CIP-003-7 - Cyber Security - Security Management Controls
Draft 1 of CIP-003-7, July 2016. Page 1 of 54
Standard Development Timeline
This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

Description of Current Draft

This draft of CIP-003-7 is addressing the directive issued by the Federal Energy Regulatory Commission (Commission) in paragraph 73 of Order No. 822, which reads:

[T]he Commission concludes that a modification to the Low Impact External Routable Connectivity definition to reflect the commentary in the Guidelines and Technical Basis section of CIP-003-6 is necessary to provide needed clarity to the definition and eliminate ambiguity surrounding the term "direct" as it is used in the proposed definition. Therefore, pursuant to section 215(d)(5) of the FPA, we direct NERC to develop a modification to provide the needed clarity, within one year of the effective date of this Final Rule approving revisions to the cyber security Critical Infrastructure Protection (CIP) standards.

Previously, the Guidelines and Technical Basis had approximately 10 pages of explanation and numerous reference models to describe different forms of direct vs. indirect access that could be used to determine whether Low Impact External Routable Connectivity existed and thus whether a Low Impact BES Cyber System Electronic Access Point (LEAP) was required. In this revision, the term Low Impact External Routable Connectivity has been changed to Low Impact External Routable Communication (LERC) and simplified so that it is an attribute of a BES asset concerning whether there is routable protocol communication across the asset boundary, without regard to "direct vs. indirect" access that may occur. This greatly simplifies and clarifies the definition of LERC. It removes the dependency between the electronic access controls that may be in place and having those controls determine whether LERC exists or not. For those BES assets that have LERC, the SDT changed the requirement from requiring a LEAP to requiring electronic access controls to permit only necessary electronic access to low impact BES Cyber Systems (revised Attachment 1, Section 3.1) within the BES asset, and expanded the Guidelines and Technical Basis with numerous examples of electronic access controls. Given the modified definition of LERC and the proposed modifications in Reliability Standard CIP-003-7, there is no longer a need for the NERC Glossary term Low Impact BES Cyber System Electronic Access Point (LEAP). Consequently, NERC is proposing that term for retirement.

In summary, the CIP Standard Drafting Team revised CIP-003-7, Attachments 1 and 2, Sections 2 and 3, and the associated High VSL for Requirement R2. Non-substantive errata changes were also made within the standard, including changing ES-ISAC to E-ISAC.
Completed Actions | Date
Standard Authorization Request (SAR) approved | July 20, 2016
Draft 1 of CIP-003-7 posted for formal comment and initial ballot | July 21 - September 6, 2016

Anticipated Actions | Date
10-day final ballot | October 2016
NERC Board of Trustees (BOT) adoption | November 2016
A. Introduction
1. Title: Cyber Security - Security Management Controls
2. Number: CIP-003-7
3. Purpose: To specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).
4. Applicability:
4.1. Functional Entities: For the purpose of the requirements contained herein, the following list of functional entities will be collectively referred to as "Responsible Entities." For requirements in this standard where a specific functional entity or subset of functional entities are the applicable entity or entities, the functional entity or entities are specified explicitly.
4.1.1 Balancing Authority
4.1.2 Distribution Provider that owns one or more of the following Facilities, systems, and equipment for the protection or restoration of the BES:
4.1.2.1 Each underfrequency Load shedding (UFLS) or undervoltage Load shedding (UVLS) system that:
4.1.2.1.1 is part of a Load shedding program that is subject to one or more requirements in a NERC or Regional Reliability Standard; and
4.1.2.1.2 performs automatic Load shedding under a common control system owned by the Responsible Entity, without human operator initiation, of 300 MW or more.
4.1.2.2 Each Special Protection System (SPS) or Remedial Action Scheme (RAS) where the SPS or RAS is subject to one or more requirements in a NERC or Regional Reliability Standard.
4.1.2.3 Each Protection System (excluding UFLS and UVLS) that applies to Transmission where the Protection System is subject to one or more requirements in a NERC or Regional Reliability Standard.
4.1.2.4 Each Cranking Path and group of Elements meeting the initial switching requirements from a Blackstart Resource up to and including the first interconnection point of the starting station service of the next generation unit(s) to be started.
4.1.3 Generator Operator
4.1.4 Generator Owner
4.1.5 Interchange Coordinator or Interchange Authority
4.1.6 Reliability Coordinator
4.1.7 Transmission Operator
4.1.8 Transmission Owner
4.2. Facilities: For the purpose of the requirements contained herein, the following Facilities, systems, and equipment owned by each Responsible Entity in 4.1 above are those to which these requirements are applicable. For requirements in this standard where a specific type of Facilities, system, or equipment or subset of Facilities, systems, and equipment are applicable, these are specified explicitly.
4.2.1 Distribution Provider: One or more of the following Facilities, systems and equipment owned by the Distribution Provider for the protection or restoration of the BES:
4.2.1.1 Each UFLS or UVLS System that:
4.2.1.1.1 is part of a Load shedding program that is subject to one or more requirements in a NERC or Regional Reliability Standard; and
4.2.1.1.2 performs automatic Load shedding under a common control system owned by the Responsible Entity, without human operator initiation, of 300 MW or more.
4.2.1.2 Each SPS or RAS where the SPS or RAS is subject to one or more requirements in a NERC or Regional Reliability Standard.
4.2.1.3 Each Protection System (excluding UFLS and UVLS) that applies to Transmission where the Protection System is subject to one or more requirements in a NERC or Regional Reliability Standard.
4.2.1.4 Each Cranking Path and group of Elements meeting the initial switching requirements from a Blackstart Resource up to and including the first interconnection point of the starting station service of the next generation unit(s) to be started.
4.2.2 Responsible Entities listed in 4.1 other than Distribution Providers: All BES Facilities.
4.2.3 Exemptions: The following are exempt from Standard CIP-003-7:
4.2.3.1 Cyber Assets at Facilities regulated by the Canadian Nuclear Safety Commission.
4.2.3.2 Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters (ESPs).
4.2.3.3 The systems, structures, and components that are regulated by the Nuclear Regulatory Commission under a cyber security plan pursuant to 10 C.F.R. Section 73.54.
4.2.3.4 For Distribution Providers, the systems and equipment that are not included in section 4.2.1 above.
5. Effective Dates: See Implementation Plan for CIP-003-7.
6. Background: Standard CIP-003 exists as part of a suite of CIP Standards related to cyber security, which require the initial identification and categorization of BES Cyber Systems and require organizational, operational, and procedural controls to mitigate risk to BES Cyber Systems.

The term policy refers to one or a collection of written documents that are used to communicate the Responsible Entity's management goals, objectives and expectations for how the Responsible Entity will protect its BES Cyber Systems. The use of policies also establishes an overall governance foundation for creating a culture of security and compliance with laws, regulations, and standards.

The term documented processes refers to a set of required instructions specific to the Responsible Entity and to achieve a specific outcome. This term does not imply any naming or approval structure beyond what is stated in the requirements. An entity should include as much as it believes necessary in its documented processes, but it must address the applicable requirements.

The terms program and plan are sometimes used in place of documented processes where it makes sense and is commonly understood. For example, documented processes describing a response are typically referred to as plans (i.e., incident response plans and recovery plans). Likewise, a security plan can describe an approach involving multiple procedures to address a broad subject matter.

Similarly, the term program may refer to the organization's overall implementation of its policies, plans, and procedures involving a subject matter. Examples in the standards include the personnel risk assessment program and the personnel training program. The full implementation of the CIP Cyber Security Reliability Standards could also be referred to as a program. However, the terms program and plan do not imply any additional requirements beyond what is stated in the standards.
Responsible Entities can implement common controls that meet requirements for multiple high, medium, and low impact BES Cyber Systems. For example, a single cyber security awareness program could meet the requirements across multiple BES Cyber Systems.
Measures provide examples of evidence to show documentation and implementation of the requirement. These measures serve to provide guidance to entities in acceptable records of compliance and should not be viewed as an all-inclusive list.

Throughout the standards, unless otherwise stated, bulleted items in the requirements and measures are items that are linked with an "or," and numbered items are items that are linked with an "and."

Many references in the Applicability section use a threshold of 300 MW for UFLS and UVLS. This particular threshold of 300 MW for UVLS and UFLS was provided in Version 1 of the CIP Cyber Security Standards. The threshold remains at 300 MW since it is specifically addressing UVLS and UFLS, which are last-ditch efforts to save the BES. A review of UFLS tolerances defined within Regional Reliability Standards for UFLS program requirements to date indicates that the historical value of 300 MW represents an adequate and reasonable threshold value for allowable UFLS operational tolerances.
B. Requirements and Measures
R1. Each Responsible Entity shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]
1.1 For its high impact and medium impact BES Cyber Systems, if any:
1.1.1. Personnel and training (CIP-004);
1.1.2. Electronic Security Perimeters (CIP-005) including Interactive Remote Access;
1.1.3. Physical security of BES Cyber Systems (CIP-006);
1.1.4. System security management (CIP-007);
1.1.5. Incident reporting and response planning (CIP-008);
1.1.6. Recovery plans for BES Cyber Systems (CIP-009);
1.1.7. Configuration change management and vulnerability assessments (CIP-010);
1.1.8. Information protection (CIP-011); and
1.1.9. Declaring and responding to CIP Exceptional Circumstances.
1.2 For its assets identified in CIP-002 containing low impact BES Cyber Systems, if any:
1.2.1. Cyber security awareness;
1.2.2. Physical security controls;
1.2.3. Electronic access controls for Low Impact External Routable Communication (LERC) and Dial-up Connectivity; and
1.2.4. Cyber Security Incident response
M1. Examples of evidence may include, but are not limited to, policy documents; revision history, records of review, or workflow evidence from a document management system that indicate review of each cyber security policy at least once every 15 calendar months; and documented approval by the CIP Senior Manager for each cyber security policy.
R2. Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
Note: An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required. Lists of authorized users are not required.
M2. Evidence shall include each of the documented cyber security plan(s) that collectively include each of the sections in Attachment 1 and additional evidence to demonstrate implementation of the cyber security plan(s). Additional examples of evidence per section are located in Attachment 2.
R3. Each Responsible Entity shall identify a CIP Senior Manager by name and document any change within 30 calendar days of the change. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]
M3. An example of evidence may include, but is not limited to, a dated and approved document from a high level official designating the name of the individual identified as the CIP Senior Manager.
R4. The Responsible Entity shall implement a documented process to delegate authority, unless no delegations are used. Where allowed by the CIP Standards, the CIP Senior Manager may delegate authority for specific actions to a delegate or delegates. These delegations shall be documented, including the name or title of the delegate, the specific actions delegated, and the date of the delegation; approved by the CIP Senior Manager; and updated within 30 days of any change to the delegation. Delegation changes do not need to be reinstated with a change to the delegator. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
M4. An example of evidence may include, but is not limited to, a dated document, approved by the CIP Senior Manager, listing individuals (by name or title) who are delegated the authority to approve or authorize specifically identified items.
C. Compliance
1. Compliance Monitoring Process
1.1. Compliance Enforcement Authority: As defined in the NERC Rules of Procedure, "Compliance Enforcement Authority" (CEA) means NERC or the Regional Entity in their respective roles of monitoring and enforcing compliance with the NERC Reliability Standards.
1.2. Evidence Retention: The following evidence retention periods identify the period of time an entity is required to retain specific evidence to demonstrate compliance. For instances where the evidence retention period specified below is shorter than the time since the last audit, the CEA may ask an entity to provide other evidence to show that it was compliant for the full time period since the last audit.
The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation:
Each Responsible Entity shall retain evidence of each requirement in this standard for three calendar years.
If a Responsible Entity is found non-compliant, it shall keep information related to the non-compliance until mitigation is complete and approved or for the time specified above, whichever is longer.
The CEA shall keep the last audit records and all requested and submitted subsequent audit records.
1.3. Compliance Monitoring and Assessment Processes:
Compliance Audits
Self-Certifications
Spot Checking
Compliance Investigations
Self-Reporting
Complaints
1.4. Additional Compliance Information: None
2. Table of Compliance Elements

Columns: R# | Time Horizon | VRF | Violation Severity Levels (CIP-003-7): Lower VSL, Moderate VSL, High VSL, Severe VSL

R1 | Operations Planning | Medium

Lower VSL:
The Responsible Entity documented and implemented one or more cyber security policies for its high impact and medium impact BES Cyber Systems, but did not address one of the nine topics required by R1. (R1.1)
OR
The Responsible Entity did not complete its review of the one or more documented cyber security policies for its high impact and medium impact BES Cyber Systems as required by R1 within 15 calendar months but did complete this review in less than or equal to 16 calendar months of the previous review. (R1.1)
OR
The Responsible Entity did not complete its approval of the one or more documented cyber security policies for its high impact and medium impact BES Cyber Systems as required by R1 by the CIP Senior Manager within 15 calendar months but did complete this approval in less than or equal to 16 calendar months of the previous approval. (R1.1)
OR
The Responsible Entity documented one or more cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems, but did not address one of the four topics required by R1. (R1.2)
OR
The Responsible Entity did not complete its review of the one or more documented cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems as required by Requirement R1 within 15 calendar months but did complete this review in less than or equal to 16 calendar months of the previous review. (R1.2)
OR
The Responsible Entity did not complete its approval of the one or more documented cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems as required by Requirement R1 by the CIP Senior Manager within 15 calendar months but did complete this approval in less than or equal to 16 calendar months of the previous approval. (R1.2)

Moderate VSL:
The Responsible Entity documented and implemented one or more cyber security policies for its high impact and medium impact BES Cyber Systems, but did not address two of the nine topics required by R1. (R1.1)
OR
The Responsible Entity did not complete its review of the one or more documented cyber security policies for its high impact and medium impact BES Cyber Systems as required by R1 within 16 calendar months but did complete this review in less than or equal to 17 calendar months of the previous review. (R1.1)
OR
The Responsible Entity did not complete its approval of the one or more documented cyber security policies for its high impact and medium impact BES Cyber Systems as required by R1 by the CIP Senior Manager within 16 calendar months but did complete this approval in less than or equal to 17 calendar months of the previous approval. (R1.1)
OR
The Responsible Entity documented one or more cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems, but did not address two of the four topics required by R1. (R1.2)
OR
The Responsible Entity did not complete its review of the one or more documented cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems as required by Requirement R1 within 16 calendar months but did complete this review in less than or equal to 17 calendar months of the previous review. (R1.2)
OR
The Responsible Entity did not complete its approval of the one or more documented cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems as required by Requirement R1 by the CIP Senior Manager within 16 calendar months but did complete this approval in less than or equal to 17 calendar months of the previous approval. (R1.2)

High VSL:
The Responsible Entity documented and implemented one or more cyber security policies for its high impact and medium impact BES Cyber Systems, but did not address three of the nine topics required by R1. (R1.1)
OR
The Responsible Entity did not complete its review of the one or more documented cyber security policies for its high impact and medium impact BES Cyber Systems as required by R1 within 17 calendar months but did complete this review in less than or equal to 18 calendar months of the previous review. (R1.1)
OR
The Responsible Entity did not complete its approval of the one or more documented cyber security policies for its high impact and medium impact BES Cyber Systems as required by R1 by the CIP Senior Manager within 17 calendar months but did complete this approval in less than or equal to 18 calendar months of the previous approval. (R1)
OR
The Responsible Entity documented one or more cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems, but did not address three of the four topics required by R1. (R1.2)
OR
The Responsible Entity did not complete its review of the one or more documented cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems as required by R1 within 17 calendar months but did complete this review in less than or equal to 18 calendar months of the previous review. (R1.2)
OR
The Responsible Entity did not complete its approval of the one or more documented cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems as required by Requirement R1 by the CIP Senior Manager within 17 calendar months but did complete this approval in less than or equal to 18 calendar months of the previous approval. (R1.2)

Severe VSL:
The Responsible Entity documented and implemented one or more cyber security policies for its high impact and medium impact BES Cyber Systems, but did not address four or more of the nine topics required by R1. (R1.1)
OR
The Responsible Entity did not have any documented cyber security policies for its high impact and medium impact BES Cyber Systems as required by R1. (R1.1)
OR
The Responsible Entity did not complete its review of the one or more documented cyber security policies as required by R1 within 18 calendar months of the previous review. (R1)
OR
The Responsible Entity did not complete its approval of the one or more documented cyber security policies for its high impact and medium impact BES Cyber Systems as required by R1 by the CIP Senior Manager within 18 calendar months of the previous approval. (R1.1)
OR
The Responsible Entity documented one or more cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems, but did not address any of the four topics required by R1. (R1.2)
OR
The Responsible Entity did not have any documented cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems as required by R1. (R1.2)
OR
The Responsible Entity did not complete its approval of the one or more documented cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems as required by Requirement R1 by the CIP Senior Manager within 18 calendar months of the previous approval. (R1.2)

R2 | Operations Planning | Lower

Lower VSL:
The Responsible Entity documented its cyber security plan(s) for its assets containing low impact BES Cyber Systems, but failed to document cyber security awareness according to CIP-003-6, Requirement R2, Attachment 1, Section 1. (R2)
OR
The Responsible Entity documented its cyber security plan(s) for its assets containing low impact BES Cyber Systems, but failed to document one or more Cyber Security Incident response plans according to CIP-003-6, Requirement R2, Attachment 1, Section 4. (R2)
OR
The Responsible Entity documented one or more Cyber Security Incident response plans within its cyber security plan(s) for its assets containing low impact BES Cyber Systems, but failed to update each Cyber Security Incident response plan(s) within 180 days according to CIP-003-6, Requirement R2, Attachment 1, Section 4. (R2)
OR
The Responsible Entity documented its cyber security plan(s) for its assets containing low impact BES Cyber Systems, but failed to document physical security controls according to CIP-003-6, Requirement R2, Attachment 1, Section 2. (R2)
OR
The Responsible Entity documented its cyber security plan(s) for its assets containing low impact BES Cyber Systems, but failed to document electronic access controls according to CIP-003-6, Requirement R2, Attachment 1, Section 3. (R2)

Moderate VSL:
The Responsible Entity documented its cyber security plan(s) for its assets containing low impact BES Cyber Systems, but failed to reinforce cyber security practices at least once every 15 calendar months according to CIP-003-6, Requirement R2, Attachment 1, Section 1. (R2)
OR
The Responsible Entity documented one or more incident response plans within its cyber security plan(s) for its assets containing low impact BES Cyber Systems, but failed to include the process for identification, classification, and response to Cyber Security Incidents according to CIP-003-6, Requirement R2, Attachment 1, Section 4. (R2)
OR
The Responsible Entity documented its cyber security plan(s) for its assets containing low impact BES Cyber Systems, but failed to document the determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and subsequent notification to the Electricity Information Sharing and Analysis Center (E-ISAC) according to CIP-003-6, Requirement R2, Attachment 1, Section 4. (R2)
OR
The Responsible Entity documented the physical access controls for its assets containing low impact BES Cyber Systems, but failed to implement the physical security controls according to CIP-003-6, Requirement R2, Attachment 1, Section 2. (R2)

High VSL:
The Responsible Entity documented one or more Cyber Security Incident response plans within its cyber security plan(s) for its assets containing low impact BES Cyber Systems, but failed to test each Cyber Security Incident response plan(s) at least once every 36 calendar months according to CIP-003-6, Requirement R2, Attachment 1, Section 4. (R2)
OR
The Responsible Entity documented the determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident, but failed to notify the Electricity Information Sharing and Analysis Center (E-ISAC) according to CIP-003-6, Requirement R2, Attachment 1, Section 4. (R2)
OR
The Responsible Entity documented and implemented electronic access controls for LERC, but failed to implement a LEAP or permit inbound and outbound access according to CIP-003-6, Requirement R2, Attachment 1, Section 3. (R2)
OR
The Responsible Entity documented and implemented electronic access controls for its assets containing low impact BES Cyber Systems, but failed to document and implement authentication of all Dial-up Connectivity, if any, that provides access to low impact BES Cyber Systems according to CIP-003-6, Requirement R2, Attachment 1, Section 3. (R2)

Severe VSL:
The Responsible Entity failed to document or implement one or more cyber security plan(s) for its assets containing low impact BES Cyber Systems according to CIP-003-6, Requirement R2, Attachment 1. (R2)

R3 | Operations Planning | Medium

Lower VSL:
The Responsible Entity has identified by name a CIP Senior Manager, but did not document changes to the CIP Senior Manager within 30 calendar days but did document this change in less than 40 calendar days of the change. (R3)

Moderate VSL:
The Responsible Entity has identified by name a CIP Senior Manager, but did not document changes to the CIP Senior Manager within 40 calendar days but did document this change in less than 50 calendar days of the change. (R3)

High VSL:
The Responsible Entity has identified by name a CIP Senior Manager, but did not document changes to the CIP Senior Manager within 50 calendar days but did document this change in less than 60 calendar days of the change. (R3)

Severe VSL:
The Responsible Entity has not identified, by name, a CIP Senior Manager.
OR
The Responsible Entity has identified by name a CIP Senior Manager, but did not document changes to the CIP Senior Manager within 60 calendar days of the change. (R3)

R4 | Operations Planning | Lower

Lower VSL:
The Responsible Entity has identified a delegate by name, title, date of delegation, and specific actions delegated, but did not document changes to the delegate within 30 calendar days but did document this change in less than 40 calendar days of the change. (R4)

Moderate VSL:
The Responsible Entity has identified a delegate by name, title, date of delegation, and specific actions delegated, but did not document changes to the delegate within 40 calendar days but did document this change in less than 50 calendar days of the change. (R4)

High VSL:
The Responsible Entity has identified a delegate by name, title, date of delegation, and specific actions delegated, but did not document changes to the delegate within 50 calendar days but did document this change in less than 60 calendar days of the change. (R4)

Severe VSL:
The Responsible Entity has used delegated authority for actions where allowed by the CIP Standards, but does not have a process to delegate actions from the CIP Senior Manager. (R4)
OR
The Responsible Entity has identified a delegate by name, title, date of delegation, and specific actions delegated, but did not document changes to the delegate within 60 calendar days of the change. (R4)
D. Regional Variances
None.
E. Interpretations
None.
F. Associated Documents
None.
Version History

Version | Date | Action | Change Tracking
1 | 1/16/06 | R3.2 - Change "Control Center" to "control center." | 3/24/06
2 | 9/30/09 | Modifications to clarify the requirements and to bring the compliance elements into conformance with the latest guidelines for developing compliance elements of standards. Removal of reasonable business judgment. Replaced the RRO with the RE as a responsible entity. Rewording of Effective Date. Changed compliance monitor to Compliance Enforcement Authority. |
3 | 12/16/09 | Updated Version Number from -2 to -3. In Requirement 1.6, deleted the sentence pertaining to removing component or system from service in order to perform testing, in response to FERC order issued September 30, 2009. |
3 | 12/16/09 | Approved by the NERC Board of Trustees. |
3 | 3/31/10 | Approved by FERC. |
4 | 1/24/11 | Approved by the NERC Board of Trustees. |
5 | 11/26/12 | Adopted by the NERC Board of Trustees. | Modified to coordinate with other CIP standards and to revise format to use RBS Template.
5 | 11/22/13 | FERC Order issued approving CIP-003-5. |
6 | 11/13/14 | Adopted by the NERC Board of Trustees. | Addressed two FERC directives from Order No. 791 related to identify, assess, and correct language and communication networks.
6 | 2/12/15 | Adopted by the NERC Board of Trustees. | Replaces the version adopted by the Board on 11/13/2014. Revised version addresses remaining directives from Order No. 791 related to transient devices and low impact BES Cyber Systems.
6 | 1/21/16 | FERC Order issued approving CIP-003-6. Docket No. RM15-14-000 |
7 | TBD | Adopted by the NERC Board of Trustees. | Revised to address FERC Order 822 directive regarding definition of LERC.
CIP-003-6 - Attachment 1
Required Sections for Cyber Security Plan(s) for Assets Containing Low Impact BES Cyber Systems

Responsible Entities shall include each of the sections provided below in the cyber security plan(s) required under Requirement R2.

Responsible Entities with multiple-impact BES Cyber Systems ratings can utilize policies, procedures, and processes for their high or medium impact BES Cyber Systems to fulfill the sections for the development of low impact cyber security plan(s). Each Responsible Entity can develop a cyber security plan(s) either by individual asset or groups of assets.

Section 1. Cyber Security Awareness: Each Responsible Entity shall reinforce, at least once every 15 calendar months, cyber security practices (which may include associated physical security practices).

Section 2. Physical Security Controls: Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset, and (2) the Cyber Asset(s), as specified by the Responsible Entity, that provide electronic access control(s) implemented for Section 3.1, if any.

Section 3. Electronic Access Controls: Each Responsible Entity shall:
3.1 Implement electronic access control(s) for LERC, if any, to permit only necessary inbound and outbound electronic access to low impact BES Cyber System(s).
3.2 Implement authentication for all Dial-up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Cyber Asset capability.

Section 4. Cyber Security Incident Response: Each Responsible Entity shall have one or more Cyber Security Incident response plan(s), either by asset or group of assets, which shall include:
4.1 Identification, classification, and response to Cyber Security Incidents;
4.2 Determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and subsequent notification to the Electricity Information Sharing and Analysis Center (E-ISAC), unless prohibited by law;
4.3 Identification of the roles and responsibilities for Cyber Security Incident response by groups or individuals;
4.4 Incident handling for Cyber Security Incidents;
4.5 Testing the Cyber Security Incident response plan(s) at least once every 36 calendar months by: (1) responding to an actual Reportable Cyber Security Incident; (2) using a drill or tabletop exercise of a Reportable Cyber Security Incident; or (3) using an operational exercise of a Reportable Cyber Security Incident; and
4.6 Updating the Cyber Security Incident response plan(s), if needed, within 180 calendar days after completion of a Cyber Security Incident response plan(s) test or actual Reportable Cyber Security Incident.
CIP-003-6 - Attachment 2
Examples of Evidence for Cyber Security Plan(s) for Assets Containing Low Impact BES Cyber Systems
Section 1. Cyber Security Awareness: An example of evidence for Section 1 may include, but is not limited to, documentation that the reinforcement of cyber security practices occurred at least once every 15 calendar months. The evidence could be documentation through one or more of the following methods:
Direct communications (for example, e-mails, memos, or computer-based training);
Indirect communications (for example, posters, intranet, or brochures); or
Management support and reinforcement (for example, presentations or meetings).
Section 2. Physical Security Controls: Examples of evidence for Section 2 may include, but are not limited to:
Documentation of the selected access control(s) (e.g., card key, locks, perimeter controls), monitoring controls (e.g., alarm systems, human observation), or other operational, procedural, or technical physical security controls that control physical access to both:
a. The asset, if any, or the locations of the low impact BES Cyber Systems within the asset; and
b. The Cyber Asset specified by the Responsible Entity that provides electronic access controls implemented for Section 3.1, if any.
Section 3. Electronic Access Controls: Examples of evidence for Section 3 may include, but are not limited to:
1. Documentation, such as representative diagrams or lists of implemented electronic access controls (e.g., restricting IP addresses, ports, or services; authenticating users; air-gapping networks; terminating routable protocol sessions on a non-BES Cyber Asset; implementing unidirectional gateways), showing that LERC at each asset or group of assets containing low impact BES Cyber Systems is confined to only that access the Responsible Entity deems necessary; and
2. Documentation of authentication for Dial-up Connectivity (e.g., dial-out only to a preprogrammed number to deliver data, dial-back modems, modems that must be remotely controlled by the control center or control room, or access control on the BES Cyber System).
Section 4. Cyber Security Incident Response: An example of evidence for Section 4 may include, but is not limited to, dated documentation, such as policies, procedures, or process documents of one or more Cyber Security Incident response plan(s) developed either by asset or group of assets that include the following processes:
1. to identify, classify, and respond to Cyber Security Incidents; to determine whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and for notifying the Electricity Sector Information Sharing and Analysis Center (ES-ISAC);
2. to identify and document the roles and responsibilities for Cyber Security Incident response by groups or individuals (e.g., initiating, documenting, monitoring, reporting, etc.);
3. for incident handling of a Cyber Security Incident (e.g., containment, eradication, or recovery/incident resolution);
4. for testing the plan(s) along with the dated documentation that a test has been completed at least once every 36 calendar months; and
5. to update, as needed, Cyber Security Incident response plan(s) within 180 calendar days after completion of a test or actual Reportable Cyber Security Incident.
Guidelines and Technical Basis CIP-003-7 Supplemental Material
Guidelines and Technical Basis
Section 4 Scope of Applicability of the CIP Cyber Security Standards
Section 4. Applicability of the standards provides important information for Responsible Entities to determine the scope of the applicability of the CIP Cyber Security Requirements.
Section 4.1. Functional Entities is a list of NERC functional entities to which the standard applies. If the entity is registered as one or more of the functional entities listed in Section 4.1, then the NERC CIP Cyber Security Standards apply. Note that there is a qualification in Section 4.1 that restricts the applicability in the case of Distribution Providers to only those that own certain types of systems and equipment listed in 4.2.
Section 4.2. Facilities defines the scope of the Facilities, systems, and equipment owned by the Responsible Entity, as qualified in Section 4.1, that is subject to the requirements of the standard. In addition to the set of BES Facilities, Control Centers, and other systems and equipment, the list includes the set of systems and equipment owned by Distribution Providers. While the NERC Glossary term Facilities already includes the BES characteristic, the additional use of the term BES here is meant to reinforce the scope of applicability of these Facilities where it is used, especially in this applicability scoping section. This in effect sets the scope of Facilities, systems, and equipment that is subject to the standards.
Requirement R1:
In developing policies in compliance with Requirement R1, the number of policies and their content should be guided by a Responsible Entity's management structure and operating conditions. Policies might be included as part of a general information security program for the entire organization, or as components of specific programs. The Responsible Entity has the flexibility to develop a single comprehensive cyber security policy covering the required topics, or it may choose to develop a single high-level umbrella policy and provide additional policy detail in lower-level documents in its documentation hierarchy. In the case of a high-level umbrella policy, the Responsible Entity would be expected to provide the high-level policy as well as the additional documentation in order to demonstrate compliance with CIP-003-7, Requirement R1.
If a Responsible Entity has any high or medium impact BES Cyber Systems, the one or more cyber security policies must cover the nine subject matter areas required by CIP-003-7, Requirement R1, Part 1.1. If a Responsible Entity has identified from CIP-002 any assets containing low impact BES Cyber Systems, also referred to herein as BES assets, the one or more cyber security policies must cover the four subject matter areas required by Requirement R1, Part 1.2.
Responsible Entities that have multiple impact-rated BES Cyber Systems are not required to create separate cyber security policies for high, medium, or low impact BES Cyber Systems. The Responsible Entities have the flexibility to develop policies that cover all three impact ratings.
Implementation of the cyber security policy is not specifically included in CIP-003-7, Requirement R1, as it is envisioned that the implementation of this policy is evidenced through successful implementation of CIP-003 through CIP-011. However, Responsible Entities are encouraged not to limit the scope of their cyber security policies to only those requirements in NERC cyber security Reliability Standards, but to develop a holistic cyber security policy appropriate for its organization. Elements of a policy that extend beyond the scope of NERC's cyber security Reliability Standards will not be considered candidates for potential violations, although they will help demonstrate the organization's internal culture of compliance and posture towards cyber security.
For Part 1.1, the Responsible Entity should consider the following for each of the required topics in its one or more cyber security policies for medium and high impact BES Cyber Systems, if any:
1.1.1 Personnel and training (CIP-004)
o Organization position on acceptable background investigations
o Identification of possible disciplinary action for violating this policy
o Account management
1.1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access
o Organization stance on use of wireless networks
o Identification of acceptable authentication methods
o Identification of trusted and untrusted resources
o Monitoring and logging of ingress and egress at Electronic Access Points
o Maintaining up-to-date anti-malware software before initiating Interactive Remote Access
o Maintaining up-to-date patch levels for operating systems and applications used to initiate Interactive Remote Access
o Disabling VPN split-tunneling or dual-homed workstations before initiating Interactive Remote Access
o For vendors, contractors, or consultants: include language in contracts that requires adherence to the Responsible Entity's Interactive Remote Access controls
1.1.3 Physical security of BES Cyber Systems (CIP-006)
o Strategy for protecting Cyber Assets from unauthorized physical access
o Acceptable physical access control methods
o Monitoring and logging of physical ingress
1.1.4 System security management (CIP-007)
o Strategies for system hardening
o Acceptable methods of authentication and access control
o Password policies including length, complexity, enforcement, prevention of brute force attempts
o Monitoring and logging of BES Cyber Systems
1.1.5 Incident reporting and response planning (CIP-008)
o Recognition of Cyber Security Incidents
o Appropriate notifications upon discovery of an incident
o Obligations to report Cyber Security Incidents
1.1.6 Recovery plans for BES Cyber Systems (CIP-009)
o Availability of spare components
o Availability of system backups
1.1.7 Configuration change management and vulnerability assessments (CIP-010)
o Initiation of change requests
o Approval of changes
o Break-fix processes
1.1.8 Information protection (CIP-011)
o Information access control methods
o Notification of unauthorized information disclosure
o Information access on a need-to-know basis
1.1.9 Declaring and responding to CIP Exceptional Circumstances
o Processes to invoke special procedures in the event of a CIP Exceptional Circumstance
o Processes to allow for exceptions to policy that do not violate CIP requirements
Requirements relating to exceptions to a Responsible Entity's security policies were removed because it is a general management issue that is not within the scope of a reliability requirement. It is an internal policy requirement and not a reliability requirement. However, Responsible Entities are encouraged to continue this practice as a component of their cyber security policies.
In this and all subsequent required approvals in the NERC CIP Reliability Standards, the Responsible Entity may elect to use hard copy or electronic approvals to the extent that there is sufficient evidence to ensure the authenticity of the approving party.
Requirement R2:
Using the list of assets containing low impact BES Cyber Systems from CIP-002, the intent of the requirement is for each Responsible Entity to create, document, and implement one or more cyber security plan(s) that addresses objective criteria for the protection of low impact BES Cyber Systems. The protections required by Requirement R2 reflect the level of risk that misuse or the unavailability of low impact BES Cyber Systems poses to the BES. The intent is that the required protections are part of a program that covers the low impact BES Cyber Systems collectively either at an asset or site level (assets containing low impact BES Cyber Systems), but not at an individual device or system level.
There are four subject matter areas, as identified in Attachment 1, that must be covered by the cyber security plan: (1) cyber security awareness, (2) physical security controls, (3) electronic access controls for LERC and Dial-up Connectivity, and (4) Cyber Security Incident response.
Requirement R2, Attachment 1
As noted, Attachment 1 contains the sections that must be in the cyber security plan(s). The intent is to allow entities that have a combination of high, medium, and low impact BES Cyber Systems the flexibility to choose, if desired, to cover their low impact BES Cyber Systems (or any subset) under their programs used for the high or medium impact BES Cyber Systems rather than maintain two separate programs. Guidance for each of the four subject matter areas of Attachment 1 is provided below.
Requirement R2, Attachment 1, Section 1 Cyber Security Awareness
The intent of the cyber security awareness program is for entities to reinforce good cyber security practices with their personnel at least once every 15 calendar months. The entity has the discretion to determine the topics to be addressed and the manner in which it will communicate these topics. As evidence of compliance, the Responsible Entity should be able to produce the awareness material that was delivered according to the delivery method(s) (e.g., posters, e-mails, or topics at staff meetings, etc.). The Responsible Entity is not required to maintain lists of recipients and track the reception of the awareness material by personnel.
Although the focus of the awareness is cyber security, it does not mean that only technology-related topics can be included in the program. Appropriate physical security topics (e.g., tailgating awareness and protection of badges for physical security, or "If you see something, say something" campaigns, etc.) are valid for cyber security awareness. The intent is to cover topics concerning any aspect of the protection of BES Cyber Systems.
Requirement R2, Attachment 1, Section 2 Physical Security Controls
The Responsible Entity must document and implement methods to control physical access to (1) the asset or the locations of low impact BES Cyber Systems within the asset, and (2) Cyber Assets that implement the electronic access control(s) specified by the Responsible Entity in Section 3, if any. If these Cyber Assets are located within the BES asset and inherit the same controls outlined in Section 2, this can be noted by the Responsible Entity in either its policies or cyber security plan(s) to avoid duplicate documentation of the same controls.
The Responsible Entity has the flexibility in the selection of the methods used to meet the objective to control physical access to the asset(s) containing low impact BES Cyber System(s) or the low impact BES Cyber Systems themselves, as well as physical protection of the electronic access control Cyber Assets specified by the Responsible Entity, if any. The Responsible Entity may use one or a combination of access controls, monitoring controls, or other operational, procedural, or technical physical security controls. Entities may use perimeter controls (e.g., fences with locked gates, guards, or site access policies, etc.) or more granular areas of physical access control in areas where low impact BES Cyber Systems are located, such as control rooms or control houses. User authorization programs and lists of authorized users for physical access are not required, although they are an option to meet the security objective.
The objective is to control the physical access based on need as determined by the Responsible Entity. The need can be documented at the policy level for access to the site or systems. The requirement does not obligate an entity to specify a need for each access or authorization of a user for access.
Monitoring as a physical security control can be used as a complement or an alternative to access control. Examples of monitoring controls include, but are not limited to: (1) alarm systems to detect motion or entry into a controlled area, or (2) human observation of a controlled area. Monitoring does not necessarily require logging and maintaining logs but could include monitoring that physical access has occurred or been attempted (e.g., door alarm, or human observation, etc.). The monitoring does not need to be per low impact BES Cyber System but should be at the appropriate level to meet the security objective.
Requirement R2, Attachment 1, Section 3 Electronic Access Controls
Section 3 requires the establishment of electronic access controls for assets containing low impact BES Cyber Systems, also referred to herein as BES assets, when LERC or Dial-up Connectivity is present. The establishment of electronic access controls is intended to control communication either into the asset containing low impact BES Cyber System(s) or to the low impact BES Cyber System itself, to reduce the risks associated with uncontrolled communication using routable protocols or Dial-up Connectivity. The term electronic access control is used in the general sense, i.e., to control access, and not in the specific technical sense requiring authentication, authorization, and auditing. In the case where there is no LERC or Dial-up Connectivity present, the Responsible Entity can document the absence of such communication in its low impact cyber security plan(s).
When identifying electronic access controls, Responsible Entities are provided flexibility in the selection of the controls that meet their operational needs while meeting the security objective of allowing only necessary electronic access to low impact BES Cyber Systems.
In essence, Responsible Entities are to determine LERC or Dial-up Connectivity for their BES assets and then, if present, document and implement electronic access control(s).
Determining LERC
The term Low Impact External Routable Communication (LERC) is used to avoid confusion with the similar term External Routable Connectivity (ERC) used for high and medium impact BES Cyber Systems, as these terms are different concepts. The input to this requirement from CIP-002 is a list of assets containing low impact BES Cyber Systems; therefore LERC is an attribute of a BES asset and involves routable protocol communications to or from the BES asset (crossing the asset boundary) without regard to connectivity to Cyber Assets within the BES asset. ERC, on the other hand, is an attribute of an individual high or medium impact BES Cyber System and is relative to an Electronic Security Perimeter (ESP).
With LERC being a BES asset-level attribute, it is used as a higher-level filter to exclude from further consideration those assets containing low impact BES Cyber Systems that have no routable protocol communications to them from outside the BES asset. Responsible Entities can then concentrate their electronic access control efforts on those BES assets that do have LERC. However, this also means that LERC can exist for a BES asset even if there is no routable protocol connectivity to any low impact BES Cyber System within the BES asset. In order to avoid future technology issues, the LERC definition specifically excludes communications between intelligent electronic devices that use routable communication protocols for time-sensitive protection or control functions between non-Control Center BES assets containing low impact BES Cyber Systems, such as IEC 61850 messaging. This does not exclude Control Center-to-field communication but rather excludes the communication between the intelligent electronic devices themselves (e.g., relays) in the field. A Responsible Entity using this technology is not expected to implement the electronic access controls noted herein. This exception was included so as not to inhibit the functionality of the time-sensitive requirements related to this technology nor to preclude the use of such time-sensitive reliability-enhancing functions if they use a routable protocol in the future.
Determining Asset Boundary
As LERC is a BES asset-level attribute, it involves a determination by the Responsible Entity of a BES asset boundary for their assets containing low impact BES Cyber Systems. This boundary will vary by BES asset type (Control Center, substation, generation resource) and the specific configuration of the BES asset. The intent is for the Responsible Entity to define the BES asset boundary such that the low impact BES Cyber System(s) that are located at the BES asset are contained within the BES asset boundary. This is strictly for determining what constitutes the BES asset and for determining which routable protocol communications and networks are internal or inside or local to the BES asset and which are external to or outside the BES asset. This is not an Electronic Security Perimeter or Physical Security Perimeter as defined for medium and high impact BES Cyber Systems. For the asset containing low impact BES Cyber System(s), the BES asset boundary is synonymous to the concept of a logical border demarcation where routable protocol communication (e.g., LERC) enters and exits the BES asset containing the low impact BES Cyber System. Some examples of ways a Responsible Entity may determine BES asset boundaries are:
For Control Centers:
o Designated areas (room(s) or floor(s)) if the Control Center is located within a larger building.
o A building if in a dedicated building on a shared campus.
o The property/fence line if the Control Center is a dedicated facility on dedicated property.
For substations, this could be the property/fence line or the control house.
For generation resources:
o Fossil/hydro generating facilities: This could be the property/fence line. If pumps or wells or other equipment that are part of the plant asset are outside the property line, then the BES asset boundary could expand to accommodate all that is considered part of the plant.
o Solar farms: This could be the property line(s) or fence(s) surrounding all solar panels and interconnection facilities.
o Wind farms: This could be the collection of individual turbines plus the equipment needed for interconnection.
o Cogeneration facilities: This could be the identified portion of the larger plant that performs generation.
Determining Electronic Access Controls
Once a Responsible Entity has determined that LERC exists at the BES asset boundary, the Responsible Entity documents and implements its chosen electronic access control(s). The control(s) must allow only necessary access as determined by the Responsible Entity, and the Responsible Entity needs to be able to explain the reasons for the electronic access permitted with its electronic access controls. The reasoning for the necessary access controls can be documented within the Responsible Entity's cyber security plan(s) or other policies or procedures associated with the electronic access controls.
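The determination described in the Determining LERC and Determining Electronic Access Controls passages, worked through as an added Python example that is not part of the standard: the Asset and Flow records, the asset names, the communication flows and the plan entries are constructed assumptions, and the exclusion logic follows the IED-to-IED discussion above.

```python
"""Worked illustration of the LERC determination and the Section 3.1 review
(added example; assets, flows and control records below are constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    is_control_center: bool
    on_cip002_low_list: bool  # listed in CIP-002 as containing low impact BES Cyber Systems


@dataclass(frozen=True)
class Flow:
    """One communication path between two BES assets. LERC is an asset-level
    attribute, so flows are recorded between asset boundaries, not devices."""
    src: str
    dst: str
    protocol: str
    routable: bool
    ied_time_sensitive: bool = False  # IED-to-IED protection/control (e.g., IEC 61850 messaging)


def is_excluded(flow: Flow, assets: dict) -> bool:
    """The LERC definition excludes routable IED-to-IED time-sensitive
    protection/control traffic between non-Control Center BES assets.
    Control Center-to-field traffic is never excluded."""
    if not flow.ied_time_sensitive:
        return False
    endpoints = (assets[flow.src], assets[flow.dst])
    return not any(a.is_control_center for a in endpoints)


def has_lerc(asset_name: str, flows: list, assets: dict) -> bool:
    """LERC exists when any non-excluded routable protocol communication
    crosses the asset boundary (one endpoint inside, one outside), regardless
    of which Cyber Asset inside the BES asset it reaches."""
    for flow in flows:
        if not flow.routable or is_excluded(flow, assets):
            continue
        if (flow.src == asset_name) != (flow.dst == asset_name):
            return True
    return False


def lerc_inventory(assets: dict, flows: list) -> dict:
    """Map every asset on the CIP-002 low impact list to its LERC attribute."""
    return {a.name: has_lerc(a.name, flows, assets)
            for a in assets.values() if a.on_cip002_low_list}


def review_plan(assets: dict, flows: list, controls: dict) -> list:
    """controls maps asset name -> text of the documented electronic access
    control(s), or of the documented absence of LERC. Returns findings."""
    findings = []
    for name, lerc in lerc_inventory(assets, flows).items():
        if lerc and name not in controls:
            findings.append(f"{name}: LERC present but no electronic access "
                            "control documented (Attachment 1, Section 3.1)")
        elif not lerc and name not in controls:
            findings.append(f"{name}: no LERC; document its absence in the "
                            "cyber security plan")
    return findings


# Constructed sample inventory (not from the standard).
SAMPLE_ASSETS = {a.name: a for a in [
    Asset("Control Center", is_control_center=True, on_cip002_low_list=False),
    Asset("Substation A", False, True),
    Asset("Substation B", False, True),
    Asset("Plant C", False, True),
    Asset("Plant D", False, True),
]}
SAMPLE_FLOWS = [
    # SCADA polling over TCP/IP crosses Substation A's boundary: LERC.
    Flow("Control Center", "Substation A", "DNP3 over TCP/IP", routable=True),
    # Relay-to-relay IEC 61850 between two substations: excluded by definition.
    Flow("Substation A", "Substation B", "IEC 61850 GOOSE", routable=True,
         ied_time_sensitive=True),
    # Serial-only link: not routable, so no LERC at Plant C.
    Flow("Control Center", "Plant C", "Modbus RTU (serial)", routable=False),
    # Control Center-to-field IEC 61850 is not excluded: LERC at Plant D.
    Flow("Control Center", "Plant D", "IEC 61850 MMS", routable=True,
         ied_time_sensitive=True),
]
SAMPLE_CONTROLS = {
    "Substation A": "network security device permits only SCADA master to RTU",
    "Plant C": "no LERC: serial-only communications documented in plan",
}


def demo() -> list:
    """Run the review on the constructed sample; returns the findings list."""
    return review_plan(SAMPLE_ASSETS, SAMPLE_FLOWS, SAMPLE_CONTROLS)


if __name__ == "__main__":
    for asset, lerc in lerc_inventory(SAMPLE_ASSETS, SAMPLE_FLOWS).items():
        print(f"{asset}: LERC={'yes' if lerc else 'no'}")
    for finding in demo():
        print("FINDING:", finding)
```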
Concept Diagrams
The diagrams on the following pages are provided as examples to illustrate various electronic access controls at a conceptual level. Regardless of the concepts or configurations chosen by the Responsible Entity, the security objective of permitting only necessary access to low impact BES Cyber Systems must be met when there is LERC to a BES asset.
NOTE:
This is not an exhaustive list of applicable concepts.
LERC is present in each diagram.
The same legend is used in each diagram; however, the diagram may not contain all of the articles represented in the legend.
The term BES Asset Boundary is capitalized in the diagrams but it is not a defined term.
LERC Reference Model 1 Physical Isolation
The Responsible Entity may choose to physically isolate the low impact BES Cyber System(s) from the LERC. This control is commonly referred to as an air gap. The serial non-routable protocol connection and the routable protocol LERC are completely isolated from each other. There is no equipment shared with the low impact BES Cyber System(s).
Reference Model 1
LERC Reference Model 2 Logical Isolation
The Responsible Entity may choose to logically isolate the low impact BES Cyber System(s) from the LERC. The low impact BES Cyber System(s) is on an isolated network segment with logical controls preventing routable protocol communication into or out of the network containing the low impact BES Cyber System(s).
Reference Model 2
LERC Reference Model 3 Host-based Inbound & Outbound Access Permissions
The Responsible Entity may choose to utilize a host-based firewall technology on the low impact BES Cyber System(s) that manages electronic access permissions so that only necessary inbound and outbound routable protocol access is allowed to the low impact BES Cyber System(s).
Reference Model 3
LERC Reference Model 4 Network-based Inbound & Outbound Access Permissions
The Responsible Entity may choose to utilize a security device that permits only necessary access to the low impact BES Cyber System(s) within the BES asset. In this example, two low impact BES Cyber Systems are accessed over the LERC as the IP/Serial converter is continuing the same communications session from device(s) outside the BES asset boundary to the low impact BES Cyber Systems. The security device provides the electronic access controls to permit only necessary inbound and outbound routable protocol access to the low impact BES Cyber Systems.
Reference Model 4
LERC Reference Model 5 Centralized Network-based Inbound & Outbound Access Permissions
The Responsible Entity may choose to utilize a security device at a centralized location that may or may not be another BES asset. The electronic access control(s) do not necessarily have to reside inside the asset containing the low impact BES Cyber System(s). A security device is in place at Location X to act as the electronic access control and permit only necessary inbound and outbound routable protocol access to the low impact BES Cyber System(s). Care should be taken that electronic access to or between each BES asset is through the electronic access controls at the centralized location.
Reference Model 5
LERC Reference Model 6 Uni-directional Gateway
The Responsible Entity may choose to utilize a unidirectional gateway as the electronic access control. The low impact BES Cyber System(s) is not accessible (data cannot flow into the low impact BES Cyber System) from the LERC due to the implementation of a one-way (unidirectional) path for data to flow across the BES asset boundary.
Reference Model 6
LERC Reference Model 7 User Authentication
The Responsible Entity may choose to utilize a non-BES Cyber Asset between the network outside the BES asset boundary and the low impact BES Cyber System to perform user authentication for interactive access. The non-BES Cyber Asset would require authentication before establishing a new connection to the low impact BES Cyber System. The electronic access control depicted in this reference model may not meet the security objective for controlling device-to-device communication across the LERC depending on the specific system configuration in place.
Reference Model 7
LERC Reference Model 8 Session Termination
The Responsible Entity may choose to terminate routable protocol application sessions at a non-BES Cyber Asset inside the asset containing the low impact BES Cyber System(s) such that a separate application session is established to the low impact BES Cyber System(s) from the non-BES Cyber Asset (the routable session from outside the BES asset). The Responsible Entity may choose to authenticate access at a non-BES Cyber Asset either outside the BES asset boundary or inside the asset containing the low impact BES Cyber System(s) such that unauthenticated access to the low impact BES Cyber System(s) is prohibited. The non-BES Cyber Asset sits on a demilitarized zone (DMZ) between the network outside the BES asset boundary and the low impact BES Cyber System(s). The non-BES Cyber Asset in the DMZ terminates the routable protocol session and establishes a new session to the low impact BES Cyber System(s). Additionally, a security device permits traffic from the network outside the BES asset boundary to flow only to and from the non-BES Cyber Asset in the DMZ (the routable session to the low impact BES Cyber System).
Reference Model 8
LERC Reference Model 9 LERC and ERC
There is both LERC and ERC present in this reference model because there is at least one medium impact BES Cyber System and one low impact BES Cyber System within the BES asset. The Responsible Entity may choose to leverage an interface on the medium impact Electronic Access Control or Monitoring Systems (EACMS) device to provide electronic access controls for the LERC. The EACMS is therefore performing multiple functions as a medium impact EACMS and as implementing low impact electronic access controls.
Reference Model 9
When determining whether there is LERC to the low impact BES Cyber System, the definition uses the phrases direct user-initiated interactive access or a direct device-to-device connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bi-directional routable protocol connection. The intent of direct in the definition is to indicate LERC exists if a person is sitting at another device outside of the asset containing the low impact BES Cyber System, and the person can connect to logon, configure, read, or interact, etc. with the low impact BES Cyber System using a bi-directional routable protocol within a single end-to-end protocol session even if there is a serial-to-routable protocol conversion. The reverse case would also be LERC, in which the individual sits at the low impact BES Cyber System and connects to a device outside the asset containing low impact BES Cyber Systems using a single end-to-end bi-directional routable protocol session. Additionally, for device-to-device connection, LERC exists if the Responsible Entity has devices outside of the asset containing the low impact BES Cyber System sending or receiving bi-directional routable communication to or from the low impact BES Cyber System. When identifying a LEAP, Responsible Entities are provided flexibility in the selection of the interface on a Cyber Asset that controls the LERC. Examples include, but are not limited to, the internal (facing the low impact BES Cyber Systems) interface on an external or host-based firewall, the internal interface on a router that has implemented an access control list (ACL), or other security device. The entity also has flexibility with respect to the location of the LEAP. LEAPs are not required to reside at the asset containing the low impact BES Cyber Systems. Furthermore, the entity is not required to establish a unique physical LEAP per asset containing low impact BES Cyber Systems. 
Responsible Entities can have a single Cyber Asset containing multiple LEAPs that controls the LERC for more than one asset containing low impact BES Cyber Systems. Locating the Cyber Asset with multiple LEAPs at an external location with multiple assets containing low impact BES Cyber Systems behind it, however, should not allow uncontrolled access to assets containing low impact BES Cyber Systems sharing a Cyber Asset containing the LEAP(s). In Reference Model 4, the communication flows through an IP/Serial converter. LERC is correctly identified in this Reference Model because the IP/Serial converter in this instance is doing nothing more than extending the communication between the low impact BES Cyber System and the Cyber Asset outside the asset containing the low impact BES Cyber System. In contrast, Reference Model 6 has placed a Cyber Asset that performs a complete break or interruption that does not allow the user or device data flow to directly communicate with the low impact BES Cyber System. The Cyber Asset in Reference Model 6 is preventing extending access to the low impact BES Cyber System from the Cyber Asset outside the asset containing the low impact BES Cyber System. The intent is that if the IP/Serial converter that is deployed only does a pass-through of the data flow communication, then that pass-through data flow communication is LERC and a LEAP is required. However, if that IP/Serial converter performs some type of authentication in the data flow at the asset containing the low impact BES Cyber System before the communication can be sent to the low impact BES Cyber System, then that type of IP/Serial converter implementation is not LERC.
GuidelinesandTechnicalBasisCIP0037SupplementalMaterial
PageDraft1ofCIP0037July2016 Page43of54
A Cyber Asset that contains interface(s) that only perform the function of a LEAP does not meet the definition of Electronic Access Control or Monitoring System (EACMS) associated with medium or high impact BES Cyber Systems and is not subject to the requirements applicable to an EACMS. However, a Cyber Asset may contain some interfaces that function as a LEAP and other interfaces that function as an EAP for high or medium impact BES Cyber Systems. In this case, the Cyber Asset would also be subject to the requirements applicable to the EACMS associated with the medium or high impact BES Cyber Systems. Examples of sufficient access controls may include:
Any LERC for the asset passes through a LEAP with explicit inbound and outbound access permissions defined, or equivalent method by which both inbound and outbound connections are confined to only those that the Responsible Entity deems necessary (e.g., IP addresses, ports, or services).
As shown in Reference Model 1 below, the low impact BES Cyber System has a host-based firewall that is controlling the inbound and outbound access. In this model, it is also possible that the host-based firewall could be on a non-BES Cyber Asset. The intent is that the host-based firewall controls the inbound and outbound access between the low impact BES Cyber System and the Cyber Asset in the business network.
As shown in Reference Model 5 below, a non-BES Cyber Asset has been placed between the low impact BES Cyber System on the substation network and the Cyber Asset in the business network. The expectation is that the non-BES Cyber Asset has provided a protocol break so that access to the low impact BES Cyber System is only from the non-BES Cyber Asset that is located within the asset containing the low impact BES Cyber System.
Dial-up Connectivity
Dial-up Connectivity to a low impact BES Cyber System is set to dial-out only (no auto-answer) to a preprogrammed number to deliver data. Incoming Dial-up Connectivity is to a dial-back modem, a modem that must be remotely controlled by the control center or control room, has some form of access control, or the low impact BES Cyber System has access control.
Insufficient Access Controls Someexamplesofsituationsthatwouldlacksufficientaccesscontrolstomeettheintentofthisrequirementinclude:
An asset has Dial-up Connectivity and a low impact BES Cyber System is reachable via an auto-answer modem that connects any caller to the Cyber Asset that has a default password. There is no practical access control in this instance.
An asset has LERC due to a BES Cyber System within it having a wireless card on a public carrier that allows the BES Cyber System to be reachable via a public IP address. In essence, low impact BES Cyber Systems should not be accessible from the Internet and search engines such as Shodan.
In Reference Model 5, using just dual-homing or multiple network interface cards without disabling IP forwarding in the non-BES Cyber Asset within the DMZ to provide separation between the low impact BES Cyber System(s) and the business/external network would not meet the intent of controlling inbound and outbound electronic access, assuming there was no other host-based firewall or other security device(s) on the non-BES Cyber Asset.
Guidelines and Technical Basis CIP-003-7 Supplemental Material
Draft 1 of CIP-003-7, July 2016 Page 44 of 54
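As an added example, not part of the draft standard, the following self-check applies the sufficient and insufficient electronic access control examples above to a constructed description of an asset; the field names and the three sample assets are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class AssetAccess:
    """Constructed description of one asset containing low impact BES Cyber Systems.
    Field names are assumptions for this example, not terms from the standard."""
    name: str
    lerc: bool = False                 # routable protocol communication crosses the asset boundary
    inbound_confined: bool = False     # explicit inbound permissions (LEAP or host-based firewall)
    outbound_confined: bool = False    # explicit outbound permissions
    protocol_break: bool = False       # Reference Model 5: non-BES Cyber Asset between the networks
    dmz_ip_forwarding: bool = False    # that dual-homed non-BES Cyber Asset still forwards IP
    public_ip_reachable: bool = False  # e.g. wireless card on a public carrier
    dialup: bool = False
    dial_out_only: bool = False        # no auto-answer, dials a preprogrammed number
    dialback_or_access_control: bool = False
    default_password: bool = False     # a default password is not practical access control


def assess(asset: AssetAccess) -> List[str]:
    """Return findings; an empty list means the sufficient-control examples are met."""
    findings = []
    if asset.lerc:
        confined = asset.inbound_confined and asset.outbound_confined
        if asset.public_ip_reachable:
            findings.append("LERC: BES Cyber System reachable via a public IP address")
        if asset.protocol_break:
            # Dual-homing alone is not separation: IP forwarding must be disabled,
            # or a host-based firewall must confine traffic on the DMZ host.
            if asset.dmz_ip_forwarding and not confined:
                findings.append("LERC: DMZ host forwards IP with no host-based firewall")
        elif not confined:
            findings.append("LERC: inbound and outbound access not both confined")
    if asset.dialup:
        controlled = asset.dial_out_only or (
            asset.dialback_or_access_control and not asset.default_password)
        if not controlled:
            findings.append("Dial-up: auto-answer modem without dial-back or effective access control")
    return findings


if __name__ == "__main__":
    # Constructed sample assets mirroring the guidance examples above.
    model1 = AssetAccess("substation A", lerc=True, inbound_confined=True, outbound_confined=True)
    dmz = AssetAccess("substation B", lerc=True, protocol_break=True, dmz_ip_forwarding=True)
    modem = AssetAccess("substation C", dialup=True, dialback_or_access_control=True, default_password=True)
    for a in (model1, dmz, modem):
        print(a.name, assess(a) or ["meets the intent"])
```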
The following diagrams provide reference examples intended to illustrate how to determine whether there is LERC and for implementing a LEAP. While these diagrams identify several possible configurations, Responsible Entities may have additional configurations not identified below.
[Reference Model diagrams, pages 45 through 50 of the draft, are not reproduced in this text.]
Requirement R2, Attachment 1, Section 4 Cyber Security Incident Response
The entity should have one or more documented Cyber Security Incident response plan(s) that include each of the topics listed in Section 4. If, in the normal course of business, suspicious activities are noted at an asset containing low impact BES Cyber System(s), the intent is for the entity to implement a Cyber Security Incident response plan that will guide the entity in responding to the incident and reporting the incident if it rises to the level of a Reportable Cyber Security Incident.
Entities are provided the flexibility to develop their Attachment 1, Section 4 Cyber Security Incident response plan(s) by asset or group of assets. The plans do not need to be on a per asset site or per low impact BES Cyber System basis. Entities can choose to use a single enterprise-wide plan to fulfill the obligations for low impact BES Cyber Systems.
The plan(s) must be tested once every 36 months. This is not an exercise per low impact BES Cyber Asset or per type of BES Cyber Asset but rather is an exercise of each incident response plan the entity created to meet this requirement. An actual Reportable Cyber Security Incident counts as an exercise, as do other forms of tabletop exercises or drills. NERC-led exercises such as GridEx participation would also count as an exercise provided the entity's response plan is followed. The intent of the requirement is for entities to keep the Cyber Security Incident response plan(s) current, which includes updating the plan(s), if needed, within 180 days following a test or an actual incident.
For low impact BES Cyber Systems, the only portion of the definition of Cyber Security Incident that would apply is "A malicious act or suspicious event that disrupts, or was an attempt to disrupt, the operation of a BES Cyber System." The other portion of that definition is not to be used to require ESPs and PSPs for low impact BES Cyber Systems.
Requirement R3: The intent of CIP-003-7, Requirement R3 is effectively unchanged since prior versions of the standard. The specific description of the CIP Senior Manager has now been included as a defined term rather than clarified in the Reliability Standard itself to prevent any unnecessary cross-reference to this standard. It is expected that the CIP Senior Manager will play a key role in ensuring proper strategic planning, executive/board-level awareness, and overall program governance.
Requirement R4: As indicated in the rationale for CIP-003-7, Requirement R4, this requirement is intended to demonstrate a clear line of authority and ownership for security matters. The intent of the SDT was not to impose any particular organizational structure, but, rather, the intent is to afford the Responsible Entity significant flexibility to adapt this requirement to its existing organizational structure. A Responsible Entity may satisfy this requirement through a single delegation document or through multiple delegation documents. The Responsible Entity can make use of the delegation of the delegation authority itself to increase the flexibility in how this applies to its organization. In such a case, delegations may exist in numerous documentation records as long as the collection of these documentation records shows a clear line of authority back to the CIP Senior Manager. In addition, the CIP Senior Manager could also choose not to delegate any authority and meet this requirement without such delegation documentation.
The Responsible Entity must keep its documentation of the CIP Senior Manager and any delegations up to date. This is to ensure that individuals do not assume any undocumented authority. However, delegations do not have to be reinstated if the individual who delegated the task changes roles or the individual is replaced. For instance, assume that John Doe is named the CIP Senior Manager and he delegates a specific task to the Substation Maintenance Manager. If John Doe is replaced as the CIP Senior Manager, the CIP Senior Manager documentation must be updated within the specified timeframe, but the existing delegation to the Substation Maintenance Manager remains in effect as approved by the previous CIP Senior Manager, John Doe.
Rationale: During development of this standard, text boxes were embedded within the standard to explain the rationale for various parts of the standard. Upon BOT approval, the text from the rationale text boxes was moved to this section.
Rationale for Requirement R1: One or more security policies enable effective implementation of the requirements of the cyber security Reliability Standards. The purpose of policies is to provide a management and governance foundation for all requirements that apply to a Responsible Entity's BES Cyber Systems. The Responsible Entity can demonstrate through its policies that its management supports the accountability and responsibility necessary for effective implementation of the requirements.
Annual review and approval of the cyber security policies ensures that the policies are kept up to date and periodically reaffirms management's commitment to the protection of its BES Cyber Systems.
Rationale for Requirement R2: In response to FERC Order No. 791, Requirement R2 requires entities to develop and implement cyber security plans to meet specific security control objectives for assets containing low impact BES Cyber System(s). The cyber security plan(s) covers four subject matter areas: (1) cyber security awareness; (2) physical security controls; (3) electronic access controls; and (4) Cyber Security Incident response. This plan(s), along with the cyber security policies required under Requirement R1, Part 1.2, provides a framework for operational, procedural, and technical safeguards for low impact BES Cyber Systems.
Considering the varied types of low impact BES Cyber Systems across the BES, Attachment 1 provides Responsible Entities flexibility on how to apply the security controls to meet the security objectives. Additionally, because many Responsible Entities have multiple impact rated BES Cyber Systems, nothing in the requirement prohibits entities from using their high and medium impact BES Cyber System policies, procedures, and processes to implement security controls required for low impact BES Cyber Systems, as detailed in Requirement R2, Attachment 1.
Responsible Entities will use their identified assets containing low impact BES Cyber System(s) (developed pursuant to CIP-002) to substantiate the sites or locations associated with low impact BES Cyber System(s). However, there is no requirement or compliance expectation for Responsible Entities to maintain a list(s) of individual low impact BES Cyber System(s) and their associated cyber assets or to maintain a list of authorized users.
Rationale for Requirement R3: The identification and documentation of the single CIP Senior Manager ensures that there is clear authority and ownership for the CIP program within an organization, as called for in Blackout Report Recommendation 43. The language that identifies CIP Senior Manager responsibilities is included in the Glossary of Terms used in NERC Reliability Standards so that it may be used across the body of CIP standards without an explicit cross-reference.
FERC Order No. 706, Paragraph 296, requests consideration of whether the single senior manager should be a corporate officer or equivalent. As implicated through the defined term, the senior manager has the overall authority and responsibility for leading and managing implementation of the requirements within this set of standards, which ensures that the senior manager is of sufficient position in the Responsible Entity to ensure that cyber security receives the prominence that is necessary. In addition, given the range of business models for responsible entities, from municipal, cooperative, federal agencies, investor owned utilities, privately owned utilities, and everything in between, the SDT believes that requiring the CIP Senior Manager to be a corporate officer or equivalent would be extremely difficult to interpret and enforce on a consistent basis.
Rationale for Requirement R4: The intent of the requirement is to ensure clear accountability within an organization for certain security matters. It also ensures that delegations are kept up to date and that individuals do not assume undocumented authority.
In FERC Order No. 706, Paragraphs 379 and 381, the Commission notes that Recommendation 43 of the 2003 Blackout Report calls for clear lines of authority and ownership for security matters. With this in mind, the Standard Drafting Team has sought to provide clarity in the requirement for delegations so that this line of authority is clear and apparent from the documented delegations.