shall be kept in accordance with the requirements of Standard CIP-008-3.
Definitions: In addition to those listed below, any proprietary terms used in the
application of CIP-005-3 should be included in any related documentation:
o “Electronic Access Point” and “Interactive Access Attempt” – Don’t rely on industry familiarity for these definitions. Document the definition in use at your organization.
o “Ports and Services required for operation” – Documented definitions for this term should indicate whether or not ports required for emergency or intermittent operation are included in the list. Clarity in this definition will aid the development of vulnerability assessment and security testing procedures for this Standard and CIP-007.
o “Reportable Incident” or “Cyber Security Incident” – The definitions for these terms will determine your reporting requirements and the time frames for which you have to retain certain documentation. Make a clear distinction between these terms and the types of circumstances that would simply constitute a “cyber security event.”
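For the R3 monitoring requirement, the R3.2 ninety-day fallback review of access logs, and the R5.3 ninety-day retention, the script below is an added example and not anything from the MRO paper. It reads a constructed log format from a hypothetical access-point firewall (real devices log differently), separates denied connections and repeated authentication failures within the review window from ordinary permitted traffic, and checks that the log store still reaches back the full retention window. The five-failure threshold is an assumed local tuning value, and all log lines are constructed.

```python
"""Access-point log review for an ESP (constructed example, not from the MRO paper)."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed line format of a hypothetical access-point firewall; real devices differ.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>DENY|PERMIT|AUTH_FAIL|AUTH_OK) (?P<kv>.*)$")


def parse(line):
    """Parse one line into a dict, or return None for lines the format does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(part.split("=", 1) for part in m["kv"].split())
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "event": m["event"], **fields}


def review(lines, as_of, window=timedelta(days=90), fail_threshold=5):
    """Assess the last `window` of access-point logs (the R3.2 fallback cadence) and
    check that the store still holds at least that much history (R5.3)."""
    parsed = [parse(line) for line in lines]
    events = [e for e in parsed if e is not None]
    start = as_of - window
    recent = [e for e in events if start <= e["ts"] <= as_of]
    # Every denied connection at the perimeter is an attempt at unauthorized access.
    denied = Counter((e["host"], e["src"], e.get("dport", "?")) for e in recent if e["event"] == "DENY")
    # Repeated authentication failures from one source are the interactive-access case.
    fails = Counter((e["host"], e["src"]) for e in recent if e["event"] == "AUTH_FAIL")
    oldest = min(e["ts"] for e in events) if events else None
    return {
        "unparsed": parsed.count(None),           # lines a reviewer must look at by hand
        "reviewed": len(recent),
        "denied": dict(denied),
        "repeated_auth_failures": {k: n for k, n in fails.items() if n >= fail_threshold},
        "retention_ok": oldest is not None and oldest <= start,
    }


# Constructed sample log: one old permitted session, a burst of denied telnet and failed
# logins from one source, one ordinary mistyped password, and one malformed line.
SAMPLE_LINES = [
    "2011-07-01T08:00:00Z eap01 PERMIT src=10.1.1.20 dst=192.168.10.5 dport=22 proto=tcp user=ops1",
    "2011-09-20T02:14:07Z eap01 DENY src=10.5.5.9 dst=192.168.10.5 dport=23 proto=tcp",
    "2011-09-20T02:14:09Z eap01 DENY src=10.5.5.9 dst=192.168.10.6 dport=23 proto=tcp",
    *[f"2011-09-20T02:15:0{i}Z eap01 AUTH_FAIL src=10.5.5.9 user=admin" for i in range(6)],
    "2011-09-21T09:00:00Z eap02 AUTH_FAIL src=10.1.1.20 user=ops1",
    "2011-09-21T09:00:05Z eap02 AUTH_OK src=10.1.1.20 user=ops1",
    "this line is not in the expected format",
]


def run():
    """Review the sample as of the paper's date (2011-10-11)."""
    return review(SAMPLE_LINES, datetime(2011, 10, 11, tzinfo=timezone.utc))


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

The unparsed count matters as much as the alerts: a line the parser cannot read is an access event nobody reviewed, so a non-zero count should itself be part of the ninety-day review record.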
Recommendations:
CIP-005-3 R1 Electronic Security Perimeter (ESP)
o There are very few “all” statements that should be used in compliance discussions. Here are two of them:
  - Make sure you have a list of all the cyber assets you have within the Electronic Security Perimeter(s) associated with each Critical Asset. This includes devices that are serially connected and/or considered non-critical.
  - Make sure you can demonstrate that all of the Critical Cyber Assets identified under CIP-002 reside within an Electronic Security Perimeter (ESP).
  One method for accomplishing both of these tasks is through the use of ESP Diagrams. Lists or spreadsheets may also be useful when used in combination with the ESP diagrams to demonstrate compliance.
o The criticality of each Cyber Asset within the ESP should then be assessed, and evidence for this assessment should include a list of all the devices, the criteria used to assess them, and the result of the assessment. This assessment will tell you what requirements must be followed for each device. It will also tell you where there are opportunities to move devices out of the ESP to shrink the list of protected devices.
o For R1.1, be sure that documentation includes the process for discovering access points. These methods may include physical walk-downs of equipment identified as CCAs, reviews of network drawings, etc. For audit purposes, clear identification of the individual(s) responsible for this will make it easier to identify the SME that should be present for the interviews.
o Documentation for R1.1 should also define the implementation and maintenance of the ESP. Consider addressing how temporary connections such as network sniffers, test equipment, anti-virus updates, etc. are handled.
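The following script is an added example, not from the MRO paper, that applies the two “all” statements and the R1.1/R1.3/R1.4 text to a small constructed inventory. It lists every asset per ESP (serially connected and non-critical devices included), flags CCAs that sit in no ESP, and derives access points from the link list by treating any in-perimeter endpoint whose peer lies outside its own ESP as an access point, which covers external connections, links between discrete ESPs (R1.3) and dial-up endpoints. Asset names, ESP names and links are constructed; the EXTERNAL endpoint is a placeholder for anything outside every perimeter.

```python
"""ESP inventory checks for CIP-005 R1 (constructed example, not from the MRO paper)."""
from dataclasses import dataclass
from typing import Optional

EXTERNAL = "EXTERNAL"   # placeholder endpoint for anything outside every ESP


@dataclass(frozen=True)
class CyberAsset:
    name: str
    esp: Optional[str]   # ESP the asset sits in, None if it is outside every perimeter
    critical: bool       # True for a Critical Cyber Asset identified under CIP-002


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    kind: str            # "routable", "serial" or "dialup"; kept for the ESP diagram


def ccas_outside_esp(assets):
    """R1: every CCA must reside within an ESP; anything returned here is a gap."""
    return sorted(x.name for x in assets if x.critical and x.esp is None)


def assets_per_esp(assets):
    """R1.6: all interconnected critical and non-critical assets inside each ESP."""
    out = {}
    for x in assets:
        if x.esp is not None:
            out.setdefault(x.esp, []).append(x.name)
    return {esp: sorted(names) for esp, names in out.items()}


def non_critical_in_esp(assets):
    """R1.4: non-critical assets inside an ESP still need CIP-005 protection."""
    return sorted(x.name for x in assets if x.esp is not None and not x.critical)


def access_points(assets, links):
    """R1.1/R1.3: an endpoint inside an ESP whose peer lies outside that ESP is an
    access point. Links that stay inside one ESP (e.g. a serial RTU) contribute none."""
    esp_of = {x.name: x.esp for x in assets}
    found = {}
    for link in links:
        for inside, peer in ((link.a, link.b), (link.b, link.a)):
            esp = esp_of.get(inside)
            if esp is not None and esp_of.get(peer) != esp:
                found.setdefault(esp, set()).add(inside)
    return {esp: sorted(names) for esp, names in found.items()}


# Constructed inventory: two ESPs, a serially connected RTU, a dial-up modem, a
# historian outside the perimeter, and one CCA that was never placed in an ESP.
ASSETS = [
    CyberAsset("EAP-01", "ESP-A", False),
    CyberAsset("HMI-02", "ESP-A", True),
    CyberAsset("RTU-01", "ESP-A", True),
    CyberAsset("MODEM-04", "ESP-A", False),
    CyberAsset("EAP-05", "ESP-B", False),
    CyberAsset("HIST-07", None, False),
    CyberAsset("PLC-09", None, True),
]
LINKS = [
    Link("EAP-01", EXTERNAL, "routable"),
    Link("EAP-01", "EAP-05", "routable"),    # link between discrete ESPs (R1.3)
    Link("MODEM-04", EXTERNAL, "dialup"),
    Link("RTU-01", "HMI-02", "serial"),      # stays inside ESP-A: not an access point
    Link("HMI-02", "HIST-07", "routable"),   # crosses the perimeter: HMI-02 becomes one
    Link("PLC-09", EXTERNAL, "routable"),
]


def run():
    return {
        "ccas_outside_esp": ccas_outside_esp(ASSETS),
        "assets_per_esp": assets_per_esp(ASSETS),
        "non_critical_in_esp": non_critical_in_esp(ASSETS),
        "access_points": access_points(ASSETS, LINKS),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

The HMI-02 result is the case worth noticing: a CCA that is not a firewall or modem still becomes an access point the moment a link to an out-of-perimeter device is attached to it, which is why the recommendation above asks for a documented discovery process rather than a one-time drawing.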